
fix(terraform): handle for-each arguments properly #7611

Closed
2 tasks done
nikpivkin opened this issue Sep 28, 2024 Discussed in #7610 · 0 comments · Fixed by #7612
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)

@nikpivkin (Contributor)

Discussed in #7610

Originally posted by roleyfoley September 28, 2024

### Description

Just started playing around with trivy for misconfiguration checking on our terraform modules. I have a dynamic block inside of an aws_iam_policy_document data block, and when trivy runs it generates the following error:

```
[terraform evaluator] Failed to expand block. Invalid "for-each" argument: map key (or set value) is not a stringblock="dynamic.statement" key="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" value="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" err="string required"
```

The variable provided to the for_each loop is a set of objects that are used in this dynamic block and in a couple of other spots in our overall module.

### Desired Behavior

Trivy can evaluate this for-each loop as expected.

### Actual Behavior

Trivy fails to run misconfiguration scanning on the terraform module.

### Reproduction Steps

main.tf

```hcl
provider "aws" {}

variable "home_directory_mappings" {
  description = "A list of mappings that specifiy what the user will be able to access"
  type = list(
    object(
      {
        entry = string
        s3_bucket_name = string
        s3_base_prefix = optional(string, "")
        target = optional(string, "")
      }
    )
  )
}

data "aws_iam_policy_document" "user_role" {

  dynamic "statement" {
    for_each = toset(var.home_directory_mappings)
    content {
      effect = "Allow"
      actions = [
        "s3:PutObject",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionTagging",
      ]

      resources = [
        "arn:aws:s3:::${statement.value.s3_bucket_name}/${statement.value.s3_base_prefix}*"
      ]
    }
  }
}
```

test.tfvars

```hcl
home_directory_mappings = [
  {
    entry          = "/test"
    s3_bucket_name = "bucket"
  }
]
```

trivy.yaml

```yaml
scan:
  scanners:
    - misconfig

misconfiguration:
  terraform:
    vars:
      - test.tfvars
```

Command

```bash
trivy fs .
2024-09-28T11:52:04+10:00       INFO    Loaded  file_path="trivy.yaml"
2024-09-28T11:52:04+10:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-09-28T11:52:05+10:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-09-28T11:52:05+10:00       ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument: map key (or set value) is not a stringblock="dynamic.statement" key="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" value="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" err="string required"
2024-09-28T11:52:05+10:00       ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument: map key (or set value) is not a stringblock="dynamic.statement" key="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" value="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" err="string required"
2024-09-28T11:52:05+10:00       INFO    Detected config files   num=1
```


### Target

Filesystem

### Scanner

Misconfiguration

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
trivy fs . --debug
2024-09-28T11:52:34+10:00       DEBUG   No plugins loaded
2024-09-28T11:52:34+10:00       INFO    Loaded  file_path="trivy.yaml"
2024-09-28T11:52:34+10:00       DEBUG   Cache dir       dir="/Users/michael.foley/Library/Caches/trivy"
2024-09-28T11:52:34+10:00       DEBUG   Cache dir       dir="/Users/michael.foley/Library/Caches/trivy"
2024-09-28T11:52:34+10:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2024-09-28T11:52:34+10:00       DEBUG   Ignore statuses statuses=[]
2024-09-28T11:52:34+10:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-09-28T11:52:34+10:00       DEBUG   [misconfig] Checks successfully loaded from disk
2024-09-28T11:52:34+10:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2024-09-28T11:52:34+10:00       DEBUG   Initializing scan cache...      type="memory"
2024-09-28T11:52:34+10:00       DEBUG   Scanning files for misconfigurations... scanner="Terraform"
2024-09-28T11:52:34+10:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [rego] Overriding filesystem for checks
2024-09-28T11:52:34+10:00       DEBUG   [rego] Embedded libraries are loaded    count=11
2024-09-28T11:52:34+10:00       DEBUG   [rego] Embedded checks are loaded       count=508
2024-09-28T11:52:34+10:00       DEBUG   [rego] Checks from disk are loaded      count=195
2024-09-28T11:52:34+10:00       DEBUG   [rego] Overriding filesystem for data
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2024-09-28T11:52:34+10:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Parsing      module="root" file_path="main.tf"
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Added file   module="root" file_path="main.tf"
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=3 ignores=0
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=1
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/Users/michael.foley/Documents/Source/sftp/scratch"
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Starting module evaluation...     path="."
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Starting iteration        iteration=0
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Starting iteration        iteration=1
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Context unchanged iteration=1
2024-09-28T11:52:34+10:00       ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument: map key (or set value) is not a stringblock="dynamic.statement" key="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" value="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" err="string required"
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      block="dynamic.statement" clones=0
2024-09-28T11:52:34+10:00       ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument: map key (or set value) is not a stringblock="dynamic.statement" key="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" value="cty.ObjectVal(map[string]cty.Value{\"entry\":cty.StringVal(\"/test\"), \"s3_base_prefix\":cty.StringVal(\"\"), \"s3_bucket_name\":cty.StringVal(\"bucket\"), \"target\":cty.StringVal(\"\")})" err="string required"
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      block="dynamic.statement" clones=0
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Starting iteration        iteration=0
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Starting iteration        iteration=1
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Context unchanged iteration=1
2024-09-28T11:52:34+10:00       DEBUG   [terraform evaluator] Module evaluation complete.
2024-09-28T11:52:34+10:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2024-09-28T11:52:34+10:00       DEBUG   [terraform executor] Adapting modules...
2024-09-28T11:52:34+10:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=1
2024-09-28T11:52:34+10:00       DEBUG   [terraform executor] Using max routines count=11
2024-09-28T11:52:34+10:00       DEBUG   [terraform executor] Initialized Go check(s).   count=775
2024-09-28T11:52:34+10:00       DEBUG   [rego] Scannning inputs count=1
2024-09-28T11:52:34+10:00       DEBUG   [terraform executor] Finished applying rules.
2024-09-28T11:52:34+10:00       DEBUG   [terraform executor] Applying ignores...
2024-09-28T11:52:34+10:00       DEBUG   Scanning files for misconfigurations... scanner="Helm"
2024-09-28T11:52:34+10:00       DEBUG   [rego] Overriding filesystem for checks
2024-09-28T11:52:34+10:00       DEBUG   [rego] Embedded libraries are loaded    count=11
2024-09-28T11:52:34+10:00       DEBUG   [rego] Embedded checks are loaded       count=508
2024-09-28T11:52:34+10:00       DEBUG   [rego] Checks from disk are loaded      count=195
2024-09-28T11:52:34+10:00       DEBUG   [rego] Overriding filesystem for data
2024-09-28T11:52:34+10:00       DEBUG   OS is not detected.
2024-09-28T11:52:34+10:00       INFO    Detected config files   num=1
2024-09-28T11:52:34+10:00       DEBUG   Scanned config file     file_path="."
2024-09-28T11:52:34+10:00       DEBUG   [vex] VEX filtering is disabled
```

### Operating System

macOS Sonoma 14.6.1

### Version

```bash
trivy --version
2024-09-28T11:53:28+10:00       INFO    Loaded  file_path="trivy.yaml"
Version: 0.55.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-09-28 00:23:12.078416438 +0000 UTC
  NextUpdate: 2024-09-28 06:23:12.078416118 +0000 UTC
  DownloadedAt: 2024-09-28 01:28:54.29594 +0000 UTC
Check Bundle:
  Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3
  DownloadedAt: 2024-09-27 09:46:54.898547 +0000 UTC
```

### Checklist

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Sep 28, 2024
@nikpivkin nikpivkin self-assigned this Sep 28, 2024
@simar7 simar7 added this to the v0.57.0 milestone Oct 2, 2024
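The report above hinges on one Terraform rule: when a dynamic block's `for_each` is a set, the iterator's `key` and `value` are both the set element itself, so the key is only a string when the set is a set of strings. The evaluator in the log instead demanded a string key, expanded `dynamic.statement` into zero clones, and finished the scan "successfully", which means the IAM statement's actions and resources were never seen by any check. The following Go program is an added illustration of the expansion semantics, not Trivy's code: it models the collection kinds with plain Go types (a `Set` slice and a `Mapping` struct, both assumed here) rather than go-cty, and renders the `resources` attribute of the issue's statement block for the values from `test.tfvars`.

```go
package main

import (
	"fmt"
	"sort"
)

// Iteration is one expansion of a dynamic block: what Terraform exposes as
// <iterator>.key and <iterator>.value.
type Iteration struct {
	Key   interface{}
	Value interface{}
}

// Set models a Terraform set value (toset(...)). Go has no set type, so the
// elements are held in a slice; order does not matter for the result.
type Set []interface{}

// Mapping mirrors one element of var.home_directory_mappings from the issue.
type Mapping struct {
	Entry        string
	S3BucketName string
	S3BasePrefix string
	Target       string
}

// ExpandForEach applies Terraform's for_each rules to a collection:
//   - map/object: key is the attribute name, value is the attribute value
//   - set: key and value are both the element, which need not be a string
//   - list/tuple: rejected, as Terraform does for for_each
func ExpandForEach(v interface{}) ([]Iteration, error) {
	switch c := v.(type) {
	case map[string]interface{}:
		keys := make([]string, 0, len(c))
		for k := range c {
			keys = append(keys, k)
		}
		sort.Strings(keys) // deterministic clone order
		out := make([]Iteration, 0, len(keys))
		for _, k := range keys {
			out = append(out, Iteration{Key: k, Value: c[k]})
		}
		return out, nil
	case Set:
		out := make([]Iteration, 0, len(c))
		for _, e := range c {
			// The element is the key; an object element is a valid key here.
			out = append(out, Iteration{Key: e, Value: e})
		}
		return out, nil
	case []interface{}:
		return nil, fmt.Errorf("for_each over a list is not allowed; wrap it in toset()")
	default:
		return nil, fmt.Errorf("for_each requires a map or set, got %T", v)
	}
}

// StatementResources renders the `resources` attribute of the issue's dynamic
// "statement" block once per clone, so a checker can see every ARN granted.
func StatementResources(mappings Set) ([]string, error) {
	its, err := ExpandForEach(mappings)
	if err != nil {
		return nil, err
	}
	res := make([]string, 0, len(its))
	for _, it := range its {
		m, ok := it.Value.(Mapping)
		if !ok {
			return nil, fmt.Errorf("statement.value is %T, expected object", it.Value)
		}
		res = append(res, fmt.Sprintf("arn:aws:s3:::%s/%s*", m.S3BucketName, m.S3BasePrefix))
	}
	return res, nil
}

func main() {
	// Constructed input matching test.tfvars from the issue: s3_base_prefix and
	// target take their optional defaults ("").
	mappings := Set{Mapping{Entry: "/test", S3BucketName: "bucket"}}
	res, err := StatementResources(mappings)
	fmt.Println(res, err)
}
```

With the issue's tfvars this yields exactly one clone whose resource is `arn:aws:s3:::bucket/*`, i.e. the whole bucket, which is the kind of value a misconfiguration check needs to inspect; an evaluator that produces `clones=0` instead hides that statement from every rule while still exiting cleanly.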