Error parsing syntax if using complex query for dynamic ip_restriction in azurerm_function_app or azurerm_app_service resource #433
Comments
Hi everyone ;) With 1.4.0, I still have the issue, and the problem is with the junitxml output, because it adds this warning content on the 1st line of the XML output file: And so, with this line at the beginning, the XML format fails :( A workaround could be, if using junitxml output, to not write this line (with arguments or by default). Thanks, |
Hi @alex-3sr, Sorry for the late reply! Terrascan logs are written to Would redirecting the After redirecting
$ terrascan scan -o junit-xml 2> /dev/null | tee
<testsuites tests="607" name="TERRASCAN_POLICY_SUITES" failures="0" time="0">
<testsuite tests="607" failures="0" time="0" name="TERRASCAN_POLICY_SUITE" package="/Users/jarvis/terraform-examples/gh-757">
<properties>
<property name="Terrascan Version" value="v1.5.1"></property>
</properties>
</testsuite>
</testsuites>
Without redirecting stderr:
$ terrascan scan -o junit-xml
2021-05-10T12:07:49.493+0530 warn opa/engine.go:346 failed to run prepared query{error 26 0 kmsKeyExposedPolicy:22: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AWS.KMS.NetworkSecurity.High.0566' <nil>} {file 15 0 kmsKeyExposedPolicy.rego <nil>}
2021-05-10T12:07:49.505+0530 warn opa/engine.go:346 failed to run prepared query{error 26 0 kmsKeySecurePolicyNotUsed:38: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AC_AWS_062' <nil>} {file 15 0 kmsKeySecurePolicyNotUsed.rego <nil>}
2021-05-10T12:07:49.511+0530 warn opa/engine.go:346 failed to run prepared query{error 26 0 kmsKeyPolicyMissingPrincipal:17: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AC_AWS_054' <nil>} {file 15 0 kmsKeyPolicyMissingPrincipal.rego <nil>}
<testsuites tests="607" name="TERRASCAN_POLICY_SUITES" failures="0" time="0">
<testsuite tests="607" failures="0" time="0" name="TERRASCAN_POLICY_SUITE" package="/Users/jarvis/terraform-examples/gh-757">
<properties>
<property name="Terrascan Version" value="v1.5.1"></property>
</properties>
</testsuite>
</testsuites> |
Hi @kanchwala-yusuf, Thanks for your reply. Do you have the same stderr for the Windows version? |
Hey @alex-3sr, The syntax of redirecting A quick search tells me that the following should work on Windows:
terrascan scan -o junit-xml 2> nul
But, I believe this documentation should give you a concrete answer. |
Thanks, in fact it's because my main local debug machine is on Windows, so I'm wondering how to validate arguments on Windows and whether it is similar to Linux. BTW, I was able to validate it, and it does the job ;) In my pipeline, I use docker for Terrascan and have this bash -> It works perfectly, except when I have complex rules and that adds the extra lines explained in this thread. So now I tried to combine your stderr and file output. I tried this one, but it doesn't do the job :( So, how can I nullify stderr and still output the XML file from terrascan? Thanks |
Hey @alex-3sr, On Linux, I believe it is But, there is a simpler way of getting rid of those warning messages. Terrascan has log levels and you can set those log levels using the
docker run --tty --volume $(System.DefaultWorkingDirectory)/Terraform:/tf accurics/terrascan scan --iac-dir /tf --policy-type azure --iac-type terraform --iac-version v14 -l error --output junit-xml --show-passed > $(System.DefaultWorkingDirectory)/JunitXml/Terrascan-Report.xml
Do let me know if it works for you? |
Yeah ;) Thanks @kanchwala-yusuf, the log level argument (that I missed) lets my task work fine now and the xml output is finally in the correct format. So for me it's enough as a workaround at this time ;) Later, for a contributor with more dev knowledge (I can't help, sorry), it could be nice to manage dynamic blocks and complex syntax so as not to have to use this workaround. BTW, for me it's enough for now ;) And thank you again for your time, that helped me a lot :) Regards |
Happy to help! @alex-3sr, Can we close this issue? |
Hi, I forgot to add a point about closing the issue, and it was expected, sorry. In fact, for me I have a workaround and it's enough for my CICD. So if you want to keep it open for tracking the issue, feel free to leave it open. For me, I'm happy enough with the workaround. I'll let you decide ;) Regards |
Closing this for now! |
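Added example, not from the thread or from Terrascan's code: a Python check a pipeline could run on a captured `junit-xml` report. It shows that the merged stream is not well-formed XML, recovers the report, and lists the rule ids named in the `failed to run prepared query` warnings, which the report's `failures="0"` gives no sign of once the warnings are silenced with `-l error` or `2> /dev/null`. The function names are assumptions; the sample lines are the ones quoted in the thread above.

```python
import re
import xml.etree.ElementTree as ET

# Matches the rule id in Terrascan's "failed to run prepared query" warnings.
RULE_RE = re.compile(r"failed to run prepared query.*?\{rule \d+ \d+ '([^']+)'")

# Two warnings and the report quoted in this thread, joined the way they
# arrive when stderr and stdout end up in the same file.
CAPTURE = "\n".join([
    "2021-05-10T12:07:49.493+0530 warn opa/engine.go:346 failed to run prepared "
    "query{error 26 0 kmsKeyExposedPolicy:22: eval_builtin_error: json.unmarshal: "
    "invalid character '$' looking for beginning of value} {rule 15 0 "
    "'AWS.KMS.NetworkSecurity.High.0566' <nil>} {file 15 0 kmsKeyExposedPolicy.rego <nil>}",
    "2021-05-10T12:07:49.505+0530 warn opa/engine.go:346 failed to run prepared "
    "query{error 26 0 kmsKeySecurePolicyNotUsed:38: eval_builtin_error: json.unmarshal: "
    "invalid character '$' looking for beginning of value} {rule 15 0 'AC_AWS_062' <nil>} "
    "{file 15 0 kmsKeySecurePolicyNotUsed.rego <nil>}",
    '<testsuites tests="607" name="TERRASCAN_POLICY_SUITES" failures="0" time="0">',
    '<testsuite tests="607" failures="0" time="0" name="TERRASCAN_POLICY_SUITE" '
    'package="/Users/jarvis/terraform-examples/gh-757">',
    "<properties>",
    '<property name="Terrascan Version" value="v1.5.1"></property>',
    "</properties>",
    "</testsuite>",
    "</testsuites>",
])

def is_well_formed(text):
    """True if text parses as a single XML document."""
    try:
        ET.fromstring(text)
        return True
    except ET.ParseError:
        return False

def audit(capture):
    """Split leading log lines from the report and summarise both."""
    lines = capture.splitlines()
    # Everything before the first line that opens an XML element is log output.
    start = next((i for i, l in enumerate(lines) if l.lstrip().startswith("<")), len(lines))
    logs, report = lines[:start], "\n".join(lines[start:])
    root = ET.fromstring(report)  # ParseError here means the report itself is broken
    return {
        "log_lines": len(logs),
        "unevaluated_rules": sorted(set(RULE_RE.findall("\n".join(logs)))),
        "tests": int(root.get("tests")),
        "failures": int(root.get("failures")),
    }

if __name__ == "__main__":
    print(is_well_formed(CAPTURE), audit(CAPTURE))
```

Keeping stderr in a separate file (`2> terrascan.log`) rather than discarding it lets the same rule-id extraction run in the pipeline while the XML stays clean.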
Description
Hi,
In some azurerm_function_app or azurerm_app_service resources, we often use a dynamic block for site_config\ip_restriction.
And essentially, we data-source another webapp/functionapp for its possible_outbound_ip_addresses attribute, which we split and feed to a for_each element in order to build all the IPs in the ip_restriction block.
Error code output
Terrascan has some issue parsing this, and outputs this error ->
warn opa/engine.go:330 failed to run prepared query{error 25 0 reme_moreHostsAllowed:16: eval_builtin_error: to_number: strconv.ParseFloat: parsing "${element(split(",", azurerm_app_service": invalid syntax} {rule 15 0 'accurics.azure.NS.169' } {file 15 0 moreHostsAllowed.rego }
What I Did
Below is an example of an azurerm_function_app Terraform resource, with a dynamic block that data-sources possible_outbound_ip_addresses from azurerm_app_service
Thank you, Regards
Alexandre