
Error parsing syntax if using complex query for dynamic ip_restriction in azurerm_function_app or azurerm_app_service resource #433

Closed
alex-3sr opened this issue Dec 17, 2020 · 10 comments
Labels
bug policy Issue concerning policy maintainers.

Comments

@alex-3sr

  • terrascan version: 1.2.0
  • Operating System: Windows

Description

Hi,
In some azurerm_function_app or azurerm_app_service resources, we often use a dynamic block for site_config\ip_restriction.
Essentially, we data-source another web app/function app for its possible_outbound_ip_addresses attribute, which we split and feed to a for_each element in order to build all the IPs in the ip_restriction block.

Error code output

Terrascan has some trouble parsing this, and outputs this error:
warn opa/engine.go:330 failed to run prepared query{error 25 0 reme_moreHostsAllowed:16: eval_builtin_error: to_number: strconv.ParseFloat: parsing "${element(split(",", azurerm_app_service": invalid syntax} {rule 15 0 'accurics.azure.NS.169' } {file 15 0 moreHostsAllowed.rego }

What I Did

Below is an example of an azurerm_function_app Terraform resource, with a dynamic block that data-sources possible_outbound_ip_addresses from an azurerm_app_service:

resource "azurerm_function_app" "afa" {
  name                          = "afa-xxx"
  location                      = azurerm_resource_group.rg.location
  resource_group_name           = azurerm_resource_group.rg.name
  app_service_plan_id           = azurerm_app_service_plan.plan.id
  storage_account_name          = azurerm_storage_account.storage.name
  storage_account_access_key    = azurerm_storage_account.storage.primary_access_key
  version                       = "~3"
  
  site_config {

    dynamic "ip_restriction" {
      for_each = var.environment == "PROD" ? split(",",data.azurerm_app_service.webapp.possible_outbound_ip_addresses) : []
      content {
        ip_address  = "${ip_restriction.value}/32"
        name        = "${data.azurerm_app_service.webapp.name}-${format("%02d", ip_restriction.key)}"
        priority    = 600 + ip_restriction.key
      }
    }
  }
}

Thank you, Regards
Alexandre

@amirbenv amirbenv added the bug label Jan 8, 2021
@amirbenv amirbenv added the policy Issue concerning policy maintainers. label Jan 20, 2021
@alex-3sr (Author)

alex-3sr commented Mar 5, 2021

Hi everyone ;)

With 1.4.0, I still have the issue, and the problem is with the junitxml output, because it adds this warning on the first line of the XML output file:
2021-03-05T19:51:55.342Z warn opa/engine.go:347 failed to run prepared query{error 26 0 reme_moreHostsAllowed:16: eval_builtin_error: to_number: strconv.ParseFloat: parsing "${element(split(",", azurerm_app_service": invalid syntax} {rule 15 0 'accurics.azure.NS.169' } {file 15 0 moreHostsAllowed.rego }

And so, with this line at the beginning, the XML format is broken :( A workaround could be, when using junitxml output, to not write this line (via an argument or by default).

Thanks,
Alex

@kanchwala-yusuf (Contributor)

kanchwala-yusuf commented May 10, 2021

Hi @alex-3sr ,

Sorry for the late reply!

Terrascan logs are written to stderr whereas the output is written to stdout.

Would redirecting the stderr to /dev/null help your cause?

After redirecting stderr:

$ terrascan scan -o junit-xml 2> /dev/null | tee
<testsuites tests="607" name="TERRASCAN_POLICY_SUITES" failures="0" time="0">
  <testsuite tests="607" failures="0" time="0" name="TERRASCAN_POLICY_SUITE" package="/Users/jarvis/terraform-examples/gh-757">
    <properties>
      <property name="Terrascan Version" value="v1.5.1"></property>
    </properties>
  </testsuite>
</testsuites>

Without redirecting stderr:

$ terrascan scan -o junit-xml
2021-05-10T12:07:49.493+0530	warn	opa/engine.go:346	failed to run prepared query{error 26 0  kmsKeyExposedPolicy:22: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AWS.KMS.NetworkSecurity.High.0566' <nil>} {file 15 0 kmsKeyExposedPolicy.rego <nil>}
2021-05-10T12:07:49.505+0530	warn	opa/engine.go:346	failed to run prepared query{error 26 0  kmsKeySecurePolicyNotUsed:38: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AC_AWS_062' <nil>} {file 15 0 kmsKeySecurePolicyNotUsed.rego <nil>}
2021-05-10T12:07:49.511+0530	warn	opa/engine.go:346	failed to run prepared query{error 26 0  kmsKeyPolicyMissingPrincipal:17: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AC_AWS_054' <nil>} {file 15 0 kmsKeyPolicyMissingPrincipal.rego <nil>}
<testsuites tests="607" name="TERRASCAN_POLICY_SUITES" failures="0" time="0">
  <testsuite tests="607" failures="0" time="0" name="TERRASCAN_POLICY_SUITE" package="/Users/jarvis/terraform-examples/gh-757">
    <properties>
      <property name="Terrascan Version" value="v1.5.1"></property>
    </properties>
  </testsuite>
</testsuites>

@alex-3sr (Author)

Hi @kanchwala-yusuf ,

Thanks for your reply. Do you have the same stderr for the Windows version?

@kanchwala-yusuf (Contributor)

Hey @alex-3sr,
I am not sure if I completely understand your question, but terrascan writes logs to stderr irrespective of platform or architecture.

The syntax of redirecting stderr may vary from platform to platform.

A quick search tells me that the following should work on windows:

terrascan scan -o junit-xml 2> nul

But, I believe this documentation should give you a concrete answer.

@alex-3sr (Author)

Thanks. In fact it's because my main local debug machine is on Windows, so I was wondering how to validate arguments on Windows and whether it's similar to Linux. BTW, I was able to validate it, and it does the job ;)
But now I'm a bit lost on my CI/CD pipeline; I'm not a Linux expert.

On my pipeline, I use Docker for Terrascan and have this bash:
docker run --tty --volume $(System.DefaultWorkingDirectory)/Terraform:/tf accurics/terrascan scan --iac-dir /tf --policy-type azure --iac-type terraform --iac-version v14 --output junit-xml --show-passed > $(System.DefaultWorkingDirectory)/JunitXml/Terrascan-Report.xml

It works perfectly, except when I have complex rules and that adds the extra lines explained in this thread. So now I tried to combine your stderr redirection and the file output. I tried this one, but it doesn't do the job :(
docker run --tty --volume $(System.DefaultWorkingDirectory)/Terraform:/tf accurics/terrascan scan --iac-dir /tf --policy-type azure --iac-type terraform --iac-version v14 --output junit-xml --show-passed 2> null > $(System.DefaultWorkingDirectory)/JunitXml/Terrascan-Report.xml

So, how can I nullify stderr and still write the XML file from terrascan?
If I can do that, the workaround is good enough for me.

Thanks
Alexandre

@kanchwala-yusuf (Contributor)

kanchwala-yusuf commented May 11, 2021

Hey @alex-3sr ,

On linux, I believe it is /dev/null and not nul.

But, there is a simpler way of getting rid of those warning messages. Terrascan has log levels and you can set those log levels using the --log-level or -l option. So taking your command from this thread and modifying a bit may work for you:

docker run --tty --volume $(System.DefaultWorkingDirectory)/Terraform:/tf accurics/terrascan scan --iac-dir /tf --policy-type azure --iac-type terraform --iac-version v14 -l error --output junit-xml --show-passed > $(System.DefaultWorkingDirectory)/JunitXml/Terrascan-Report.xml

Do let me know if it works for you.
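The two fixes in this thread (redirecting stderr, or lowering the log level with `-l error`) both make the warning disappear from the report, but the warning itself says that a policy (here `accurics.azure.NS.169`, `moreHostsAllowed.rego`) did not evaluate for the dynamic `ip_restriction` block, so that check was effectively skipped for those resources. The helpers below are an added example, not code from this issue or from the terrascan project: they keep terrascan's stdout (the JUnit XML) and stderr (its logs) in separate files, detect log lines that leaked in front of the XML, recover the report, and list the rule ids that failed to evaluate so a pipeline can warn or fail instead of silently losing coverage. It assumes a POSIX shell with awk, sed, grep and sort; the sample files are constructed from the log lines quoted in this thread, and the pipeline paths in the comments are placeholders.

```shell
#!/bin/sh
# Added example (not terrascan's own tooling): CI helpers for a scan whose
# stdout and stderr were captured separately, e.g. (placeholder paths):
#   terrascan scan --iac-dir /tf --output junit-xml 2> terrascan.log > report.xml
#   [ "$(leaked_log_lines report.xml)" -eq 0 ] || strip_leaked_lines report.xml > fixed.xml
#   policy_failures terrascan.log    # non-empty output = policies that did not run

# Number of non-empty lines that precede the first line starting with '<'.
# Anything above the XML root is a log line that leaked into the report.
leaked_log_lines() {
    awk '/^</ { exit } NF { n++ } END { print n + 0 }' "$1"
}

# Print the report from its first XML line onward, recovering a report that
# terrascan wrote with log lines in front of it.
strip_leaked_lines() {
    sed -n '/^</,$p' "$1"
}

# Print the unique rule ids named in "failed to run prepared query" warnings.
# Output is empty when every policy evaluated. The rule id is the quoted
# token after "{rule N N".
policy_failures() {
    grep 'failed to run prepared query' "$1" \
        | sed -n "s/.*{rule [0-9]* [0-9]* '\([^']*\)'.*/\1/p" \
        | LC_ALL=C sort -u
}

# Write constructed sample files into the directory given as $1 (the log
# lines are copies of the warnings quoted in this issue) and print the path.
make_samples() {
    dir=$1
    cat > "$dir/broken.xml" <<'EOF'
2021-03-05T19:51:55.342Z warn opa/engine.go:347 failed to run prepared query{error 26 0 reme_moreHostsAllowed:16: eval_builtin_error: to_number: strconv.ParseFloat: parsing "${element(split(",", azurerm_app_service": invalid syntax} {rule 15 0 'accurics.azure.NS.169' } {file 15 0 moreHostsAllowed.rego }
<testsuites tests="607" name="TERRASCAN_POLICY_SUITES" failures="0" time="0">
  <testsuite tests="607" failures="0" time="0" name="TERRASCAN_POLICY_SUITE" package="/tf">
  </testsuite>
</testsuites>
EOF
    cat > "$dir/terrascan.log" <<'EOF'
2021-05-10T12:07:49.493+0530 warn opa/engine.go:346 failed to run prepared query{error 26 0  kmsKeyExposedPolicy:22: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AWS.KMS.NetworkSecurity.High.0566' <nil>} {file 15 0 kmsKeyExposedPolicy.rego <nil>}
2021-05-10T12:07:49.505+0530 warn opa/engine.go:346 failed to run prepared query{error 26 0  kmsKeySecurePolicyNotUsed:38: eval_builtin_error: json.unmarshal: invalid character '$' looking for beginning of value} {rule 15 0 'AC_AWS_062' <nil>} {file 15 0 kmsKeySecurePolicyNotUsed.rego <nil>}
2021-03-05T19:51:55.342Z warn opa/engine.go:347 failed to run prepared query{error 26 0 reme_moreHostsAllowed:16: eval_builtin_error: to_number: strconv.ParseFloat: parsing "${element(split(",", azurerm_app_service": invalid syntax} {rule 15 0 'accurics.azure.NS.169' } {file 15 0 moreHostsAllowed.rego }
EOF
    : > "$dir/clean.log"
    printf '%s\n' "$dir"
}
```

In a pipeline step, keeping `2> terrascan.log` instead of `2> /dev/null` or `-l error` costs nothing and leaves the evidence of which policies were skipped in the build artifacts; the report stays valid XML either way because the logs never reach stdout.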

@alex-3sr (Author)

Yeah ;)

Thanks @kanchwala-yusuf, the log level argument (which I had missed) lets my task work fine now, and the XML output is finally in the correct format. So for me it's enough as a workaround at this time ;)

Later, for contributors with deeper dev knowledge (I can't help, sorry), it would be nice to handle dynamic blocks and complex syntax so that this workaround isn't needed.

BTW, for me it's enough for now ;) And thank you again for your time, it helped me a lot :)

Regards
Alexandre

@kanchwala-yusuf (Contributor)

Happy to help!

@alex-3sr, Can we close this issue?

@alex-3sr (Author)

> Happy to help!
>
> @alex-3sr, Can we close this issue?

Hi,

I forgot to add a point about closing the issue, and it was expected, sorry. In fact, for me I have a workaround and it's enough for my CI/CD.
But on another point, there is still an issue in Terrascan when evaluating a dynamic ip_restriction block in azurerm_function_app and azurerm_app_service; it was the main reason to open this issue.

So if you want to keep it open for tracking the issue, feel free to let it open. For me, I'm happy enough with the workaround.

I let you decide ;)

Regards
Alexandre

@kanchwala-yusuf (Contributor)

Closing this for now!
