terraform-to-secrets: Handle case where tags are None

[dav3r]

🗣 Description

This PR adds a check in terraform-to-secrets to verify that a resource's tags are not equal to None. If the tags are None, it's value is changed to an empty dictionary so that the rest of the script runs correctly..

💭 Motivation and Context

I encountered a situation recently where terraform-to-secrets was failing:

❱ terraform-to-secrets -l debug -d -t <REDACTED>
2020-04-11 09:48:07,985 DEBUG Trying to determine GitHub repository name using git.
2020-04-11 09:48:08,005 INFO Using GitHub repository name: cisagov/nessus-packer
2020-04-11 09:48:08,006 INFO Reading state from Terraform command.
2020-04-11 09:48:10,603 INFO Searching Terraform state for IAM credentials.
2020-04-11 09:48:10,603 INFO Found credentials for user: test-nessus-packer
2020-04-11 09:48:10,603 INFO Searching Terraform state for tagged resources.
2020-04-11 09:48:10,603 DEBUG: resource[address]: aws_iam_policy.s3_read tags: {}
2020-04-11 09:48:10,603 DEBUG: resource[address]: aws_iam_role.s3_read tags: None
Traceback (most recent call last):
  File "development-guide/bin/terraform-to-secrets", line 7, in <module>
    exec(compile(f.read(), __file__, 'exec'))
  File "development-guide/project_setup/scripts/terraform-to-secrets", line 399, in <module>
    sys.exit(main())
  File "development-guide/project_setup/scripts/terraform-to-secrets", line 380, in main
    resource_secrets: Dict[str, str] = get_resource_secrets(terraform_state)
  File "development-guide/project_setup/scripts/terraform-to-secrets", line 246, in get_resource_secrets
    for secret_name, secret_value in parse_tagged_resources(terraform_state):
  File "development-guide/project_setup/scripts/terraform-to-secrets", line 136, in parse_tagged_resources
    secret_name: Optional[str] = tags.get(GITHUB_SECRET_NAME_TAG)
AttributeError: 'NoneType' object has no attribute 'get'

The output above shows the two additional lines of debug output that I added to illustrate the problem:

2020-04-11 09:48:10,603 DEBUG: resource[address]: aws_iam_policy.s3_read tags: {}
2020-04-11 09:48:10,603 DEBUG: resource[address]: aws_iam_role.s3_read tags: None

Note that the aws_iam_role.s3_read resource had a tags element, but its value was set to None, which caused the AttributeError seen above.

I am not sure if something in AWS or Terraform changed recently to cause this behavior or if we have just never created a role without any tags before.

The code in this PR simply does a check for this situation and if it occurs, it replaces None with an empty dictionary so that processing can continue.

🧪 Testing

I tested the fix locally and verified that the script ran successfully.

📷 Screenshots (if appropriate)

🚥 Types of Changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (causes existing functionality to change)

✅ Checklist

• My code follows the code style of this project.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have read the CONTRIBUTING document.
• I have added tests to cover my changes.
• All new and existing tests passed.

[felddy]

Good fix. I wish that wasn't happening. See my comment about a few tweaks.
🐰 🥚 🌷

[felddy]

We might need a comment here to our future selves. I know that if I ever look at this I'll assume this is redundant code. Get get("tags", dict()) is guarding against unset keys in resource["values"] while the new if clause is guarding against tags being explicitly set to None.

It might be clearer to remove the default argument to get and just let the if block handle everything. (Still with a comment, cause I know I'll later say, "Gee, they should have used the default arg")

[dav3r]

Excellent suggestion @felddy. Please take a look at 9954518 and let me know if that works for you.

[jsf9k]

LGTM, but please see @felddy's comment.