
[BUG] Regula doesn't interpret terraform.workspace #305

Closed
rsareth opened this issue Feb 11, 2022 · 3 comments · Fixed by #306
Labels
bug Something isn't working

Comments

@rsareth

rsareth commented Feb 11, 2022

Describe the bug
We are using a lot of locals. We concatenate some locals and variables. But we rely a lot on terraform.workspace, as we started to write our own rules in Rego.

How you're running Regula

  • I'm using Regula v2.4.0 as a Rego library with OPA v0.34.1

Steps to reproduce

  1. Create those files
# rules/rule_001.rego
package rules.tf_aws_check_resources_prefix_for_logging

import data.fugue

__rego__metadoc__ := {
	"custom": {"severity": "Medium"},
	"id": "RULE_001",
	"title": "Checking the prefix is in the right shape.",
	"description": "Checking the prefix is in the right shape to prevent from melting the logs between all services"
}

resource_type := "MULTIPLE"
all_s3_buckets := fugue.resources("aws_s3_bucket")

valid_s3(resource) {
  prefix := resource.logging[_].target_prefix
  not startswith(prefix, "/")

  split_prefix := split(prefix, "/")
  count(split_prefix) > 1
  split_prefix[0] == "s3"
  split_prefix[1] == resource.bucket
}

policy[r] {
  s3_bucket := all_s3_buckets[_]
  valid_s3(s3_bucket)
  r := fugue.allow_resource(s3_bucket)
}

policy[r] {
  s3_bucket := all_s3_buckets[_]
  prefix = s3_bucket.logging[0].target_prefix
  not valid_s3(s3_bucket)
  msg := sprintf("The s3 bucket logging's prefix, %v, must be in this shape s3/%v/, instead of %v", [s3_bucket.id, s3_bucket.bucket, prefix])
  r := fugue.deny_resource_with_message(s3_bucket, msg)
}
# split_tf/s3.tf
locals {
  common_base_name = "${terraform.workspace}-base" # <--- The use of terraform.workspace
  s3_bucket_b_name = "${local.common_base_name}-mybucket"
}

resource "aws_s3_bucket" "b" {
  bucket = local.s3_bucket_b_name
  
  logging {
    target_bucket = "bucket_1.s3.amazonaws.com"
    target_prefix = "s3/${local.s3_bucket_b_name}"
  }

  tags = {
    Name = "My bucket"
  }
}
  2. Run
$ regula run -n -i rules/rule_001.rego split_tf/s3.tf

RULE_001: Checking the prefix is in the right shape. [Medium]

  [1]: aws_s3_bucket.b
       in split_tf/s3.tf:6:1
       The s3 bucket logging's prefix, aws_s3_bucket.b, must be in this shape s3/null/, instead of null

Found one problem.

I didn't expect a null here.

Can you confirm, please?

Thank you

Regards,
Rasmey

@rsareth rsareth changed the title [BUG] Regula interpretes terraform.workspace [BUG] Regula doesn't interprete terraform.workspace Feb 11, 2022
@jaspervdj-luminal jaspervdj-luminal added the bug Something isn't working label Feb 11, 2022
@jaspervdj-luminal
Member

Thanks for creating this @rsareth! We don't fully support workspaces yet, but maybe as a workaround, terraform.workspace can be set to "default" for now. I've tested that out in the feature/terraform-workspace branch.

Is it possible for you to test this branch? When I was trying your configuration, I also had to change "${common_base_name}-mybucket" to "${local.common_base_name}-mybucket".

@rsareth
Author

rsareth commented Feb 11, 2022

Thanks @jaspervdj-luminal. Sorry for the mistake. And your patch works:

$ /Users/login/src/oss/regula/bin/regula run -n -i rules/rule_001.rego split_tf/s3.tf

No problems found. Beautiful.

And if I put a bad configuration, I'm seeing this:

$ /Users/login/src/oss/regula/bin/regula run -n -i rules/rule_001.rego split_tf/s3.tf

RULE_001: Checking the prefix is in the right shape. [Medium]

  [1]: aws_s3_bucket.b
       in split_tf/s3.tf:6:1
       The s3 bucket logging's prefix, aws_s3_bucket.b, must be in this shape s3/default-base-mybucket/, instead of default-base-mybucket

Found one problem.
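To show what the rule sees in each of the three runs above, here is an added Python model (not Regula's code) that expands the ${terraform.workspace} and ${local.*} interpolations, treats an unset workspace as null as the original report did, and ports the rule's valid_s3 check. The locals and resource values are copied from split_tf/s3.tf; the resolver's behaviour is an assumption about the evaluator, not Regula's actual implementation.

```python
import re

WORKSPACE_RE = re.compile(r"\$\{terraform\.workspace\}")
LOCAL_RE = re.compile(r"\$\{local\.([A-Za-z_][A-Za-z0-9_]*)\}")
# Constructed from split_tf/s3.tf in the issue.
LOCALS = {
    "common_base_name": "${terraform.workspace}-base",
    "s3_bucket_b_name": "${local.common_base_name}-mybucket",
}
RAW_BUCKET = {
    "id": "aws_s3_bucket.b",
    "bucket": "${local.s3_bucket_b_name}",
    "logging": [{"target_bucket": "bucket_1.s3.amazonaws.com",
                 "target_prefix": "s3/${local.s3_bucket_b_name}"}],
}

def resolve(expr, locals_, workspace):
    # Simplified model of interpolation (assumption, not Regula's evaluator): an
    # unset workspace makes the whole value None, the null seen in the report.
    if expr is None:
        return None
    if WORKSPACE_RE.search(expr):
        if workspace is None:
            return None
        expr = WORKSPACE_RE.sub(workspace, expr)
    out = expr
    for m in LOCAL_RE.finditer(expr):
        val = resolve(locals_.get(m.group(1)), locals_, workspace)
        if val is None:
            return None
        out = out.replace(m.group(0), val)
    return out

def valid_s3(resource):
    # Port of the rule's valid_s3: prefix must be s3/<bucket name>[/...].
    for log in resource.get("logging", []):
        prefix = log.get("target_prefix")
        if prefix is None or prefix.startswith("/"):
            continue
        parts = prefix.split("/")
        if len(parts) > 1 and parts[0] == "s3" and parts[1] == resource.get("bucket"):
            return True
    return False

def evaluate(raw, locals_, workspace):
    # Resolve attributes first, then apply the rule: ("allow", None) or ("deny", msg).
    show = lambda v: "null" if v is None else v
    res = dict(raw, bucket=resolve(raw["bucket"], locals_, workspace))
    res["logging"] = [dict(l, target_prefix=resolve(l["target_prefix"], locals_, workspace))
                      for l in raw["logging"]]
    if valid_s3(res):
        return ("allow", None)
    return ("deny", "The s3 bucket logging's prefix, %s, must be in this shape s3/%s/, instead of %s"
            % (res["id"], show(res["bucket"]), show(res["logging"][0]["target_prefix"])))
```

With workspace=None the deny message reproduces the "s3/null/" output of the first run; with workspace="default" the same file is allowed, and a prefix lacking the "s3/" segment is denied with the message from the last run.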

@jaspervdj-luminal
Member

Great, I merged the PR for this branch, so it should be in the next release.
