[BUG] eval_conflict_error: object keys must be unique #372

Closed
rsareth opened this issue Nov 14, 2022 · 1 comment

rsareth commented Nov 14, 2022

Describe the bug
Using a local composed of variables or other locals raises this error: eval_conflict_error: object keys must be unique

The issue was discovered by using a module creating an S3 bucket. But we are using the module several times in the same repository to create the buckets in different regions. And the name of the bucket is composed of different variables provided in the call.

How you're running Regula

  • I'm using Regula >= v2.9.2 as a Rego library with OPA >= v0.43.1.

Operating System
Mac OS

Steps to reproduce

  • Step 1 - Create these TF files with these contents:
# Content in module/activity_log/s3.tf

variable "basename" {
  type = string
}

variable "common_tags" {
  type = map(string)
}

variable "region" {
  type = string
}

locals {
  activity_log_basename = "${var.basename}-activity-log-${var.region}"
}

resource "aws_s3_bucket" "activity_log" {
  bucket = local.activity_log_basename

  tags = {
    Name     = local.activity_log_basename
    use_case = "activity_log"
  }

  provider = aws.platform
}

# Content in ./main.tf
terraform {
  backend "s3" {
    region               = "eu-west-1"
    encrypt              = true
    workspace_key_prefix = ""
  }

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.36.1"
    }
  }
}

variable "aws_assume_role" {
  type = string
}

variable "common_tags" {
  type = map(string)
}

variable "package_name" {
  type = string
}

variable "platform" {
  type = string
}

variable "region" {
  type = string
}

data "aws_caller_identity" "current" {}

provider "aws" {
  region = var.region

  default_tags {
    tags = local.common_tags
  }

  assume_role {
    role_arn = var.aws_assume_role
  }
}

provider "aws" {
  region = "us-east-1"
  alias  = "virginia"

  default_tags {
    tags = local.common_tags
  }

  assume_role {
    role_arn = var.aws_assume_role
  }
}

locals {
  common_root_name = "${terraform.workspace}-${var.package_name}"
  common_tags = merge(var.common_tags, {
    "package_name" = var.package_name,
    "platform"     = var.platform
  })
}

module "ireland" {
  source = "./module/activity_log"

  basename      = local.common_root_name
  common_tags   = local.common_tags
  region        = var.region

  providers = {
    aws.platform = aws
  }
}

module "virginia" {
  source = "./module/activity_log"

  basename      = local.common_root_name
  caller_id     = data.aws_caller_identity.current.id
  common_tags   = local.common_tags
  region        = "us-east-1"

  providers = {
    aws.platform = aws.virginia
  }
}
  • Step 2 - Simply run regula
$ regula run .
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique
  • Step 3 - More tests by running different versions of regula
$ V="2.9.1 2.9.2 2.9.3 2.10.0"
$ for v in $V; do echo "---> $v"; docker run -v $PWD:/tf -it fugue/regula:v$v run /tf; echo ""; done
---> 2.9.1

FG_R00099: S3 bucket server-side encryption should be enabled [High]
           https://docs.fugue.co/FG_R00099.html

  [1]: module.ireland.aws_s3_bucket.activity_log
       in /tf/module/activity_log/s3.tf.tf:18:1
       included at /tf/main.tf:72:12

  [2]: module.virginia.aws_s3_bucket.activity_log
       in /tf/module/activity_log/s3.tf.tf:18:1
       included at /tf/main.tf:84:12
[...]

---> 2.9.2
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique

---> 2.9.3
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique

---> 2.10.0
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique

To understand the issue, I dug into the code and I think it is in this file rego/lib/aws/s3/s3_library.rego:57. This is the comparison page between 2.9.1 and 2.9.2: v2.9.1...v2.9.2#diff-fde3629b9cf39db0cd719504defac97929251ea07446d63cea2142b8074c41f3

Thank you in advance for looking at this

Rasmey

rsareth commented Nov 14, 2022

I'm closing it because it is a bug from my script. I need to set some tfvars properly, otherwise regula is crashing!

@rsareth rsareth closed this as completed Nov 14, 2022
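
The closing comment attributes the crash to tfvars that were not set properly. A pre-flight check for that condition, as an added example that is not part of the issue or of Regula: it lists variables declared without a default that a tfvars file does not assign. The regex-based HCL scan, the function names and the sample tfvars values are assumptions made for illustration; values supplied through `-var` or `TF_VAR_` environment variables are not considered.

```python
import re

# Constructed sample: the root-module variable declarations from main.tf above.
MAIN_TF = '''
variable "aws_assume_role" {
  type = string
}
variable "common_tags" {
  type = map(string)
}
variable "package_name" {
  type = string
}
variable "platform" {
  type = string
}
variable "region" {
  type = string
}
'''

# Constructed tfvars with hypothetical values; it assigns only two variables.
TFVARS = '''
region   = "eu-west-1"
platform = "dev"
'''

def declared_variables(hcl):
    """Map each variable block's name to True if it declares a default."""
    found = {}
    for m in re.finditer(r'^\s*variable\s+"([^"]+)"\s*\{', hcl, re.M):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:  # walk to the block's closing brace
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        body = hcl[m.end():i - 1]
        found[m.group(1)] = bool(re.search(r'^\s*default\s*=', body, re.M))
    return found

def missing_variables(hcl, tfvars):
    """Variables with no default and no top-level (column 0) tfvars assignment."""
    assigned = set(re.findall(r'^([A-Za-z_][\w-]*)\s*=', tfvars, re.M))
    return [n for n, has_default in sorted(declared_variables(hcl).items())
            if not has_default and n not in assigned]

if __name__ == "__main__":
    for name in missing_variables(MAIN_TF, TFVARS):
        print(f"no value for variable: {name}")
```

Run against the real main.tf and tfvars file before `regula run .` so that unset inputs are reported by name.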