feat: dereference variables from terraform.tfvars and *.auto.tfvars

snyk · Feb 21, 2022 · c2f7e94 · c2f7e94
1 parent 66f09c2
commit c2f7e94
Show file tree

Hide file tree

Showing 13 changed files with 136 additions and 48 deletions.
diff --git a/release-scripts/hcl-to-json-parser-generator-v2/src/hcltojson-v2/go.mod b/release-scripts/hcl-to-json-parser-generator-v2/src/hcltojson-v2/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/kr/pretty v0.2.1 // indirect
 	github.com/kr/text v0.2.0 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/snyk/snyk-iac-parsers v0.2.0
+	github.com/snyk/snyk-iac-parsers v0.3.0
 	github.com/tmccombs/hcl2json v0.3.3 // indirect
 	github.com/zclconf/go-cty v1.10.0 // indirect
 )
diff --git a/release-scripts/hcl-to-json-parser-generator-v2/src/hcltojson-v2/go.sum b/release-scripts/hcl-to-json-parser-generator-v2/src/hcltojson-v2/go.sum
@@ -194,6 +194,8 @@ github.com/snyk/snyk-iac-parsers v0.1.0 h1:+VHQorhJ0iro0EwCJR2kNFYpkQ6EsfWSVi3xY
 github.com/snyk/snyk-iac-parsers v0.1.0/go.mod h1:vmR6e9WfglVPO2Y82lW49Sb5jiGb13FXGwJGNtVRBcw=
 github.com/snyk/snyk-iac-parsers v0.2.0 h1:bc48Ra3U3spo5wl6XogFoT4N7VlkxCGBM3Cq0rjd0C8=
 github.com/snyk/snyk-iac-parsers v0.2.0/go.mod h1:vmR6e9WfglVPO2Y82lW49Sb5jiGb13FXGwJGNtVRBcw=
+github.com/snyk/snyk-iac-parsers v0.3.0 h1:WusEK8AT1TiFbkTPVtfJohyGwtQNWBHVeruLVAA2ueI=
+github.com/snyk/snyk-iac-parsers v0.3.0/go.mod h1:vmR6e9WfglVPO2Y82lW49Sb5jiGb13FXGwJGNtVRBcw=
 github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM=
 github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=

diff --git a/src/cli/commands/test/iac-local-execution/index.ts b/src/cli/commands/test/iac-local-execution/index.ts
@@ -62,7 +62,9 @@ export async function test(
     // if TF vars enabled, valid files are all except terraform files
     const validFileTypes = isTFVarSupportEnabled
       ? VALID_FILE_TYPES.filter(
-          (fileType) => fileType !== ValidFileType.Terraform,
+          (fileType) =>
+            fileType !== ValidFileType.Terraform &&
+            fileType !== ValidFileType.TFVARS,
         )
       : undefined;
 
@@ -85,7 +87,6 @@ export async function test(
     // we may have loaded and parsed all but terraform files in the previous step
     // so now we check if we need to do a second load and parse which dereferences TF vars
     if (validFileTypes && !validFileTypes.includes(ValidFileType.Terraform)) {
-      // TODO: read and send .tfvars to parser
       // TODO: iterate through nested directories
       try {
         const tfFilesToParse = await loadFiles(
@@ -94,12 +95,13 @@ export async function test(
             ...options,
             detectionDepth: 1,
           },
-          [ValidFileType.Terraform],
+          [ValidFileType.Terraform, ValidFileType.TFVARS],
         );
         const {
           parsedFiles: parsedTfFiles,
           failedFiles: failedTfFiles,
         } = parseTerraformFiles(tfFilesToParse);
+
         parsedFiles = parsedFiles.concat(parsedTfFiles);
         failedFiles = failedFiles.concat(failedTfFiles);
       } catch (err) {

diff --git a/src/cli/commands/test/iac-local-execution/parsers/hcl-to-json-v2/parser.js b/src/cli/commands/test/iac-local-execution/parsers/hcl-to-json-v2/parser.js
diff --git a/src/cli/commands/test/iac-local-execution/types.ts b/src/cli/commands/test/iac-local-execution/types.ts
@@ -21,6 +21,7 @@ export enum ValidFileType {
   JSON = 'json',
   YAML = 'yaml',
   YML = 'yml',
+  TFVARS = 'tfvars',
 }
 export const VALID_FILE_TYPES = Object.values(ValidFileType);
 

diff --git a/test/fixtures/iac/terraform/var_deref/a.auto.tfvars b/test/fixtures/iac/terraform/var_deref/a.auto.tfvars
@@ -0,0 +1,4 @@
+remote_user_addr_a_auto_tfvars = ["0.0.0.0/0"]
+
+remote_user_addr_b_auto_tfvars = ["1.2.3.4/32"]
+
diff --git a/test/fixtures/iac/terraform/var_deref/b.auto.tfvars b/test/fixtures/iac/terraform/var_deref/b.auto.tfvars
@@ -0,0 +1 @@
+remote_user_addr_b_auto_tfvars = ["0.0.0.0/0"]
diff --git a/test/fixtures/iac/terraform/var_deref/sg_open_ssh.tf b/test/fixtures/iac/terraform/var_deref/sg_open_ssh.tf
@@ -10,3 +10,42 @@ resource "aws_security_group" "allow_ssh" {
     cidr_blocks = var.remote_user_addr
   }
 }
+
+resource "aws_security_group" "allow_ssh_terraform_tfvars" {
+  name        = "allow_ssh"
+  description = "Allow SSH inbound from anywhere"
+  vpc_id      = "${aws_vpc.main.id}"
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.remote_user_addr_terraform_tfvars
+  }
+}
+
+resource "aws_security_group" "allow_ssh_a_auto_tfvars" {
+  name        = "allow_ssh"
+  description = "Allow SSH inbound from anywhere"
+  vpc_id      = "${aws_vpc.main.id}"
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.remote_user_addr_a_auto_tfvars
+  }
+}
+
+resource "aws_security_group" "allow_ssh_b_auto_tfvars" {
+  name        = "allow_ssh"
+  description = "Allow SSH inbound from anywhere"
+  vpc_id      = "${aws_vpc.main.id}"
+
+  ingress {
+    from_port   = 22
+    to_port     = 22
+    protocol    = "tcp"
+    cidr_blocks = var.remote_user_addr_b_auto_tfvars
+  }
+}
diff --git a/test/fixtures/iac/terraform/var_deref/terraform.tfvars b/test/fixtures/iac/terraform/var_deref/terraform.tfvars
@@ -0,0 +1,6 @@
+remote_user_addr_terraform_tfvars = ["0.0.0.0/0"]
+
+remote_user_addr_a_auto_tfvars = ["1.2.3.4/32"]
+
+remote_user_addr_b_auto_tfvars = ["1.2.3.4/32"]
+
diff --git a/test/fixtures/iac/terraform/var_deref/variables.tf b/test/fixtures/iac/terraform/var_deref/variables.tf
@@ -2,3 +2,18 @@ variable "remote_user_addr" {
   type = list(string)
   default = ["0.0.0.0/0", "1.2.3.4/32"]
 }
+
+variable "remote_user_addr_terraform_tfvars" {
+  type = list(string)
+  default = ["1.2.3.4/32"]
+}
+
+variable "remote_user_addr_a_auto_tfvars" {
+  type = list(string)
+  default = ["1.2.3.4/32"]
+}
+
+variable "remote_user_addr_b_auto_tfvars" {
+  type = list(string)
+  default = ["1.2.3.4/32"]
+}
diff --git a/test/jest/acceptance/iac/test-directory.spec.ts b/test/jest/acceptance/iac/test-directory.spec.ts
@@ -47,7 +47,7 @@ describe('Directory scan', () => {
     expect(stdout).toContain('Failed to parse YAML file');
     expect(stdout).toContain('Failed to parse JSON file');
     expect(stdout).toContain(
-      '21 projects, 15 contained issues. Failed to test 5 projects.',
+      '21 projects, 15 contained issues. Failed to test 8 projects.',
     );
   });
 

diff --git a/test/jest/acceptance/iac/test-terraform-var-deref.spec.ts b/test/jest/acceptance/iac/test-terraform-var-deref.spec.ts
@@ -30,6 +30,15 @@ describe('Terraform Language Support', () => {
       expect(stdout).not.toContain(
         ' input > resource > aws_security_group[allow_ssh] > ingress',
       );
+      expect(stdout).not.toContain(
+        ' input > resource > aws_security_group[allow_ssh_terraform_tfvars] > ingress',
+      );
+      expect(stdout).not.toContain(
+        ' input > resource > aws_security_group[allow_ssh_a_auto_tfvars] > ingress',
+      );
+      expect(stdout).not.toContain(
+        ' input > resource > aws_security_group[allow_ssh_b_auto_tfvars] > ingress',
+      );
     });
   });
 
@@ -46,6 +55,15 @@ describe('Terraform Language Support', () => {
       expect(stdout).toContain(
         ' input > resource > aws_security_group[allow_ssh] > ingress',
       );
+      expect(stdout).toContain(
+        ' input > resource > aws_security_group[allow_ssh_terraform_tfvars] > ingress',
+      );
+      expect(stdout).toContain(
+        ' input > resource > aws_security_group[allow_ssh_a_auto_tfvars] > ingress',
+      );
+      expect(stdout).toContain(
+        ' input > resource > aws_security_group[allow_ssh_b_auto_tfvars] > ingress',
+      );
 
       expect(stdout).not.toContain(
         'Testing nested-var_deref/sg_open_ssh.tf...',
@@ -67,7 +85,7 @@ describe('Terraform Language Support', () => {
         `Tested ${path.join(
           'kubernetes',
           'pod-privileged.yaml',
-        )} for known issues, found 9 issues`,
+        )} for known issues`,
       );
 
       expect(stdout).not.toContain(
@@ -78,7 +96,7 @@ describe('Terraform Language Support', () => {
           'terraform',
           'var_deref',
           'sg_open_ssh.tf',
-        )} for known issues, found 0 issues`,
+        )} for known issues`,
       );
     });
 

diff --git a/test/jest/unit/iac/file-parser.terraform.fixtures.ts b/test/jest/unit/iac/file-parser.terraform.fixtures.ts
@@ -34,12 +34,12 @@ const terraformPlanJson = JSON.parse(terraformPlanFileContent.toString());
 export const terraformPlanMissingFieldsJson = { ...terraformPlanJson };
 export const terraformFileDataStub: IacFileData = {
   fileContent: terraformFileContent,
-  filePath: 'dont-care',
+  filePath: 'dont-care.tf',
   fileType: 'tf',
 };
 export const terraformPlanDataStub: IacFileData = {
   fileContent: terraformPlanFileContent.toString(),
-  filePath: 'dont-care',
+  filePath: 'dont-care.tf',
   fileType: 'json',
 };
 export const expectedTerraformParsingResult: IacFileParsed = {
@@ -85,7 +85,7 @@ resource "aws_security_group" "allow_ssh" {
 }`;
 export const invalidTerraformFileDataStub: IacFileData = {
   fileContent: invalidTerraformFileContent,
-  filePath: 'dont-care-invalid',
+  filePath: 'dont-care-invalid.tf',
   fileType: 'tf',
 };