Terraform merge not working correctly

[dwilliams782]

• terrascan version: v1.5.1
• Operating System: os X

Description

We have a custom module in Terraform that has the following logic to build labels:

  labels = merge({
    "terraform_managed" = "true",
    "module_source"     = "terraform-module-gcs"
    "name"              = replace(var.name, ".", "-")
  }, var.labels)

And the input to the module is as such:

labels = {
    team        = "devops"
    purpose     = "helm-charts-in-dev"
    environment = "development"
  }

From this, we obviously expect to see:

labels = {
    team        = "devops"
    purpose     = "helm-charts-in-dev"
    environment = "development"
    terraform_managed = "true"
    module_source = "terraform-module-gcs"
  }

When scanning with config only, we get the following output (I've removed a bunch of it):

"google_storage_bucket": [
    {
      "id": "google_storage_bucket.this",
      "name": "this",
      "source": "../../../../../../var/folders/n_/q8zgt0vn51gczm9dwd5v8mwm0000gn/T/ul41qd/main.tf",
      "line": 5,
      "type": "google_storage_bucket",
      "config": {
        "labels": {
          "environment": "development",
          "purpose": "helm-charts-in-dev",
          "team": "devops"
        }
    }
  ]

I expected to see the merged labels in the rendered output. The debug logs shows:

2021-05-04T11:18:46.757+0100    debug   commons/variable-references.go:109      resolving variable ref "${merge({\n    \"terraform_managed\" = \"true\",\n    \"module_source\"     = \"terraform-module-gcs\"\n    \"name\"              = replace(var.name, \".\", \"-\")\n  }, var.labels)}" in parent module call
2021-05-04T11:18:46.757+0100    debug   commons/variable-references.go:57       extracted variable name "name" from reference "${merge({\n    \"terraform_managed\" = \"true\",\n    \"module_source\"     = \"terraform-module-gcs\"\n    \"name\"              = replace(var.name, \".\", \"-\")\n  }, var.labels)}"
2021-05-04T11:18:46.757+0100    debug   commons/variable-references.go:155      resolved str variable ref: '${merge({
    "terraform_managed" = "true",
    "module_source"     = "terraform-module-gcs"
    "name"              = replace(var.name, ".", "-")
  }, var.labels)}', value: '${merge({
    "terraform_managed" = "true",
    "module_source"     = "terraform-module-gcs"
    "name"              = replace(testingtestingtesting, ".", "-")
  }, var.labels)}'
2021-05-04T11:18:46.757+0100    debug   commons/variable-references.go:109      resolving variable ref "${merge({\n    \"terraform_managed\" = \"true\",\n    \"module_source\"     = \"terraform-module-gcs\"\n    \"name\"              = replace(testingtestingtesting, \".\", \"-\")\n  }, var.labels)}" in parent module call
2021-05-04T11:18:46.757+0100    debug   commons/variable-references.go:57       extracted variable name "labels" from reference "${merge({\n    \"terraform_managed\" = \"true\",\n    \"module_source\"     = \"terraform-module-gcs\"\n    \"name\"              = replace(testingtestingtesting, \".\", \"-\")\n  }, var.labels)}"
2021-05-04T11:18:46.757+0100    debug   commons/variable-references.go:160      resolved variable ref: '${merge({
    "terraform_managed" = "true",
    "module_source"     = "terraform-module-gcs"
    "name"              = replace(testingtestingtesting, ".", "-")
  }, var.labels)}', value: 'map[environment:development purpose:helm-charts-in-dev team:devops]'

What I Did

terrascan scan -t gcp --config-only -o json -l debug

[devang-gaur]

What's the version of terraform you're using? @dwilliams782

[dwilliams782]

What's the version of terraform you're using? @dwilliams782

Hi @dev-gaur , we are pinned on v0.14.7