Panic: Invalid reference error when issues are emitted with non-expression range

[bendrucker]

Discussed in #84

Prematurely converted this to a discussion. Belongs as an issue in the opa repo.

^{Originally posted by ericsaboia February 4, 2024}

Summary

Hi, I'm using tflint-ruleset-opa to set an issue when the resource signalfx_detector is missing a notifications attribute inside rule.

The rule works fine when validating my detector, but if I include a main.tf file that loads my defective detector, tflint fails with the error pasted in the output section. I even tried to exclude main.tf with # tflint-ignore-file: all, but it still fails.

My folder structure is:

.tflind.d/policies/
  - tags.rego
detectors
  - example.tf 
.tflint.hcl   
main.tf

main.tf:

module "detectors" {
  source = "./detectors"
}

detectors/example.tf:

resource "signalfx_detector" "test" {
  # Should fail as it's missing "notifications"
  rule {
    severity              = "Warning"
  }
}

.tflind.d/policies/tags.rego:

package tflint
import future.keywords.contains
import future.keywords.if

detectors := terraform.resources("signalfx_detector", {"rule": {"notifications": "any"}}, {})

detector_rule contains rule if {
  rule := detectors[_].config.rule[_]
}

# Missing notifications declaration inside rule
deny_signalfx_detector_without_notification[issue] {
  detector_rule[i].config == {}
  issue := tflint.issue("Missing notifications declaration inside rule", detector_rule[i].decl_range)
}

Command

TFLINT_OPA_POLICY_DIR="$(pwd)/.tflint.d/policies/" tflint --config "$(pwd)/.tflint.hcl" --recursive

Terraform Configuration

none

TFLint Configuration

plugin "opa" {
  enabled = true
  version = "0.5.0"
  source  = "github.com/terraform-linters/tflint-ruleset-opa"
}

plugin "terraform" {
  enabled = false
}

Output

panic: detectors/example.tf:3,3-7: Invalid reference; A reference to a resource type must be followed by at least one attribute access, specifying the resource name.

goroutine 88 [running]:
github.com/terraform-linters/tflint/tflint.listVarRefs({0x10342b058?, 0x140001349c0?})
	github.com/terraform-linters/tflint/tflint/runner.go:326 +0x150
github.com/terraform-linters/tflint/tflint.(*Runner).listModuleVars(0x1400068f7a0, {0x10342b058?, 0x140001349c0?})
	github.com/terraform-linters/tflint/tflint/runner.go:314 +0x34
github.com/terraform-linters/tflint/tflint.(*Runner).EmitIssue(0x1400068f7a0, {0x10ad35998?, 0x140001ec3c0}, {0x140001442a0, 0x2d}, {{0x1400012e600, 0x14}, {0x3, 0x3, 0x58}, ...}, ...)
	github.com/terraform-linters/tflint/tflint/runner.go:240 +0x6c
github.com/terraform-linters/tflint/plugin.(*GRPCServer).EmitIssue.func1(...)
	github.com/terraform-linters/tflint/plugin/server.go:202
github.com/terraform-linters/tflint/tflint.(*Runner).WithExpressionContext(...)
	github.com/terraform-linters/tflint/tflint/runner.go:263
github.com/terraform-linters/tflint/plugin.(*GRPCServer).EmitIssue(0x140006082a0, {0x10342fd50?, 0x140001ec3c0}, {0x140001442a0, 0x2d}, {{0x1400012e600, 0x14}, {0x3, 0x3, 0x58}, ...}, ...)
	github.com/terraform-linters/tflint/plugin/server.go:201 +0x11c
github.com/terraform-linters/tflint-plugin-sdk/plugin/internal/plugin2host.(*GRPCServer).EmitIssue(0x14000708ad0, {0x102dcb070?, 0x10?}, 0x140006517c0)
	github.com/terraform-linters/tflint-plugin-sdk@v0.18.0/plugin/internal/plugin2host/server.go:164 +0x1bc
github.com/terraform-linters/tflint-plugin-sdk/plugin/internal/proto._Runner_EmitIssue_Handler.func1({0x10342b4b8, 0x140000ddce0}, {0x103386d80?, 0x140006517c0})
	github.com/terraform-linters/tflint-plugin-sdk@v0.18.0/plugin/internal/proto/tflint_grpc.pb.go:722 +0x74
github.com/terraform-linters/tflint-plugin-sdk/plugin/internal/host2plugin.(*GRPCClient).Check.func1.RequestLogging.func1({0x10342b4b8, 0x140000ddce0}, {0x103386d80?, 0x140006517c0?}, 0x14000175f00, 0x14000800108)
	github.com/terraform-linters/tflint-plugin-sdk@v0.18.0/plugin/internal/interceptor/logging.go:16 +0x1a8
github.com/terraform-linters/tflint-plugin-sdk/plugin/internal/proto._Runner_EmitIssue_Handler({0x10339bb00?, 0x14000708ad0}, {0x10342b4b8, 0x140000ddce0}, 0x14000452500, 0x1400000f770)
	github.com/terraform-linters/tflint-plugin-sdk@v0.18.0/plugin/internal/proto/tflint_grpc.pb.go:724 +0x12c
google.golang.org/grpc.(*Server).processUnaryRPC(0x140001b8400, {0x10342b4b8, 0x140000dd650}, {0x103431088, 0x14000283860}, 0x1400061fe60, 0x14000413c20, 0x103c6d748, 0x0)
	google.golang.org/grpc@v1.60.1/server.go:1372 +0xb8c
google.golang.org/grpc.(*Server).handleStream(0x140001b8400, {0x103431088, 0x14000283860}, 0x1400061fe60)
	google.golang.org/grpc@v1.60.1/server.go:1783 +0xc4c
google.golang.org/grpc.(*Server).serveStreams.func2.1()
	google.golang.org/grpc@v1.60.1/server.go:1016 +0x5c
created by google.golang.org/grpc.(*Server).serveStreams.func2 in goroutine 74
	google.golang.org/grpc@v1.60.1/server.go:1027 +0x138

TFLint Version

0.50.2

Terraform Version

No response

Operating System

• Linux
• macOS
• Windows

[bendrucker]

Did a bit of debugging. The reason for the panic is that the emitted expression is not valid. The hcl.Expression passed into listModuleVars is just rule, as in the block name. Thus the error.

Use of --recursive is irrelevant. The issue here is that when the root module is evaluated, any issues omitted from child modules are suppressed unless they are caused by a variable. By definition, a module call with only source cannot have issues, since there is no configuration. Only when the child module itself is evaluated (which in this case happens as a side effect of recursion) does this come up.

[bendrucker]

Switching to range should clear this error up by providing a range with a valid expression. Leaving this open to cover any documentation and error handling changes that might be appropriate.

[bendrucker]

Dug deeper, actually only decl_range is defined. Switching to range just causes the policy to be a noop by breaking it.

This is actually the issue:

https://github.com/terraform-linters/tflint/blob/5ed807d0d4ab05fc81d9b3c9db623d3ee937ba2e/plugin/server.go#L192-L198

Which in turn just attempts to parse the expression:

https://github.com/terraform-linters/tflint/blob/5ed807d0d4ab05fc81d9b3c9db623d3ee937ba2e/plugin/server.go#L213

But that isn't sufficient for expression detection. It avoids any labeled blocks but it's still going to treat an unlabeled block's name (minus curly braces) as an expression.

I don't see how we can detect this without asking plugins to specify whether they're emitting an issue about an expression or a declaration.

Keeping this open but also re-opening a TFLint issue to cover this.