Open kyorav opened 2 years ago
We are missing proper support for for_each currently. It's on our roadmap, and I think the implementation will be similar to #321 but we haven't gotten around to this yet.
Thanks @jaspervdj-luminal. If I understand correctly, you will be implementing Terraform's logic for unrolling for_each behind the scenes. I believe a more general solution would be to enhance Terraform so that the plan file would have the necessary information, making the solution available for everyone. I am considering opening a feature request -- would you support my request? Do you have input on how this should be solved on the Terraform side? If you are interested in a discussion, I am available on the OPA slack workspace (@Karen Yorav)
This was addressed by https://github.com/fugue/regula/pull/383 and should work in regula v3.0.0.
@jaspervdj-luminal I tried with regula v3.2.1 and I still see FG_R00054 failing with the same output as before. Is there some argument I need to set to make for_each work properly?
Describe the bug
I am not 100% sure this is a bug, I might be using Regula incorrectly. I believe I am getting incorrect results from FG_R00054 when using for_each in the terraform definition for the vpc reference.

How you're running Regula
When running "regula version" I get the following:

I'm running it on a terraform plan file generated with Terraform v1.1.7, executing the following command:

Operating System
Windows

Steps to reproduce
Create the main.tf file below, generate the plan file, run regula. The output I am getting is:

IaC Configuration
I believe FG_R00054 should pass on the following terraform file:

Additional context
I am writing rules for boundary protection, which requires a lot of jumping over references. I encountered issues when the terraform template uses for_each, in which case it is difficult to resolve references from the "configuration" section of the plan file. I wanted to see how others solved the problem so I tried regula's AWS flow-logs rule, which is very similar to some of the things I am trying to do (although I am not working with the AWS provider).
I am using this issue as a means to contact Regula maintainers for a discussion. Feel free to close this issue if it is not a bug and not the right venue for a discussion.
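As an added illustration of the reference-resolution problem described in the issue (not code from Regula or its maintainers), here is a small Python resolver over a constructed plan fragment that maps each for_each-expanded flow log back to the VPC instance it references and reports VPCs that no flow log points at. It assumes that a reference going through each.key or each.value pairs instances with matching keys, and that the plan's references list keeps only the static prefix (aws_vpc.main) plus each.key for an expression like aws_vpc.main[each.key].id.

```python
import json

# Constructed Terraform plan fragment (not from the issue): two VPCs created
# with for_each, but a flow log is only planned for one of them.
PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": 'aws_vpc.main["a"]', "type": "aws_vpc", "index": "a"},
        {"address": 'aws_vpc.main["b"]', "type": "aws_vpc", "index": "b"},
        {"address": 'aws_flow_log.main["a"]', "type": "aws_flow_log", "index": "a"},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "for_each_expression": {"references": ["var.vpcs"]}},
        # vpc_id = aws_vpc.main[each.key].id: the plan records only the static
        # prefix of the traversal plus the each.* reference, not the key.
        {"address": "aws_flow_log.main", "type": "aws_flow_log",
         "for_each_expression": {"references": ["aws_vpc.main"]},
         "expressions": {"vpc_id": {"references": ["each.key", "aws_vpc.main"]}}},
    ]}},
}

def instances(plan, rtype):
    """Planned instance address -> index key, for one resource type."""
    return {r["address"]: r.get("index")
            for r in plan["planned_values"]["root_module"]["resources"]
            if r["type"] == rtype}

def resolve_refs(plan, rtype, attr):
    """Resolve attr on each rtype instance to a target address. Assumption: a
    reference via each.key/each.value means instance key == target key (true
    for for_each = aws_vpc.main or aws_vpc.main[each.key]); else None/static."""
    block = next(r for r in plan["configuration"]["root_module"]["resources"]
                 if r["type"] == rtype)
    refs = block.get("expressions", {}).get(attr, {}).get("references", [])
    targets = [r for r in refs if not r.startswith(("each.", "var.", "local."))]
    per_key = any(r.startswith("each.") for r in refs)
    resolved = {}
    for addr, key in instances(plan, rtype).items():
        if not targets:
            resolved[addr] = None
        elif per_key and key is not None:
            resolved[addr] = f"{targets[0]}[{json.dumps(key)}]"
        else:
            resolved[addr] = targets[0]
    return resolved

def vpcs_without_flow_log(plan):
    """VPC instances no planned flow log points at (what FG_R00054 looks for)."""
    covered = set(resolve_refs(plan, "aws_flow_log", "vpc_id").values())
    return sorted(a for a in instances(plan, "aws_vpc") if a not in covered)
```

Run against the constructed plan, vpcs_without_flow_log(PLAN) returns only aws_vpc.main["b"], the instance with no matching flow log.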