open-policy-agent / conftest

Write tests against structured configuration data using the Open Policy Agent Rego query language
https://conftest.dev

inconsistent behaviour for resources that can have repeated blocks defined with HCL2 #1006

Open crivetechie opened 2 weeks ago

crivetechie commented 2 weeks ago

Hello, we are having some issues writing policies for resources that may contain repeated blocks.

It looks like the behaviour of conftest is to produce an object when there's a single block and an array if the block is repeated.

See the example below defining two kubernetes_deployment resources, the first using a single container block and the second using two container blocks:

resource "kubernetes_deployment" "example-single-block" {
  spec {
    template {
      spec {
        container {
          name = "one"
        }
      }
    }
  }
}

resource "kubernetes_deployment" "example-multiple-blocks" {
  spec {
    template {
      spec {
        container {
          name = "one"
        }
        container {
          name = "two"
        }
      }
    }
  }
}

The above is parsed as

{
  "resource": {
    "kubernetes_deployment": {
      "example-multiple-blocks": {
        "spec": {
          "template": {
            "spec": {
              "container": [
                {
                  "name": "one"
                },
                {
                  "name": "two"
                }
              ]
            }
          }
        }
      },
      "example-single-block": {
        "spec": {
          "template": {
            "spec": {
              "container": {
                "name": "one"
              }
            }
          }
        }
      }
    }
  }
}

As you can see, spec.template.spec.container is an array in example-multiple-blocks but an object in example-single-block.

According to https://github.com/open-policy-agent/conftest/issues/266 I was expecting this to be resolved, but it isn't; it looks like conftest is using version 0.3.1 of the hcl2json lib, which doesn't include the fix. I am wondering if there was a decision to lock to hcl2json@0.3.1 to avoid introducing breaking changes, and if there's any plan for upgrading to the latest version. Thank you!
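A policy that copes with both shapes, as an added example that is not part of this issue or of the conftest project's own code: the helper containers() normalizes spec.template.spec.container to a list whether the parser emitted a single object or an array, and the deny rule then walks every container the same way. The digest-pinning check, the package name main and the file name used in the usage note are assumptions for illustration.

```rego
package main

# Return the container blocks of a pod spec as a list, whether the
# HCL parser emitted a single object (one block) or an array (repeated blocks).
containers(pod_spec) := c {
	is_array(pod_spec.container)
	c := pod_spec.container
}

containers(pod_spec) := c {
	is_object(pod_spec.container)
	c := [pod_spec.container]
}

# Illustrative check (assumed policy, not from the issue): an image counts as
# pinned only when it is referenced by digest. `image` is an attribute, not a
# block, so its shape does not depend on the single-vs-repeated block behaviour.
pinned(c) {
	contains(c.image, "@sha256:")
}

deny[msg] {
	dep := input.resource.kubernetes_deployment[name]
	cs := containers(dep.spec.template.spec)
	c := cs[_]
	not pinned(c)
	cname := object.get(c, "name", "<unnamed>")
	msg := sprintf("kubernetes_deployment %q: container %q must reference its image by digest", [name, cname])
}
```

With the policy saved under policy/ and the two resources above in deployments.tf, `conftest test deployments.tf -p policy/` traverses one container in example-single-block and two in example-multiple-blocks; since none of them sets an image, all three are reported. Because the helper accepts either shape, the same policy keeps working if the parser's output for single blocks changes after a dependency upgrade.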

jalseth commented 1 week ago

@crivetechie We don't lock dependencies, but we typically only bump them if there is a reported issue. Can you confirm if updating this dependency solves your problem?

crivetechie commented 1 week ago

@jalseth updating the dependency solves the problem; however, it introduces a list of changes that will break existing policies.

I've opened a PR in my fork to demonstrate the impact of upgrading to latest version: https://github.com/crivetechie/conftest/pull/1/files