terraform-compliance / cli

a lightweight, security focused, BDD test framework against terraform.
https://terraform-compliance.com
MIT License

Tag check failing for "(Known after apply resources)" #642

Open clanbc opened 2 years ago

clanbc commented 2 years ago

Description

Feature: Ensure all Tags are present

  Scenario Outline: Ensure that specific tags are defined
    Given I have resource that supports tags defined
    When it has tags
    Then it must contain tags
    Then it must contain "<tags>"
    And its value must match the "<value>" regex

Is failing on some resources where a terraform plan provides a "(known after apply)" for tag value, i.e.:

  # aws_cloudwatch_log_group.vpc will be created
  + resource "aws_cloudwatch_log_group" "vpc" {
      + arn               = (known after apply)
      + id                = (known after apply)
      + kms_key_id        = (known after apply)
      + name              = (known after apply)
      + retention_in_days = 365
      + tags              = (known after apply)
      + tags_all          = (known after apply)
    }

To Reproduce

Sample Terraform Code:

resource "aws_subnet" "public" {
  count                   = local.public_subnets_size
  vpc_id                  = aws_vpc.vpc.id
  cidr_block              = element(lookup(var.vpc_info, "public-subnets"), count.index)
  availability_zone       = element(local.sorted_azs, count.index)
  map_public_ip_on_launch = "false"

  tags = merge(
    var.tags,
    {
      # Get the last 2 chars of "af-south-1x" to give unique subnet names i.e. public-1a
      "Name" = "public-${substr(element(local.sorted_azs, count.index), 9, 2)}"
    },
  )
}

Terraform code for a failing resource:

resource "aws_internet_gateway" "vpc-igw" {
  count  = lookup(var.vpc_info, "igw")
  vpc_id = aws_vpc.vpc.id

  tags = merge(
    var.tags,
    {
      "Name" = "${aws_vpc.vpc.id}-igw"
    },
  )
}

Plan File: plan.out.json.zip

Used terraform-compliance Parameters: The terraform compliance steps were carried out using the action:

      - name: terraform-compliance
        uses: terraform-compliance/github_action@0357bd3be2b0a5739f5c09c64366d50f64a9056f
        with:
          plan: plan.out.json
          features: ./features

Error Output:

Failure: aws_internet_gateway.vpc-igw[0] (resource that supports tags) does not have module_name property.

Feature File:

Feature: Ensure all Tags are present

  Scenario Outline: Ensure that specific tags are defined
    Given I have resource that supports tags defined
    When it has tags
    Then it must contain tags
    Then it must contain "<tags>"
    And its value must match the "<value>" regex

    Examples:
      | tags            | value  |
      | account_name    | .+     |
      | data_type       | .+     |
      | module_name     | .+     |
      | service_related | .+     |
      | squad           | .+     |

Expected Behavior: compliance step to pass
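A way to tell "tags missing" apart from "tags not yet known" in the plan JSON this issue is about, as an added example in Python that is not from the issue or from the terraform-compliance project: it reads the `after` and `after_unknown` fields that `terraform show -json` emits per resource change, and uses a constructed plan fragment instead of the attached plan.out.json.

```python
import json

# Constructed `resource_changes` fragment of a `terraform show -json` plan.
# It mirrors the two cases from the issue: a subnet whose tags are fully known,
# and an internet gateway whose tags are "(known after apply)". This is not the
# issue's real plan.out.json.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {
            "address": "aws_subnet.public[0]",
            "type": "aws_subnet",
            "change": {
                "actions": ["create"],
                "after": {"tags": {"Name": "public-1a", "module_name": "vpc"}},
                "after_unknown": {"arn": True, "id": True},
            },
        },
        {
            "address": "aws_internet_gateway.vpc-igw[0]",
            "type": "aws_internet_gateway",
            "change": {
                "actions": ["create"],
                # tags are absent from `after` and flagged in `after_unknown`,
                # which is how the plan encodes "(known after apply)"
                "after": {},
                "after_unknown": {"arn": True, "id": True, "tags": True, "tags_all": True},
            },
        },
    ],
})

# Same required tag names as the feature file's Examples table
REQUIRED_TAGS = ("account_name", "data_type", "module_name", "service_related", "squad")

def classify_tags(plan_json, required=REQUIRED_TAGS):
    """Map each planned resource to ("known", [missing tags]), ("unknown", None)
    or ("absent", None), so unknown-after-apply tags are not reported as missing."""
    result = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing to tag after the apply
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if unknown.get("tags") is True:  # whole map resolved only at apply time
            result[rc["address"]] = ("unknown", None)
        elif "tags" in after:
            tags = after["tags"] or {}
            result[rc["address"]] = ("known", [t for t in required if t not in tags])
        else:
            result[rc["address"]] = ("absent", None)
    return result
```

Resources reported as "unknown" still need a post-apply check (for example against state) before the tag policy can be considered enforced for them.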