turbot / steampipe-mod-aws-tags

Is your AWS tagging strategy following best practice? This mod checks if your AWS resource tags are set correctly to help you manage them effectively using Powerpipe and Steampipe.
https://hub.powerpipe.io/mods/turbot/aws_tags
Apache License 2.0

Error: failed to load workspace: Value for undeclared variable: "mandatory_tags". #50

Closed andymadge closed 1 month ago

andymadge commented 2 months ago

Describe the bug

When trying to set variables for a benchmark I get an error:

~$ powerpipe benchmark run aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'
Error: failed to load workspace: Value for undeclared variable: "mandatory_tags". If you meant to use this value, add a "variable" block to the mod.

Powerpipe version (powerpipe -v)

Powerpipe v0.4.0

Steampipe version (steampipe -v)

Steampipe v0.23.2

Plugin version (steampipe plugin list)

hub.steampipe.io/plugins/turbot/aws@0.138.0
github.com/turbot/steampipe-mod-aws-tags@v0.13.0

To reproduce

  1. Ensure Steampipe/Powerpipe and this plugin are installed and working
  2. Confirm the benchmark works with defaults:
    powerpipe benchmark run aws_tags.benchmark.mandatory
  3. Add a variable to that benchmark. This is the example from the README:
    powerpipe benchmark run aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]'

    Output is the following error:

    Error: failed to load workspace: Value for undeclared variable: "mandatory_tags". If you meant to use this value, add a "variable" block to the mod.

Expected behavior

Benchmark should run correctly without the error

Additional context

If I try to set the variable in file steampipe.spvars I get the following similar error, but the benchmark does run, albeit with the default variable values.

Warning: Value for undeclared variable: "mandatory_tags". If you meant to use this value, add a "variable" block to the mod.

The same issue happens for all the benchmarks, and all variables I have tried, including:

khushboo9024 commented 2 months ago

Hi andymadge, Apologies that you are facing this issue. We tried to reproduce it on our end, but everything works fine for us. Could you please check if the variable mandatory_tags is defined in the (controls/mandatory.sp) file? That might be the cause of the issue.

Thanks.

andymadge commented 2 months ago

Hi @khushboo9024,

Yes the variable is definitely defined. It must be because it works for the defaults.

The file contains:

variable "mandatory_tags" {
  type        = list(string)
  description = "A list of mandatory tags to check for."
  default     = ["Environment", "Owner"]
}

If I run:

powerpipe benchmark run aws_tags.benchmark.mandatory

I get output like this (I've redacted the account numbers):

+ CloudTrail trails should have mandatory tags ..........................................................................................................................   2 /   2 [=         ]
| | 
| ALARM: OrganisationTrail is missing tags: Environment, Owner. ......................................................................................................... eu-west-2 ************
| ALARM: OrganisationTrail is missing tags: Environment, Owner. ......................................................................................................... eu-west-1 ************

If I modify the file /Users/andym/powerpipe/aws-tags/.powerpipe/mods/github.com/turbot/steampipe-mod-aws-tags@v0.13.0/controls/mandatory.sp by adding an extra value to the default:

variable "mandatory_tags" {
  type        = list(string)
  description = "A list of mandatory tags to check for."
  default     = ["Environment", "Owner", "Testing"]
}

That behaves as expected and checks the new value:

+ CloudTrail trails should have mandatory tags ..........................................................................................................................   2 /   2 [=         ]
| | 
| ALARM: OrganisationTrail is missing tags: Environment, Owner, Testing. ................................................................................................ eu-west-2 ************
| ALARM: OrganisationTrail is missing tags: Environment, Owner, Testing. ................................................................................................ eu-west-1 ************

I've started a new project from scratch as follows:

$ mkdir test

$ cd test

$ powerpipe mod init
Created mod definition file '/Users/andym/powerpipe/test/mod.pp'

$ powerpipe mod install github.com/turbot/steampipe-mod-aws-tags
Installed 1 mod:

local
└── github.com/turbot/steampipe-mod-aws-tags@v0.13.0

This makes no difference.

Running powerpipe benchmark run aws_tags.benchmark.mandatory works properly.

Running powerpipe benchmark run aws_tags.benchmark.mandatory --var 'mandatory_tags=["Application", "Environment", "Department", "Owner"]' fails with the error

andymadge commented 2 months ago

I've just been reading this:

Passing Variables for Dependency Mods

A Powerpipe mod can depend on other mods, and those dependency mods may include variables that you would like to pass. To set them, prefix the variable names with the mod alias and then set them like any other variable.

It doesn't seem like this should be relevant, because everything here is within a single mod, but I thought I'd give it a try, and it worked.

I changed the variable name in the command from mandatory_tags to aws_tags.mandatory_tags like this:

powerpipe benchmark run aws_tags.benchmark.mandatory --var 'aws_tags.mandatory_tags=["Application", "Environment", "Department", "Owner"]'

And it now runs without the error.

Does this help to diagnose why the normal command doesn't work?

khushboo9024 commented 2 months ago

@andymadge Thanks for figuring this out, and apologies for the trouble caused by the wrong syntax in the command. We will update it as soon as possible. Thanks.

andymadge commented 2 months ago

Didn't you say it worked for you though? Does that mean there's something different in my config somewhere causing it to not work?

khushboo9024 commented 2 months ago

@andymadge I was checking from my existing cloned repo, and it worked fine there. I was able to reproduce the issue by following the steps mentioned by you above. Thanks.

andymadge commented 2 months ago

FYI I've discovered exactly the same issue exists in the aws-thrifty repo

khushboo9024 commented 1 month ago

Apologies for the late reply. Thank you, @andymadge, for the information. We will update the aws-thrifty repo docs as well.