BREAKING CHANGE: Dropping support for Terraform plans in JSON input #5950
Closed
simar7
started this conversation in
Development
Replies: 3 comments 3 replies
-
|
@nikpivkin as I was further researching this, I thought of the idea to convert the input JSON back into HCL and then to parse it. For example: func toHCL() error {
input, err := ioutil.ReadAll(os.Stdin)
if err != nil {
return fmt.Errorf("unable to read from stdin: %s", err)
}
ast, err := jsonParser.Parse([]byte(input))
if err != nil {
return fmt.Errorf("unable to parse JSON: %s", err)
}
err = printer.Fprint(os.Stdout, ast)
if err != nil {
return fmt.Errorf("unable to print HCL: %s", err)
}
return nil
}Taken from: https://github.com/kvz/json2hcl/blob/master/main.go#L62C1-L79C2 Seems to be evaluated fine as we convert back into HCL and can use You can use the below as input for testing:
resource "aws_athena_database" "good_example" {
name = "database_name"
bucket = aws_s3_bucket.hoge.bucket
encryption_configuration {
encryption_option = "SSE_KMS"
kms_key_arn = aws_kms_key.example.arn
}
}Equivalent {
"resource": {
"aws_athena_database": {
"good_example": [
{
"bucket": "${aws_s3_bucket.hoge.bucket}",
"encryption_configuration": [
{
"encryption_option": "SSE_KMS",
"kms_key_arn": "${aws_kms_key.example.arn}"
}
],
"name": "database_name"
}
]
}
}
} |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
Here is an example of a broken configuration that generates json2html: "//" "metadata" {
"backend" = "local"
"stackName" = "cdktf-eval"
"version" = "0.18.0"
}
"//" "outputs" "cdktf-eval" "tfBackend" {
"bucket" = "tfBackend_bucket_4FB869C0"
"key_id" = "tfBackend_key_id_057987E4"
"table" = "tfBackend_table_289B9B8E"
}
"output" "tfBackend_bucket_4FB869C0" {
"value" = "${aws_s3_bucket.tfBackend_TerraformBackendBucket_CC1A7B64.id}"
}
"output" "tfBackend_key_id_057987E4" {
"value" = "${aws_kms_key.tfBackend_TerraformBackendKey_F8E2509B.id}"
}
"output" "tfBackend_table_289B9B8E" {
"value" = "${aws_dynamodb_table.tfBackend_TerraformBackendLock_D9C1475E.name}"
}
"provider" = {
"aws" = {
"region" = "us-east-1"
}
}
"resource" "aws_dynamodb_table" "tfBackend_TerraformBackendLock_D9C1475E" {
"//" "metadata" {
"path" = "cdktf-eval/tfBackend/TerraformBackendLock"
"uniqueId" = "tfBackend_TerraformBackendLock_D9C1475E"
}
"attribute" = {
"name" = "LockID"
"type" = "S"
}
"billing_mode" = "PAY_PER_REQUEST"
"hash_key" = "LockID"
"name" = "terraform-backend-lock"
}
"resource" "aws_kms_alias" "tfBackend_TerraformBackendAlias_7688F893" {
"//" "metadata" {
"path" = "cdktf-eval/tfBackend/TerraformBackendAlias"
"uniqueId" = "tfBackend_TerraformBackendAlias_7688F893"
}
"name" = "alias/terraform-backend-key"
"target_key_id" = "${aws_kms_key.tfBackend_TerraformBackendKey_F8E2509B.id}"
}
"resource" "aws_kms_key" "tfBackend_TerraformBackendKey_F8E2509B" {
"//" "metadata" {
"path" = "cdktf-eval/tfBackend/TerraformBackendKey"
"uniqueId" = "tfBackend_TerraformBackendKey_F8E2509B"
}
"deletion_window_in_days" = 7
"description" = "Terraform Backend Key"
"enable_key_rotation" = true
}
"resource" "aws_s3_bucket" "tfBackend_TerraformBackendBucket_CC1A7B64" {
"//" "metadata" {
"path" = "cdktf-eval/tfBackend/TerraformBackendBucket"
"uniqueId" = "tfBackend_TerraformBackendBucket_CC1A7B64"
}
"acl" = "private"
"server_side_encryption_configuration" "rule" "apply_server_side_encryption_by_default" {
"kms_master_key_id" = "${aws_kms_key.tfBackend_TerraformBackendKey_F8E2509B.arn}"
"sse_algorithm" = "aws:kms"
}
"versioning" = {
"enabled" = true
"mfa_delete" = false
}
}
"resource" "aws_s3_bucket_public_access_block" "tfBackend_TerraformBackendBucketPublicAccessBlock_E076B36D" {
"//" "metadata" {
"path" = "cdktf-eval/tfBackend/TerraformBackendBucketPublicAccessBlock"
"uniqueId" = "tfBackend_TerraformBackendBucketPublicAccessBlock_E076B36D"
}
"block_public_acls" = true
"block_public_policy" = true
"bucket" = "${aws_s3_bucket.tfBackend_TerraformBackendBucket_CC1A7B64.id}"
"ignore_public_acls" = true
"restrict_public_buckets" = true
}
"terraform" "backend" "local" {
"path" = "/Users/tososomaru/projects/trivy-test/issue-5080/terraform.cdktf-eval.tfstate"
}
"terraform" "required_providers" "aws" {
"source" = "aws"
"version" = "5.17.0"
}What the provider configuration block should look like: provider "google" {
project = "acme-app"
region = "us-central1"
}
Perhaps we can pre-clear the json of comments and unnecessary blocks like terrafrom. |
Beta Was this translation helpful? Give feedback.
3 replies
-
I think so. In my limited testing, I didn't run into this kind of bogus output but certainly it is possible as you highlighted. I took the following as my input:
provider "aws" {
region = "eu-central-1"
}
resource "aws_s3_bucket" "example" {
bucket = "example"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
kms_master_key_id = "arn"
sse_algorithm = "aws:kms"
}
}
}
logging {
target_bucket = "target-bucket"
}
versioning {
enabled = true
}
}
resource "aws_s3_bucket_public_access_block" "good_example" {
bucket = aws_s3_bucket.example.id
block_public_policy = true
block_public_acls = true
ignore_public_acls = true
restrict_public_buckets = true
}
resource "aws_kms_key" "example" {
description = "KMS key 1"
deletion_window_in_days = 10
enable_key_rotation = true
}
resource "aws_athena_database" "example" {
name = "database_name"
bucket = aws_s3_bucket.example.id
encryption_configuration {
encryption_option = "SSE_KMS"
kms_key = aws_kms_key.example.arn
}
}And after a
"format_version" = "1.2"
"terraform_version" = "1.5.4"
"planned_values" "root_module" {
"resources" = {
"address" = "aws_athena_database.example"
"mode" = "managed"
"type" = "aws_athena_database"
"name" = "example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"schema_version" = 0
"values" = {
"acl_configuration" = []
"comment" =
"encryption_configuration" = {
"encryption_option" = "SSE_KMS"
}
"expected_bucket_owner" =
"force_destroy" = false
"name" = "database_name"
"properties" =
}
"sensitive_values" = {
"acl_configuration" = []
"encryption_configuration" = {}
}
}
"resources" = {
"address" = "aws_kms_key.example"
"mode" = "managed"
"type" = "aws_kms_key"
"name" = "example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"schema_version" = 0
"values" = {
"bypass_policy_lockout_safety_check" = false
"custom_key_store_id" =
"customer_master_key_spec" = "SYMMETRIC_DEFAULT"
"deletion_window_in_days" = 10
"description" = "KMS key 1"
"enable_key_rotation" = true
"is_enabled" = true
"key_usage" = "ENCRYPT_DECRYPT"
"tags" =
"timeouts" =
"xks_key_id" =
}
"sensitive_values" "tags_all" {}
}
"resources" = {
"address" = "aws_s3_bucket.example"
"mode" = "managed"
"type" = "aws_s3_bucket"
"name" = "example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"schema_version" = 0
"values" = {
"bucket" = "example"
"force_destroy" = false
"logging" = {
"target_bucket" = "target-bucket"
"target_prefix" =
}
"server_side_encryption_configuration" = {
"rule" = {
"apply_server_side_encryption_by_default" = {
"kms_master_key_id" = "arn"
"sse_algorithm" = "aws:kms"
}
"bucket_key_enabled" =
}
}
"tags" =
"timeouts" =
"versioning" = {
"enabled" = true
"mfa_delete" = false
}
}
"sensitive_values" = {
"cors_rule" = []
"grant" = []
"lifecycle_rule" = []
"logging" = {}
"object_lock_configuration" = []
"replication_configuration" = []
"server_side_encryption_configuration" = {
"rule" = {
"apply_server_side_encryption_by_default" = {}
}
}
"tags_all" = {}
"versioning" = {}
"website" = []
}
}
"resources" = {
"address" = "aws_s3_bucket_public_access_block.good_example"
"mode" = "managed"
"type" = "aws_s3_bucket_public_access_block"
"name" = "good_example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"schema_version" = 0
"values" = {
"block_public_acls" = true
"block_public_policy" = true
"ignore_public_acls" = true
"restrict_public_buckets" = true
}
"sensitive_values" = {}
}
}
"resource_changes" = {
"address" = "aws_athena_database.example"
"mode" = "managed"
"type" = "aws_athena_database"
"name" = "example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"change" = {
"actions" = ["create"]
"before" =
"after" = {
"acl_configuration" = []
"comment" =
"encryption_configuration" = {
"encryption_option" = "SSE_KMS"
}
"expected_bucket_owner" =
"force_destroy" = false
"name" = "database_name"
"properties" =
}
"after_unknown" = {
"acl_configuration" = []
"bucket" = true
"encryption_configuration" = {
"kms_key" = true
}
"id" = true
}
"before_sensitive" = false
"after_sensitive" = {
"acl_configuration" = []
"encryption_configuration" = {}
}
}
}
"resource_changes" = {
"address" = "aws_kms_key.example"
"mode" = "managed"
"type" = "aws_kms_key"
"name" = "example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"change" = {
"actions" = ["create"]
"before" =
"after" = {
"bypass_policy_lockout_safety_check" = false
"custom_key_store_id" =
"customer_master_key_spec" = "SYMMETRIC_DEFAULT"
"deletion_window_in_days" = 10
"description" = "KMS key 1"
"enable_key_rotation" = true
"is_enabled" = true
"key_usage" = "ENCRYPT_DECRYPT"
"tags" =
"timeouts" =
"xks_key_id" =
}
"after_unknown" = {
"arn" = true
"id" = true
"key_id" = true
"multi_region" = true
"policy" = true
"tags_all" = true
}
"before_sensitive" = false
"after_sensitive" "tags_all" {}
}
}
"resource_changes" = {
"address" = "aws_s3_bucket.example"
"mode" = "managed"
"type" = "aws_s3_bucket"
"name" = "example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"change" = {
"actions" = ["create"]
"before" =
"after" = {
"bucket" = "example"
"force_destroy" = false
"logging" = {
"target_bucket" = "target-bucket"
"target_prefix" =
}
"server_side_encryption_configuration" = {
"rule" = {
"apply_server_side_encryption_by_default" = {
"kms_master_key_id" = "arn"
"sse_algorithm" = "aws:kms"
}
"bucket_key_enabled" =
}
}
"tags" =
"timeouts" =
"versioning" = {
"enabled" = true
"mfa_delete" = false
}
}
"after_unknown" = {
"acceleration_status" = true
"acl" = true
"arn" = true
"bucket_domain_name" = true
"bucket_prefix" = true
"bucket_regional_domain_name" = true
"cors_rule" = true
"grant" = true
"hosted_zone_id" = true
"id" = true
"lifecycle_rule" = true
"logging" = {}
"object_lock_configuration" = true
"object_lock_enabled" = true
"policy" = true
"region" = true
"replication_configuration" = true
"request_payer" = true
"server_side_encryption_configuration" = {
"rule" = {
"apply_server_side_encryption_by_default" = {}
}
}
"tags_all" = true
"versioning" = {}
"website" = true
"website_domain" = true
"website_endpoint" = true
}
"before_sensitive" = false
"after_sensitive" = {
"cors_rule" = []
"grant" = []
"lifecycle_rule" = []
"logging" = {}
"object_lock_configuration" = []
"replication_configuration" = []
"server_side_encryption_configuration" = {
"rule" = {
"apply_server_side_encryption_by_default" = {}
}
}
"tags_all" = {}
"versioning" = {}
"website" = []
}
}
}
"resource_changes" = {
"address" = "aws_s3_bucket_public_access_block.good_example"
"mode" = "managed"
"type" = "aws_s3_bucket_public_access_block"
"name" = "good_example"
"provider_name" = "registry.terraform.io/hashicorp/aws"
"change" = {
"actions" = ["create"]
"before" =
"after" = {
"block_public_acls" = true
"block_public_policy" = true
"ignore_public_acls" = true
"restrict_public_buckets" = true
}
"after_unknown" = {
"bucket" = true
"id" = true
}
"before_sensitive" = false
"after_sensitive" = {}
}
}
"configuration" "provider_config" "aws" {
"name" = "aws"
"full_name" = "registry.terraform.io/hashicorp/aws"
"expressions" "region" {
"constant_value" = "eu-central-1"
}
}
"configuration" "root_module" {
"resources" = {
"address" = "aws_athena_database.example"
"mode" = "managed"
"type" = "aws_athena_database"
"name" = "example"
"provider_config_key" = "aws"
"expressions" = {
"bucket" = {
"references" = ["aws_s3_bucket.example.id", "aws_s3_bucket.example"]
}
"encryption_configuration" "encryption_option" {
"constant_value" = "SSE_KMS"
}
"encryption_configuration" "kms_key" {
"references" = ["aws_kms_key.example.arn", "aws_kms_key.example"]
}
"name" = {
"constant_value" = "database_name"
}
}
"schema_version" = 0
}
"resources" = {
"address" = "aws_kms_key.example"
"mode" = "managed"
"type" = "aws_kms_key"
"name" = "example"
"provider_config_key" = "aws"
"expressions" "deletion_window_in_days" {
"constant_value" = 10
}
"expressions" "description" {
"constant_value" = "KMS key 1"
}
"expressions" "enable_key_rotation" {
"constant_value" = true
}
"schema_version" = 0
}
"resources" = {
"address" = "aws_s3_bucket.example"
"mode" = "managed"
"type" = "aws_s3_bucket"
"name" = "example"
"provider_config_key" = "aws"
"expressions" = {
"bucket" = {
"constant_value" = "example"
}
"logging" "target_bucket" {
"constant_value" = "target-bucket"
}
"server_side_encryption_configuration" = {
"rule" = {
"apply_server_side_encryption_by_default" "kms_master_key_id" {
"constant_value" = "arn"
}
"apply_server_side_encryption_by_default" "sse_algorithm" {
"constant_value" = "aws:kms"
}
}
}
"versioning" "enabled" {
"constant_value" = true
}
}
"schema_version" = 0
}
"resources" = {
"address" = "aws_s3_bucket_public_access_block.good_example"
"mode" = "managed"
"type" = "aws_s3_bucket_public_access_block"
"name" = "good_example"
"provider_config_key" = "aws"
"expressions" "block_public_acls" {
"constant_value" = true
}
"expressions" "block_public_policy" {
"constant_value" = true
}
"expressions" "bucket" {
"references" = ["aws_s3_bucket.example.id", "aws_s3_bucket.example"]
}
"expressions" "ignore_public_acls" {
"constant_value" = true
}
"expressions" "restrict_public_buckets" {
"constant_value" = true
}
"schema_version" = 0
}
}
"relevant_attributes" = {
"resource" = "aws_s3_bucket.example"
"attribute" = ["id"]
}
"relevant_attributes" = {
"resource" = "aws_kms_key.example"
"attribute" = ["arn"]
}
"timestamp" = "2024-01-20T05:16:16Z"The above |
Beta Was this translation helpful? Give feedback.
-
will this require new binary dependencies at runtime? (terraform, json2hcl) |
Beta Was this translation helpful? Give feedback.
-
|
We are still investing. Sometimes generating HCL from Terraform Plan isn't functionally correct (or is an older HCL v1). |
Beta Was this translation helpful? Give feedback.
-
|
As explained here we have found a way to solve this problem, without deprecating the support for terraform plan. |
Beta Was this translation helpful? Give feedback.
0 replies
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
This is a breaking change.
Description
As highlighted in the issue, we will be dropping support for the timebeing for terraform plan scanning that's passed in via JSON.
Motivation
We've run into several occasions (see linked issues below) where we incorrectly flag (false positive) misconfigurations in Terraform scanning when the input is the Terraform plan in JSON. This issue takes place as we're unable to parse nested blocks and attributes past the first stage as currently there's no way to "walk" the JSON input. See the more on this hashicorp/hcl#543
In other words, we currently are unable to parse any nested attributes that are actually defined within a Terraform Plan in JSON input.
Action items
Drop support for Terraform JSON until we have a proper way to walk the input. Flagging false positives creates misinformation.
Timeline
As for the timeline, we will commence this change in version v0.50.0 of Trivy at this time. That's roughly 2 months from the time of posting this discussion.
We welcome any questions that you may have on this. Please share your feedback, questions, concerns or suggestions regarding this change. We're open to hearing from you all and we apologize for the inconvenience that this may cause.
Affected issues
#5080
#5894
#5081
#5099
References
Beta Was this translation helpful? Give feedback.
All reactions