Skip to content

feat(terraform): support nested HCL identifier parsing by grouping variable paths and preserving relative subpaths#7428

Merged
cx-artur-ribeiro merged 16 commits intomasterfrom
AST-65917-fix-terraform-parser
Apr 14, 2025
Merged

feat(terraform): support nested HCL identifier parsing by grouping variable paths and preserving relative subpaths#7428
cx-artur-ribeiro merged 16 commits intomasterfrom
AST-65917-fix-terraform-parser

Conversation

@cx-artur-ribeiro
Copy link
Copy Markdown
Contributor

@cx-artur-ribeiro cx-artur-ribeiro commented Apr 4, 2025
edited
Loading

Reason for Proposed Changes

  • We identified a problem with our Terraform parser due to a false positive (FP) result on the query S3 Bucket Policy Accepts HTTP Requests, Specifically, the issue stemmed from how the parser handled variable resolution for resources like aws_cloudfront_origin_access_identity.
    In the added unit test negative8.tf,we encountered an issue where the variable identifier referencing the resource aws_cloudfront_origin_access_identity caused the parser to throw an error during variable resolution:

image

The parser couldn't resolve the policy on the payload, leading to the detection of a false positive:

image

Proposed Changes

  • Manually add the missing variable to the inputVariableMap and ensure the nested path map is built correctly with the resource identifier;
  • Note that when Terraform evaluates something like:
    identifiers = [aws_cloudfront_origin_access_identity.support_site_origin_access_identity.iam_arn]
    It expects an actual object with nested fields, not a string like:
    "aws_cloudfront_origin_access_identity.support_site_origin_access_identity.iam_arn"
    Otherwise, we get the "Unsupported attribute" error. Thats why the root path is removed in this case, as we can see on line 319:
image

Related Issues

I submit this contribution under the Apache-2.0 license.

@cx-artur-ribeiro cx-artur-ribeiro self-assigned this Apr 4, 2025
@github-actions github-actions bot added feature New feature terraform Terraform query labels Apr 4, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 4, 2025

kics-logo

KICS version: v2.1.6

Category Results
CRITICAL CRITICAL 0
HIGH HIGH 0
MEDIUM MEDIUM 0
LOW LOW 0
INFO INFO 0
TRACE TRACE 0
TOTAL TOTAL 0
Metric Values
Files scanned placeholder 1
Files parsed placeholder 1
Files failed to scan placeholder 0
Total executed queries placeholder 47
Queries failed to execute placeholder 0
Execution time placeholder 0

@github-actions github-actions bot added query New query feature aws PR related with AWS Cloud labels Apr 7, 2025
@cx-artur-ribeiro cx-artur-ribeiro marked this pull request as ready for review April 7, 2025 16:03
@cx-artur-ribeiro cx-artur-ribeiro requested a review from a team as a code owner April 7, 2025 16:03
cx-rui-araujo
cx-rui-araujo reviewed Apr 10, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@cx-rui-araujo cx-rui-araujo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@cx-artur-ribeiro please check my comment

cx-miguel-dasilva
cx-miguel-dasilva approved these changes Apr 14, 2025
View reviewed changes
Copy link
Copy Markdown
Collaborator

@cx-miguel-dasilva cx-miguel-dasilva left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM 🚀

@cx-artur-ribeiro cx-artur-ribeiro merged commit 59f46f7 into master Apr 14, 2025
27 checks passed
@cx-artur-ribeiro cx-artur-ribeiro deleted the AST-65917-fix-terraform-parser branch April 14, 2025 11:36
JonasCordsen pushed a commit to JonasCordsen/kics that referenced this pull request Jun 11, 2025
@cx-artur-ribeiro
feat(terraform): support nested HCL identifier parsing by grouping va…
905dc71 
…riable paths and preserving relative subpaths (Checkmarx#7428)

* Support nested HCL identifier parsing by grouping variable paths and preserving relative subpaths

* Add a new data_source test to cover the new functions defined
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-rui-araujo cx-rui-araujo cx-rui-araujo left review comments

@cx-miguel-dasilva cx-miguel-dasilva cx-miguel-dasilva approved these changes

Assignees

@cx-artur-ribeiro cx-artur-ribeiro

Labels

aws PR related with AWS Cloud feature New feature query New query feature terraform Terraform query

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cx-artur-ribeiro @cx-miguel-dasilva @cx-rui-araujo