fix(tfplan): When attribute isn't found it should raise ProviderError (#267)

refeed · web-flow · commit 785d7603ec76 · 2025-11-15T08:41:22.000+07:00
Closes #266
diff --git a/src/tirith/providers/terraform_plan/handler.py b/src/tirith/providers/terraform_plan/handler.py
@@ -112,9 +112,15 @@ def provide(provider_inputs, input_data):
                             for evaluated_output in evaluated_outputs:
                                 outputs.append({"value": evaluated_output, "meta": resource_change, "err": None})
 
-                    # If we didn't find the attribute in this resource, add a None value so it still gets evaluated
+                    # If we didn't find the attribute in this resource, raise the ProviderError so that the value
+                    # still gets evaluated
                     if not local_is_found_attribute:
-                        outputs.append({"value": None, "meta": resource_change, "err": None})
+                        outputs.append(
+                            {
+                                "value": ProviderError(severity_value=2),
+                                "err": f"attribute: '{attribute}' is not found",
+                            }
+                        )
                 else:
                     outputs.append(
                         {
diff --git a/tests/providers/terraform_plan/fixtures/policy_star_restype_should_skip.json b/tests/providers/terraform_plan/fixtures/policy_star_restype_should_skip.json
@@ -0,0 +1,23 @@
+{
+    "evaluators": [
+        {
+            "id": "eval-id-1",
+            "description": "",
+            "provider_args": {
+                "operation_type": "attribute",
+                "terraform_resource_attribute": "shouldnt_exist",
+                "terraform_resource_type": "*"
+            },
+            "condition": {
+                "type": "Equals",
+                "value": 10,
+                "error_tolerance": 2
+            }
+        }
+    ],
+    "meta": {
+        "required_provider": "stackguardian/terraform_plan",
+        "version": "v1"
+    },
+    "eval_expression": "eval-id-1"
+}
diff --git a/tests/providers/terraform_plan/test_dot_star_attr.py b/tests/providers/terraform_plan/test_dot_star_attr.py
@@ -116,3 +116,24 @@ def test_multiple_resource_tag_check_all_resources_have_tag():
     assert result["final_result"] is True
     all_passed = all(item.get("passed") is True for item in result["evaluators"][0]["result"])
     assert all_passed, "All resource evaluations should pass when all have the required tag"
+
+
+def test_star_with_not_found_attribute_should_raise_providererror():
+    input_data = load_json_from_fixtures("input_costcenter_tags.json")
+    policy = load_json_from_fixtures("policy_star_restype_should_skip.json")
+
+    result = start_policy_evaluation_from_dict(policy, input_data)
+
+    # The policy tries to access 'shouldnt_exist' attribute on all resources (*)
+    # Since this attribute doesn't exist, it should return ProviderError
+    # With error_tolerance=2, errors with severity <= 2 should be skipped
+
+    # Check that we have results for multiple resources
+    assert len(result["evaluators"][0]["result"]) == 3
+
+    # All results should have ProviderError values (skipped due to error tolerance)
+    for item in result["evaluators"][0]["result"]:
+        # With error_tolerance=2, provider errors should be skipped (passed=None)
+        assert item.get("passed") is None
+        # The message should indicate the attribute was not found
+        assert "shouldnt_exist" in item.get("message", "")
