begin work to parse modules and tf plans

Author: Emyrk

go.mod

@@ -4,7 +4,10 @@ go 1.23.5
 
 require (
 	github.com/aquasecurity/trivy v0.58.2
+	github.com/coder/serpent v0.10.0
 	github.com/hashicorp/hcl/v2 v2.23.0
+	github.com/hashicorp/terraform-json v0.24.0
+	github.com/jedib0t/go-pretty/v6 v6.6.5
 	github.com/stretchr/testify v1.10.0
 	github.com/zclconf/go-cty v1.16.2
 )
@@ -34,7 +37,6 @@ require (
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cncf/xds/go v0.0.0-20240905190251-b4127c9b8d78 // indirect
 	github.com/coder/pretty v0.0.0-20230908205945-e89ba86370e0 // indirect
-	github.com/coder/serpent v0.10.0 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
@@ -54,9 +56,9 @@ require (
 	github.com/hashicorp/go-safetemp v1.0.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/jedib0t/go-pretty/v6 v6.6.5 // indirect
 	github.com/jmespath/go-jmespath v0.4.1-0.20220621161143-b0104c826a24 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/liamg/memoryfs v1.6.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect

go.sum

@@ -686,6 +686,8 @@ github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XL
 github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/charmbracelet/lipgloss v0.8.0 h1:IS00fk4XAHcf8uZKc3eHeMUTCxUH6NkaTrdyCQk84RU=
+github.com/charmbracelet/lipgloss v0.8.0/go.mod h1:p4eYUZZJ/0oXTuCQKFF8mqyKCz0ja6y+7DniDDw5KKU=
 github.com/cheggaaa/pb v1.0.27/go.mod h1:pQciLPpbU0oxA0h+VJYYLxO+XeDQb5pZijXscXHm81s=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
@@ -934,6 +936,8 @@ github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
 github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
+github.com/hashicorp/terraform-json v0.24.0 h1:rUiyF+x1kYawXeRth6fKFm/MdfBS6+lW4NbeATsYz8Q=
+github.com/hashicorp/terraform-json v0.24.0/go.mod h1:Nfj5ubo9xbu9uiAoZVBsNOjvNKB66Oyrvtit74kC7ow=
 github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
@@ -1014,8 +1018,12 @@ github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0=
 github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y=
 github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
 github.com/morikuni/aec v1.0.0/go.mod h1:BbKIizmSmc5MMPqRYbxO4ZU0S0+P200+tUnFx7PXmsc=
+github.com/muesli/reflow v0.3.0 h1:IFsN6K9NfGtjeggFP+68I4chLZV2yIKsXJFNZ+eWh6s=
+github.com/muesli/reflow v0.3.0/go.mod h1:pbwTDkVPibjO2kyvBQRBxTWEEGDGq0FlB1BIKtnHY/8=
 github.com/muesli/termenv v0.15.2 h1:GohcuySI0QmI3wN8Ok9PtKGkgkFIk7y6Vpb5PvrY+Wo=
 github.com/muesli/termenv v0.15.2/go.mod h1:Epx+iuz8sNs7mNKhxzH4fWXGNpZwUaJKRS1noLXviQ8=
+github.com/natefinch/atomic v1.0.1 h1:ZPYKxkqQOx3KZ+RsbnP/YsgvxWQPGxjC0oBt2AhwV0A=
+github.com/natefinch/atomic v1.0.1/go.mod h1:N/D/ELrljoqDyT3rZrsUmtsuzvHkeB/wWjHV22AZRbM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=

mark.go

@@ -5,16 +5,6 @@ import (
 	"github.com/zclconf/go-cty/cty"
 )
 
-const (
-	diagnosticsMark = "diagnostics"
-)
-
 func markWithDiagnostic(v cty.Value, diag hcl.Diagnostics) cty.Value {
 	return v.Mark(diag)
 }
-
-func valueDiagnostic(v cty.Value) hcl.Diagnostics {
-	x := v.Marks()
-	var _ = x
-	return nil
-}

hook.go renamed to paramhook.go

@@ -50,10 +50,6 @@ func ParameterContextsEvalHook(input Input) func(ctx *tfcontext.Context, blocks
 }
 
 func evaluateCoderParameterDefault(b *terraform.Block) (cty.Value, hcl.Diagnostics) {
-	//if b.Label() == "" {
-	//	return cty.NilVal,  errors.New("empty label - cannot resolve")
-	//}
-
 	attributes := b.Attributes()
 	var valType cty.Type
 	var defaults *typeexpr.Defaults

plan.go

@@ -0,0 +1,63 @@
+package preview
+
+import (
+	"encoding/json"
+	"fmt"
+	"io"
+	"io/fs"
+
+	"github.com/aquasecurity/trivy/pkg/iac/scanners/terraformplan/tfjson/parser"
+	"github.com/aquasecurity/trivy/pkg/iac/terraform"
+	tfcontext "github.com/aquasecurity/trivy/pkg/iac/terraform/context"
+	tfjson "github.com/hashicorp/terraform-json"
+	"github.com/zclconf/go-cty/cty"
+)
+
+func PlanJSONHook(dfs fs.FS, input Input) (func(ctx *tfcontext.Context, blocks terraform.Blocks, inputVars map[string]cty.Value), error) {
+	if input.PlanJSONPath == "" {
+		return func(ctx *tfcontext.Context, blocks terraform.Blocks, inputVars map[string]cty.Value) {}, nil
+	}
+	file, err := dfs.Open(input.PlanJSONPath)
+	if err != nil {
+		return nil, fmt.Errorf("unable to open plan JSON file: %w", err)
+	}
+
+	plan, err := ParsePlanJSON(file)
+	if err != nil {
+		return nil, fmt.Errorf("unable to parse plan JSON: %w", err)
+	}
+
+	//plan.PriorState
+
+	var _ = plan
+	return func(ctx *tfcontext.Context, blocks terraform.Blocks, inputVars map[string]cty.Value) {
+		// 'data' blocks are loaded into prior state
+		//plan.PriorState.Values.RootModule.Resources
+
+	}, nil
+}
+
+func extract(parents []string, mod *tfjson.StateModule) {
+
+}
+
+// ParsePlanJSON can parse the JSON output of a Terraform plan.
+// terraform plan out.plan
+// terraform show -json out.plan
+func ParsePlanJSON(reader io.Reader) (*tfjson.Plan, error) {
+	plan := new(tfjson.Plan)
+	return plan, json.NewDecoder(reader).Decode(plan)
+}
+
+// ParsePlanJSON can parse the JSON output of a Terraform plan.
+// terraform plan out.plan
+// terraform show -json out.plan
+func TrivyParsePlanJSON(reader io.Reader) (*tfjson.Plan, error) {
+	p := parser.New()
+	plan, err := p.Parse(reader)
+	var _ = plan
+
+	plan.ToFS()
+
+	return nil, err
+}

preview.go

@@ -13,6 +13,7 @@ import (
 )
 
 type Input struct {
+	PlanJSONPath    string
 	ParameterValues map[string]types.ParameterValue
 }
 
@@ -28,12 +29,23 @@ func Preview(ctx context.Context, input Input, dir fs.FS) (*Output, hcl.Diagnost
 		return nil, nil
 	}
 
-	hook := ParameterContextsEvalHook(input)
+	planHook, err := PlanJSONHook(dir, input)
+	if err != nil {
+		return nil, hcl.Diagnostics{
+			{
+				Severity: hcl.DiagError,
+				Summary:  "Parsing plan JSON",
+				Detail:   err.Error(),
+			},
+		}
+	}
 	// moduleSource is "" for a local module
 	p := parser.New(dir, "",
 		parser.OptionWithDownloads(false),
 		parser.OptionWithTFVarsPaths(varFiles...),
-		parser.OptionWithEvalHook(hook),
+		parser.OptionWithEvalHook(planHook),
+		parser.OptionWithEvalHook(ParameterContextsEvalHook(input)),
+		parser.OptionWithSkipCachedModules(true),
 	)
 
 	err = p.ParseFS(ctx, ".")

preview_test.go

@@ -2,9 +2,8 @@ package preview_test
 
 import (
 	"context"
-	"embed"
 	"fmt"
-	"io/fs"
+	"os"
 	"path/filepath"
 	"testing"
 
@@ -16,16 +15,12 @@ import (
 	"github.com/coder/preview/types"
 )
 
-//go:embed testdata
-var testdata embed.FS
-
 func Test_Extract(t *testing.T) {
 	t.Parallel()
 
 	for _, tc := range []struct {
 		name        string
 		dir         string
-		showJSON    string
 		failPreview bool
 		input       preview.Input
 
@@ -122,21 +117,33 @@ func Test_Extract(t *testing.T) {
 			expUnknowns: []string{
 				"foo", "bar",
 			},
+
 			input:  preview.Input{},
 			params: map[string]func(t *testing.T, parameter types.Parameter){},
 		},
 		{
-			name:     "external docker resource with plan data",
-			dir:      "dockerdata",
-			showJSON: "show.json",
+			name: "external docker resource with plan data",
+			dir:  "dockerdata",
 			expTags: map[string]string{
 				"qux": "quux",
 				"foo": "ubuntu@sha256:80dd3c3b9c6cecb9f1667e9290b3bc61b78c2678c02cbdae5f0fea92cc6734ab",
 				"bar": "centos@sha256:a27fd8080b517143cbbbab9dfb7c8571c40d67d534bbdee55bd6c473f432b177",
 			},
 			expUnknowns: []string{},
-			input:       preview.Input{},
-			params:      map[string]func(t *testing.T, parameter types.Parameter){},
+			input: preview.Input{
+				PlanJSONPath: "plan.json",
+			},
+			params: map[string]func(t *testing.T, parameter types.Parameter){},
+		},
+		{
+			name:        "external module with external data",
+			dir:         "module",
+			expTags:     map[string]string{},
+			expUnknowns: []string{},
+			input: preview.Input{
+				PlanJSONPath: "before.json",
+			},
+			params: map[string]func(t *testing.T, parameter types.Parameter){},
 		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
@@ -148,8 +155,9 @@ func Test_Extract(t *testing.T) {
 				tc.expTags = map[string]string{}
 			}
 
-			dirFs, err := fs.Sub(testdata, filepath.Join("testdata", tc.dir))
-			require.NoError(t, err)
+			dirFs := os.DirFS(filepath.Join("testdata", tc.dir))
+			//a, b := fs.ReadDir(dirFs, ".")
+			//fmt.Println(a, b)
 
 			output, diags := preview.Preview(context.Background(), tc.input, dirFs)
 			if tc.failPreview {

testdata/.gitignore

@@ -1,5 +1,4 @@
 */.terraform*
 */terraform.tfstate
 */terraform.tfstate.backup
-*/out.plan
-*/plan.json
+*/out.plan

testdata/dockerdata/main.tf

@@ -16,17 +16,13 @@ data "coder_workspace_tags" "custom_workspace_tags" {
   tags = {
     // If a value is required, you can do something like:
     // try(docker_image.ubuntu.repo_digest, "default-value")
-    "foo" = docker_image.ubuntu.repo_digest
+    "foo" = data.docker_registry_image.ubuntu.sha256_digest
     "bar" = docker_image.centos.repo_digest
     "qux" = "quux"
   }
 }
 
 # Pulls the image
-resource "docker_image" "ubuntu" {
-  name = "ubuntu:latest"
-}
-
 resource "docker_image" "centos" {
   name = "centos:latest"
 }

testdata/module/main.tf

@@ -3,6 +3,10 @@ terraform {
     coder = {
       source = "coder/coder"
     }
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "3.0.2"
+    }
   }
 }
 
@@ -19,7 +23,19 @@ module "jetbrains_gateway" {
 
 data "coder_workspace" "me" {}
 resource "coder_agent" "main" {
-
   arch = "amd64"
   os   = "linux"
+}
+
+
+data "coder_workspace_tags" "custom_workspace_tags" {
+  tags = {
+    "foo" = data.docker_registry_image.ubuntu.sha256_digest
+  }
+}
+
+
+data "docker_registry_image" "ubuntu" {
+  name = "ubuntu:precise"
+  // sha256_digest
 }