Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(terraform): pass module outputs to other modules #6300

Closed
wants to merge 3 commits into from
Closed

fix(terraform): pass module outputs to other modules #6300

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
cff98b9
fix(terraform): pass module outputs to other modules
nikpivkin Mar 11, 2024
86c5249
Merge branch 'main' into tf-modules-ctx
nikpivkin Mar 19, 2024
0a7a256
sort module definitions
nikpivkin Mar 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 11 additions & 1 deletion pkg/iac/scanners/terraform/parser/evaluator.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,13 +54,16 @@ func newEvaluator(
logger debug.Logger,
allowDownloads bool,
skipCachedModules bool,
moduleVariables cty.Value,
) *evaluator {

// create a context to store variables and make functions available
ctx := tfcontext.NewContext(&hcl.EvalContext{
Functions: Functions(target, modulePath),
}, nil)

ctx.Set(moduleVariables, "module")

// these variables are made available by terraform to each module
ctx.SetByDot(cty.StringVal(workspace), "terraform.workspace")
ctx.SetByDot(cty.StringVal(projectRootPath), "path.root")
Expand Down Expand Up @@ -156,8 +159,15 @@ func (e *evaluator) EvaluateAll(ctx context.Context) (terraform.Modules, map[str
parseDuration += time.Since(start)

e.debug.Log("Starting submodule evaluation...")

moduleDefinitions, err := sortModuleDefinitions(e.loadModules(ctx))
if err != nil {
e.debug.Log("Modules have a cyclic dependency, so some `count`, `for_each` and `dynamic` expressions may not be evaluated.")
}

var modules terraform.Modules
for _, definition := range e.loadModules(ctx) {
for _, definition := range moduleDefinitions {
definition.Parser.moduleVariables = e.ctx.Get("module")
submodules, outputs, err := definition.Parser.EvaluateAll(ctx)
if err != nil {
e.debug.Log("Failed to evaluate submodule '%s': %s.", definition.Name, err)
Expand Down
103 changes: 103 additions & 0 deletions pkg/iac/scanners/terraform/parser/load_module.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,11 +2,13 @@ package parser

import (
"context"
"errors"
"fmt"
"io/fs"
"path"
"strings"

"github.com/samber/lo"
"github.com/zclconf/go-cty/cty"

"github.com/aquasecurity/trivy/pkg/iac/scanners/terraform/parser/resolvers"
Expand Down Expand Up @@ -153,3 +155,104 @@ func (e *evaluator) loadExternalModule(ctx context.Context, b *terraform.Block,
External: true,
}, nil
}

func sortModuleDefinitions(modules []*ModuleDefinition) ([]*ModuleDefinition, error) {
graph := buildModuleDefinitionsGraph(modules)

if graph.hasCycle() {
return modules, errors.New("graph is cyclical")
}

sortedDefNames := graph.sort()

defsMap := lo.SliceToMap(modules, func(definition *ModuleDefinition) (string, *ModuleDefinition) {
return definition.Name, definition
})

return lo.FilterMap(sortedDefNames, func(defName string, _ int) (*ModuleDefinition, bool) {
val, exists := defsMap[defName]
return val, exists
}), nil
}

type moduleDefinitionsGraph map[string][]string

func buildModuleDefinitionsGraph(modules []*ModuleDefinition) moduleDefinitionsGraph {
graph := lo.SliceToMap(modules, func(definition *ModuleDefinition) (string, []string) {
return definition.Name, nil
})

for _, def := range modules {
for _, ref := range def.Definition.AllReferences() {
if ref.BlockType() != terraform.TypeModule {
continue
}

referencedModule := ref.TypeLabel()
if referencedModule != "" {
graph[def.Name] = append(graph[def.Name], referencedModule)
}
}
}

return graph
}

func (g moduleDefinitionsGraph) hasCycle() bool {
visited := make(map[string]bool)
recStack := make(map[string]bool)

var dfs func(string) bool
dfs = func(node string) bool {
visited[node] = true
recStack[node] = true

for _, neighbor := range g[node] {
if visited[neighbor] && recStack[neighbor] {
return true
}
if !visited[neighbor] && dfs(neighbor) {
return true
}
}

recStack[node] = false
return false
}

for node := range g {
if dfs(node) {
return true
}
}

return false
}

func (g moduleDefinitionsGraph) sort() []string {
var (
visited = make(map[string]bool)
stack = make([]string, 0, len(g))
dfs func(n string)
)

dfs = func(n string) {
if visited[n] {
return
}

visited[n] = true

for _, neighbor := range g[n] {
dfs(neighbor)
}

stack = append(stack, n)
}

for node := range g {
dfs(node)
}

return stack
}
2 changes: 2 additions & 0 deletions pkg/iac/scanners/terraform/parser/parser.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,6 +64,7 @@ type Parser struct {
fsMap map[string]fs.FS
skipRequired bool
configsFS fs.FS
moduleVariables cty.Value
}

func (p *Parser) SetDebugWriter(writer io.Writer) {
Expand Down Expand Up @@ -310,6 +311,7 @@ func (p *Parser) EvaluateAll(ctx context.Context) (terraform.Modules, cty.Value,
p.debug.Extend("evaluator"),
p.allowDownloads,
p.skipCachedModules,
p.moduleVariables,
)
modules, fsMap, parseDuration := evaluator.EvaluateAll(ctx)
p.metrics.Counts.Modules = len(modules)
Expand Down
70 changes: 70 additions & 0 deletions pkg/iac/scanners/terraform/parser/parser_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1497,6 +1497,76 @@ resource "test_block" "this" {
})
}

func TestModuleRefersToOutputOfAnotherModule(t *testing.T) {
files := map[string]string{
"main.tf": `
module "module2" {
source = "./modules/foo"
}

module "module1" {
source = "./modules/bar"
test_var = module.module2.test_out
}
`,
"modules/foo/main.tf": `
output "test_out" {
value = "test_value"
}
`,
"modules/bar/main.tf": `
variable "test_var" {}

resource "test_resource" "this" {
dynamic "dynamic_block" {
for_each = [var.test_var]
content {
some_attr = dynamic_block.value
}
}
}
`,
}

modules := parse(t, files)
require.Len(t, modules, 3)

resources := modules.GetResourcesByType("test_resource")
require.Len(t, resources, 1)

attr, _ := resources[0].GetNestedAttribute("dynamic_block.some_attr")
require.NotNil(t, attr)

assert.Equal(t, "test_value", attr.GetRawValue())
}

func TestModuleRefersToModuleThatDoesNotExist(t *testing.T) {
files := map[string]string{
"main.tf": `
module "module2" {
source = "./modules/foo"
}

module "module1" {
source = "./modules/bar"
test_var = module.module22.test_out
}
`,
"modules/foo/main.tf": `
output "test_out" {
value = "test_value"
}
`,
"modules/bar/main.tf": `
variable "test_var" {}

resource "test_resource" "this" {}
`,
}

parse(t, files)
}

func parse(t *testing.T, files map[string]string) terraform.Modules {
fs := testutil.CreateFS(t, files)
parser := New(fs, "", OptionStopOnHCLError(true))
Expand Down
9 changes: 9 additions & 0 deletions pkg/iac/terraform/block.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,15 @@ type Block struct {
reference Reference
}

func (b Block) AllReferences() []*Reference {
var references []*Reference
for _, attr := range b.attributes {
references = append(references, attr.AllReferences()...)
}

return references
}

func NewBlock(hclBlock *hcl.Block, ctx *context.Context, moduleBlock *Block, parentBlock *Block, moduleSource string,
moduleFS fs.FS, index ...cty.Value) *Block {
if ctx == nil {
Expand Down