Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

change inputs back to string from list(string) #27

Closed
wants to merge 3 commits into from
Closed

change inputs back to string from list(string) #27

wants to merge 3 commits into from

Conversation

mcalhoun
Copy link
Member

what

  • Change the optional inputs of the module to be string rather than list(string)

bridgecrew[bot]
bridgecrew bot reviewed Nov 17, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bridgecrew has found infrastructure configuration errors in this PR ⬇️

main.tf
@@ -82,7 +82,7 @@ resource "aws_security_group" "cbd" {
# Because we have 2 almost identical alternatives, use x == false and x == true rather than x and !x
count = local.create_security_group && var.create_before_destroy == true ? 1 : 0

name_prefix = concat(var.security_group_name, ["${module.this.id}${module.this.delimiter}"])[0]
name_prefix = concat(var.security_group_name[*], ["${module.this.id}${module.this.delimiter}"])[0]
Copy link

@bridgecrew bridgecrew bot Nov 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.cbd | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = "aws_subnet.public_a.id"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami           = "data.aws_ami.ubuntu.id"
  instance_type = "t3.micro"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = 0.0.0.0/0
  }
}

Description

A check to ensure that orphaned Security groups aren't created. Elastic Network Interfaces (ENIs). This checks that Security Groups are attached to provisioning resources.

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_security_group_rule.keyed depends_on

main.tf
@@ -25,15 +25,15 @@ resource "aws_security_group" "default" {
# Because we have 2 almost identical alternatives, use x == false and x == true rather than x and !x
count = local.create_security_group && var.create_before_destroy == false ? 1 : 0

name = concat(var.security_group_name, [module.this.id])[0]
name = concat(var.security_group_name[*], [module.this.id])[0]
Copy link

@bridgecrew bridgecrew bot Nov 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.default | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = "aws_subnet.public_a.id"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami           = "data.aws_ami.ubuntu.id"
  instance_type = "t3.micro"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = 0.0.0.0/0
  }
}

Description

A check to ensure that orphaned Security groups aren't created. Elastic Network Interfaces (ENIs). This checks that Security Groups are attached to provisioning resources.

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_security_group_rule.keyed depends_on

bridgecrew[bot]
bridgecrew bot reviewed Nov 17, 2021
View reviewed changes
main.tf
@@ -82,7 +82,7 @@ resource "aws_security_group" "cbd" {
# Because we have 2 almost identical alternatives, use x == false and x == true rather than x and !x
count = local.create_security_group && var.create_before_destroy == true ? 1 : 0

name_prefix = concat(var.security_group_name, ["${module.this.id}${module.this.delimiter}"])[0]
name_prefix = concat(var.security_group_name[*], ["${module.this.id}${module.this.delimiter}"])[0]
Copy link

@bridgecrew bridgecrew bot Nov 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.cbd | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = "aws_subnet.public_a.id"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami           = "data.aws_ami.ubuntu.id"
  instance_type = "t3.micro"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = 0.0.0.0/0
  }
}

Description

A check to ensure that orphaned Security groups aren't created. Elastic Network Interfaces (ENIs). This checks that Security Groups are attached to provisioning resources.

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_security_group_rule.keyed depends_on

bridgecrew[bot]
bridgecrew bot reviewed Nov 17, 2021
View reviewed changes
main.tf
@@ -25,15 +25,15 @@ resource "aws_security_group" "default" {
# Because we have 2 almost identical alternatives, use x == false and x == true rather than x and !x
count = local.create_security_group && var.create_before_destroy == false ? 1 : 0

name = concat(var.security_group_name, [module.this.id])[0]
name = concat(var.security_group_name[*], [module.this.id])[0]
Copy link

@bridgecrew bridgecrew bot Nov 17, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.default | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = "aws_subnet.public_a.id"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami           = "data.aws_ami.ubuntu.id"
  instance_type = "t3.micro"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = 0.0.0.0/0
  }
}

Description

A check to ensure that orphaned Security groups aren't created. Elastic Network Interfaces (ENIs). This checks that Security Groups are attached to provisioning resources.

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_security_group_rule.keyed depends_on

bridgecrew[bot]
bridgecrew bot reviewed Nov 17, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️   Due to 116c41d - Auto Format - 2 new errors were added

Change details

Error ID Change Path Resource
BC_AWS_NETWORKING_51 Added /main.tf aws_security_group.cbd
BC_AWS_NETWORKING_51 Added /main.tf aws_security_group.default

@Nuru
Copy link
Contributor

Nuru commented Nov 17, 2021

/test bats

@Nuru
Copy link
Contributor

Nuru commented Nov 17, 2021

/test readme terratest

bridgecrew[bot]
bridgecrew bot reviewed Nov 18, 2021
View reviewed changes
main.tf
@@ -25,15 +25,15 @@ resource "aws_security_group" "default" {
# Because we have 2 almost identical alternatives, use x == false and x == true rather than x and !x
count = local.create_security_group && var.create_before_destroy == false ? 1 : 0

name = concat(var.security_group_name, [module.this.id])[0]
name = concat(var.security_group_name[*], [module.this.id])[0]
Copy link

@bridgecrew bridgecrew bot Nov 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.default | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = "aws_subnet.public_a.id"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami           = "data.aws_ami.ubuntu.id"
  instance_type = "t3.micro"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = 0.0.0.0/0
  }
}

Description

A check to ensure that orphaned Security groups aren't created. Elastic Network Interfaces (ENIs). This checks that Security Groups are attached to provisioning resources.

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_security_group_rule.keyed depends_on

bridgecrew[bot]
bridgecrew bot reviewed Nov 18, 2021
View reviewed changes
main.tf
@@ -82,7 +82,7 @@ resource "aws_security_group" "cbd" {
# Because we have 2 almost identical alternatives, use x == false and x == true rather than x and !x
count = local.create_security_group && var.create_before_destroy == true ? 1 : 0

name_prefix = concat(var.security_group_name, ["${module.this.id}${module.this.delimiter}"])[0]
name_prefix = concat(var.security_group_name[*], ["${module.this.id}${module.this.delimiter}"])[0]
Copy link

@bridgecrew bridgecrew bot Nov 18, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LOW   Ensure Security Groups are attached to EC2 instances or ENIs
    Resource: aws_security_group.cbd | ID: BC_AWS_NETWORKING_51

How to Fix

resource "aws_network_interface" "test" {
  subnet_id       = "aws_subnet.public_a.id"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_instance" "test" {
  ami           = "data.aws_ami.ubuntu.id"
  instance_type = "t3.micro"
  security_groups = [aws_security_group.ok_sg.id]
}

resource "aws_security_group" "ok_sg" {
  ingress {
    description = "TLS from VPC"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = 0.0.0.0/0
  }
}

Description

A check to ensure that orphaned Security groups aren't created. Elastic Network Interfaces (ENIs). This checks that Security Groups are attached to provisioning resources.

Dependent Resources



Path Resource Connecting Attribute
/main.tf aws_security_group_rule.keyed depends_on

bridgecrew[bot]
bridgecrew bot reviewed Nov 18, 2021
View reviewed changes
Copy link

@bridgecrew bridgecrew bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️   Due to 41c2d8b - Update test to illustrate Terraform issue 29973 - 2 new errors were added

Change details

Error ID Change Path Resource
BC_AWS_NETWORKING_51 Added /main.tf aws_security_group.cbd
BC_AWS_NETWORKING_51 Added /main.tf aws_security_group.default

@Nuru Nuru added do not merge Do not merge this PR, doing so would cause problems invalid This doesn't seem right labels Nov 18, 2021
@Nuru
Copy link
Contributor

Nuru commented Nov 18, 2021

@mcalhoun While these changes do avoid the "count" value depends on resource attributes that cannot be determined until apply... error, it looks like they do that by exploiting a bug in Terraform. See hashicorp/terraform#29973

I updated the test to surface the error. The first apply fails, although a second apply will succeed. I don't want to recreate cloudposse/terraform-aws-elasticache-redis#121

@Nuru
Copy link
Contributor

Nuru commented Nov 18, 2021

/test all

@mcalhoun
Copy link
Member Author

@mcalhoun While these changes do avoid the "count" value depends on resource attributes that cannot be determined until apply... error, it looks like they do that by exploiting a bug in Terraform. See hashicorp/terraform#29973

I updated the test to surface the error. The first apply fails, although a second apply will succeed. I don't want to recreate cloudposse/terraform-aws-elasticache-redis#121

I see the problem and the issue you opened. I guess we can't use this method until the underlying bug is fixed. Should we ask Hashcorp on that issue what a workaround is instead of turning string into list(string)?

@Nuru
Copy link
Contributor

Nuru commented Nov 22, 2021
edited
Loading

@mcalhoun said:

I see the problem and the issue you opened. I guess we can't use this method until the underlying bug is fixed. Should we ask Hashcorp on that issue what a workaround is instead of turning string into list(string)?

Turning string into list(string) is Hashicorp's solution to the problem of detecting the presence of optional inputs when the values are unknown. When #29973 is fixed, I expect the fix will be that unknown[*] will throw the same error we get for count and for_each, not that it will magically work the way we want it to.

@Nuru
Copy link
Contributor

Nuru commented Dec 1, 2021

@mcalhoun Indeed, as I expected, hashicorp/terraform#29973 has been fixed by ensuring "unknown values upgraded to a collection via a splat expression result in a DynamicVal (unknown value of unknown type), because the resulting type may be a tuple with 0 or 1 elements."

@mergify
Copy link

mergify bot commented Dec 29, 2021

This pull request is now in conflict. Could you fix it @mcalhoun? 🙏

@mcalhoun mcalhoun closed this Mar 18, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bridgecrew bridgecrew[bot] bridgecrew[bot] left review comments

Assignees
No one assigned
Labels
do not merge Do not merge this PR, doing so would cause problems invalid This doesn't seem right
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mcalhoun @Nuru @cloudpossebot