stelligent/config-lint

Terraform 12 string interpolation within heredocs breaks entire doc

milldr opened this issue · 5 comments

If a heredoc for a policy or the like has string interpolation, it will resolve to null. Removing the variable will behave as expected.

When a policy has a string interpolation in it, config-lint always returns an OK.

Example:

resource "aws_sqs_queue_policy" "policy_version_set_incorrectly" {
  queue_url = aws_sqs_queue.test_queue.id

  policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sqs:SendMessage",
      "Resource": "${aws_sqs_queue.test_queue.arn}"
    }
  ]
}
EOF
}

resolves to:

  {
    "ID": "policy_version_set_incorrectly",
    "Type": "aws_sqs_queue_policy",
    "Category": "resource",
    "Properties": {
      "policy": null,
      "queue_url": "UNDEFINED"
    },
    "Filename": "testdata/builtin/terraform12/aws/sqs_queue_policy/policy_version.tf",
    "LineNumber": 25
  }

Change "Resource": "${aws_sqs_queue.test_queue.arn}" to "Resource": "#{aws_sqs_queue.test_queue.arn}" and now the resource (correctly) resolves to:

  {
    "ID": "policy_version_set_incorrectly",
    "Type": "aws_sqs_queue_policy",
    "Category": "resource",
    "Properties": {
      "policy": {
        "Statement": [
          {
            "Action": "sqs:SendMessage",
            "Effect": "Allow",
            "Resource": "#{aws_sqs_queue.test_queue.arn}"
          }
        ],
        "Version": "2008-10-17"
      },
      "queue_url": "UNDEFINED"
    },
    "Filename": "testdata/builtin/terraform12/aws/sqs_queue_policy/policy_version.tf",
    "LineNumber": 25
  }

Reopening this. The bug isn't resolved; instead we found a workaround for our use case. Will come back to this after higher-priority items.

For reference, the mentioned workaround is for #113.

I dug into this a little and found that variables that are determined after a deploy (like aws_sqs_queue.test_queue.arn) cause the entire JSON block to be "undefined"/nil.

Ideally we'd want these variables to resolve as "UNDEFINED", or, even better, the variable name could be kept in place so that it can be used for matching in rules.
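The behaviour asked for above (keep the reference name in the heredoc instead of collapsing the whole policy to null, and fail closed when the policy cannot be read), sketched as an added Go example that is not config-lint's own code. The `keepReferences`, `decodePolicy` and `policyVersionOK` names and the stdlib-only regexp approach are assumptions of this illustration; the sample policy body is the one from the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Constructed sample: the policy heredoc body from the issue report.
const samplePolicy = `{"Version": "2008-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sqs:SendMessage",
    "Resource": "${aws_sqs_queue.test_queue.arn}"}]}`

// A Terraform interpolation, with an optional extra "$" captured so the "$${"
// escape (a literal "${") is recognised. Nested braces are out of scope here.
var interpRe = regexp.MustCompile(`\$?\$\{[^}]*\}`)

// keepReferences (hypothetical, not config-lint's code) rewrites
// "${aws_sqs_queue.q.arn}" to "#{aws_sqs_queue.q.arn}", the marker the issue
// used as a workaround, so the reference name survives into the JSON.
func keepReferences(heredoc string) string {
	return interpRe.ReplaceAllStringFunc(heredoc, func(m string) string {
		if m[1] == '$' { // "$${": escaped literal, leave untouched
			return m
		}
		return "#{" + m[2:len(m)-1] + "}"
	})
}

// decodePolicy reports a JSON parse failure instead of quietly yielding nil,
// which is what let every policy check pass.
func decodePolicy(heredoc string) (map[string]interface{}, error) {
	var policy map[string]interface{}
	if err := json.Unmarshal([]byte(keepReferences(heredoc)), &policy); err != nil {
		return nil, fmt.Errorf("policy heredoc is not valid JSON: %w", err)
	}
	return policy, nil
}

// policyVersionOK is the kind of rule the fixture targets: the policy must be
// present and use the current IAM policy language version (2012-10-17).
// A missing (nil) policy fails closed rather than counting as OK.
func policyVersionOK(policy map[string]interface{}) bool {
	v, _ := policy["Version"].(string) // nil map lookup is safe and yields ""
	return v == "2012-10-17"
}
```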

If there is a string interpolation in the Resource definition, the test always returns an OK.

Found a customer rule that specifically checks whether a particular parameter contains a variable. So hopefully we can fix this such that it still sees the variable,