Comments (18)
Closed by accident!
from cli.
I think that, as it is a When step, if the resource does not have the property key, we should only filter it and skip, as we are doing in the pull request. But I agree that I'm doing two things in one When condition. We need to refactor it.
from cli.
Not exactly understand the issue here, do you want it to be a part of Examples?
The example scenarios are just some mere samples. There might be thousands of different use cases.
.. or am I missing something here and the scenario above is not working ? It looks good though
from cli.
Sorry, the issue is: I have a resource, and inside the resource tags, the tag X must have the value matching Y. Well, I don't think that we can achieve these conditions without creating new BDD steps.
I think we need to create a new When step: "its tags contains ".
from cli.
"its tags contains {key: ANY}"
or
"its {property:ANY} contains {key: ANY}"
from cli.
Thanks for the explanation and the PR! 👍
The scenarios should drill to get a value via resource -> property -> value.
For e.g.
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains tags
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
      Examples:
        | resource_name        | name_key |
        | aws_vpc              | Name     |
        | aws_route_table      | Name     |
        | aws_internet_gateway | Name     |
The idea of using WHEN here is, it doesn't raise any exceptions if the resource or property can not be found. Thus, if you have a terraform resource that doesn't have any tags assigned as a property to it, the step should skip and further steps should not run.
When we create a new step like ;
    WHEN it {property:ANY} contains {key:ANY}
then we are breaking this rule - which the test should not FAIL if the {property:ANY} exists but doesn't contain {key:ANY}, because it is a WHEN directive. If it FAILS again it is wrong, because it shouldn't fail on a WHEN directive :)
That's why we need to separate these steps.
I checked your PR, looks great, except we are breaking this structure :(
from cli.
That's why we have https://github.com/eerkunt/terraform-compliance/blob/30c7b2a66185c53c29f1a6b8d8868b8606a5876a/terraform_compliance/steps/steps.py#L105 within the it_condition_contain_something() step.
from cli.
Hum, I see. Well, in this case, I want to navigate through a property that is a "list of properties". I don't know if we have a best example for that in terraform than tags. Something close is routes of a route table or ports/destination of a security group.
The idea is to navigate through: resource -> property -> sub-property -> value.
The terraform_validate already knows how to deal with it with find_property (does not throw an exception when the property is not found) or property (throws an exception when the property is not found):
    resourceList.find_property(property).find_property(subproperty)....
I don't know if my PR is the best way to do it. I also don't know what is the best way to deal with it using BDD:
One option I thought:
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      And <property> contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
Second option:
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      And it contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
Third option:
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      When it contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
Fourth option:
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      When tags contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
I don't know some theoretical things:
- Can we have multiple When's (without using And's)?
- And steps must be thought of as a parallel execution? Are both "it"s referring to the resource? So we have to use the property name?
from cli.
PS:
The first time we call find_property on a resource list, it returns a PropertyList. Then, when it is called on a PropertyList, it keeps returning a PropertyList and terraform_validate adds the property names/keys separated by dots, so for example: vpc.tags.Name.
from cli.
I liked the first and fourth option above
from cli.
This is definitely getting a very constructive discussion! Thanks!
I think these options are the valid ones ;
(your second option)
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      And it contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
(your third option)
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      When it contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
Instead of When this can also be a part of Then, assuming the tester would like to make the tests fail if sub-property can not be found.
Then it can be either ;
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      Then it contains <sub-property>
      And its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
or
    Scenario Outline: Ensure that the name tag must match project-env-app
      Given I have <resource_name> defined
      When it contains <property>
      Then it contains <sub-property>
      Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex
By the way, we are using terraform_validate for very few things really. We may remove the dependency and build internal ones (having different behaviours of course), this is still a case that I couldn't decide for a while - because it will require a substantial amount of refactoring. Maybe somewhere around 0.7
About #63 (comment) , I totally agree. I think the current code base is already doing that ? Have to check carefully.
from cli.
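The difference between drilling with When and asserting with Then, discussed in the comments above, as an added example that is not part of the original thread and is not terraform-compliance or terraform_validate code. It is a simplified model under stated assumptions: the step functions, the `run` helper and the sample resources are hypothetical, and paths are joined with dots in the style of `vpc.tags.Name` mentioned earlier.

```python
import re

class Skip(Exception): pass      # raised by WHEN: scenario skipped, not failed
class Failure(Exception): pass   # raised by THEN: scenario fails

def _has(val, key):
    return isinstance(val, dict) and key in val

def when_contains(stash, key):
    """WHEN: keep only entries that have `key`; skip if none are left."""
    kept = [(f"{path}.{key}", val[key]) for path, val in stash if _has(val, key)]
    if not kept:
        raise Skip(f"nothing contains {key!r}")
    return kept

def then_contains(stash, key):
    """THEN: every entry must have `key`; a missing one fails the scenario."""
    missing = [path for path, val in stash if not _has(val, key)]
    if missing:
        raise Failure(f"{', '.join(missing)} lacks {key!r}")
    return [(f"{path}.{key}", val[key]) for path, val in stash]

def then_value_matches(stash, pattern):
    """THEN: every remaining value must match the regex."""
    bad = [path for path, val in stash if not re.match(pattern, str(val))]
    if bad:
        raise Failure(f"{', '.join(bad)} does not match {pattern!r}")
    return stash

def run(resources, steps):
    """Apply (step, argument) pairs in order to resource -> property -> value."""
    stash = list(resources.items())
    try:
        for step, arg in steps:
            stash = step(stash, arg)
    except Skip:
        return "SKIPPED"
    except Failure as exc:
        return f"FAILED: {exc}"
    return "PASSED"

# Constructed sample data, not taken from a real plan.
RESOURCES = {
    "aws_vpc.main": {"tags": {"Name": "shop-prod-web-vpc"}},
    "aws_vpc.legacy": {"tags": {"Owner": "ops"}},   # has tags, but no Name
    "aws_vpc.bare": {"cidr_block": "10.2.0.0/16"},  # no tags at all
}
PATTERN = r"shop-prod-web-.*"
WHEN_WHEN = [(when_contains, "tags"), (when_contains, "Name"), (then_value_matches, PATTERN)]
WHEN_THEN = [(when_contains, "tags"), (then_contains, "Name"), (then_value_matches, PATTERN)]
```

With the same input, `run(RESOURCES, WHEN_WHEN)` passes because the VPC without a Name tag is filtered out, while `run(RESOURCES, WHEN_THEN)` reports it as a failure.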
I think this problem is also a bit about #19 . Just linking the issues.
from cli.
Nice, I think that, if we are going to use "it", I like a sequence of When's or Then's because in a sequence of And's, it can be ambiguous and, by another person reading it, can be referring to the resource. When it's a sequence of When's or Then's, it is less likely to think that it is referring to the resource.
from cli.
Forget about it. By definition in this repo, I think that it always refers to the last resource type. It is enough for me.
from cli.
I prefer to use And's after the first When/Then
from cli.
already
I think that needs few modifications to do it.
from cli.
Hi Erkunt abi,
I see this is a really helpful tool. Does this tool just check the module structure only, or does it check its properties and values as well?
Does this tool run after the terraform plan, or how does it work? Because our structure is that we have two repos:
- one is for the main code, where all the modules are, which won't change more
- one is specific to the application, where the xxx.tfvars file lives, which has all the values passed to the modules when the Jenkins job starts.
Thank you,
Kanat
from cli.
Hello @kanatsultan,
Sorry just saw your message. The tool runs against a terraform plan output and checks any custom compliance rule/test/feature/scenario you wrote.
Since terraform handles all interpolations or module invocations, all scenarios that you have described are possible with the 1.0.0 release.
Please have a look at the CHANGELOG
from cli.