
Comments (18)

supergarotinho commented on May 25, 2024

Closed by accident!

from cli.

supergarotinho commented on May 25, 2024

I think that as it is a When step, if the resource does not have the property key, we should only filter it and skip, as we are doing in the pull request. But I agree that I'm doing two things in one When condition. We need to refactor it.


eerkunt commented on May 25, 2024

I don't exactly understand the issue here; do you want it to be a part of Examples?

The example scenarios are just some mere samples. There might be thousands of different use cases.

.. or am I missing something here and the scenario above is not working? It looks good though.


supergarotinho commented on May 25, 2024

Sorry, the issue is: I have a resource, and inside the resource tags, the tag X must have a value matching Y. Well, I don't think that we can achieve this condition without creating new BDD steps.

I think we need to create a new When step: "its tags contains ".


supergarotinho commented on May 25, 2024

"its tags contains {key: ANY}"
or
"its {property:ANY} contains {key: ANY}"


eerkunt commented on May 25, 2024

Thanks for the explanation and the PR! 👍

The scenarios should drill down to get a value via resource -> property -> value.

For example:

 Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains tags
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

    Examples:
    | resource_name           | name_key |
    | aws_vpc                 | Name     |
    | aws_route_table         | Name     |
    | aws_internet_gateway    | Name     |

The idea of using WHEN here is that it doesn't raise any exceptions if the resource or property cannot be found. Thus, if you have a terraform resource that doesn't have any tags assigned as a property to it, the step should skip and further steps should not run.

When we create a new step like ;

WHEN it {property:ANY} contains {key:ANY}

then we are breaking this rule, which is that the test should not FAIL if the {property:ANY} exists but doesn't contain {key:ANY}, because it is a WHEN directive. If it FAILS again it is wrong, because it shouldn't fail on a WHEN directive :)

That's why we need to separate these steps.

I checked your PR, it looks great, except that we are breaking this structure :(


eerkunt commented on May 25, 2024

That's why we have https://github.com/eerkunt/terraform-compliance/blob/30c7b2a66185c53c29f1a6b8d8868b8606a5876a/terraform_compliance/steps/steps.py#L105 within the it_condition_contain_something() step.


supergarotinho commented on May 25, 2024

Hmm, I see. Well, in this case, I want to navigate through a property that is a "list of properties". I don't know if we have a better example for that in terraform than tags. Something close is the routes of a route table or the ports/destination of a security group.

The idea is to navigate through: resource -> property -> sub-property -> value.

terraform_validate already knows how to deal with it with find_property (does not throw an exception when the property is not found) or property (throws an exception when the property is not found):

resourceList.find_property(property).find_property(subproperty)....

I don't know if my PR is the best way to do it. I also don't know what the best way to deal with it using BDD is:

One option I thought of:

 Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    And <property> contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

Second option:

 Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    And it contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

Third option:

 Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    When it contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

Fourth option:

 Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    When tags contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

I don't know some theoretical things:

  • Can we have multiple When's (without using And's)?
  • Must And steps be thought of as a parallel execution? Are both referring to the resource? So do we have to use the property name?


supergarotinho commented on May 25, 2024

PS:

The first time we call find_property on a resource list, it returns a PropertyList. Then, when it is called on a PropertyList, it keeps returning a PropertyList, and terraform_validate adds the property names/keys separated by dots, so for example: vpc.tags.Name.

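The two behaviours discussed in this thread, the When-style lenient drill-down that skips a resource when a property level is missing versus the Then-style strict one that fails, together with the dotted naming of chained find_property calls (vpc.tags.Name) from the PS above, modelled in one added example. This is constructed illustration code, not terraform-compliance's or terraform_validate's own implementation; the PropertyList class, the PLAN dict and NAME_REGEX are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

class PropertyNotFound(Exception):
    """Raised only by the strict accessor; a When-style step never raises it."""

@dataclass
class PropertyList:
    entries: list = field(default_factory=list)  # (dotted path, value) pairs, e.g. ("aws_vpc.main.tags", {...})

    def find_property(self, name):
        # Lenient drill-down (When semantics): entries lacking `name` are filtered out, nothing fails.
        found = [(f"{path}.{name}", value[name]) for path, value in self.entries
                 if isinstance(value, dict) and name in value]
        return PropertyList(found)

    def property(self, name):
        # Strict drill-down (Then semantics): any entry lacking `name` is an error.
        missing = [path for path, value in self.entries if not (isinstance(value, dict) and name in value)]
        if missing:
            raise PropertyNotFound(f"'{name}' not found in {missing}")
        return self.find_property(name)

    def values_not_matching(self, pattern):
        # Dotted paths whose value does not fully match `pattern` (the 'its value must match' step).
        return [path for path, value in self.entries if not re.fullmatch(pattern, str(value))]

def resources_of(plan, resource_type):
    # Stand-in for 'Given I have <resource_name> defined' over the constructed plan dict below.
    return PropertyList([(addr, body) for addr, body in plan.items() if addr.startswith(resource_type + ".")])

# Constructed sample plan (resource address -> attributes); not real terraform output.
PLAN = {
    "aws_vpc.main": {"tags": {"Name": "proj-dev-app-main"}},
    "aws_vpc.bad": {"tags": {"Name": "other"}},
    "aws_vpc.legacy": {},                             # no tags at all
    "aws_route_table.rt": {"tags": {"Env": "dev"}},  # has tags, but no Name key
}
NAME_REGEX = r"proj-dev-app-.*"

def when_chain(plan, resource_type):
    # 'When it contains tags' / 'When tags contains Name': missing levels are skipped, never failed.
    return resources_of(plan, resource_type).find_property("tags").find_property("Name").values_not_matching(NAME_REGEX)

def then_chain(plan, resource_type):
    # 'When it contains tags' / 'Then it contains Name': a tagged resource without Name is a failure.
    try:
        return resources_of(plan, resource_type).find_property("tags").property("Name").values_not_matching(NAME_REGEX)
    except PropertyNotFound as exc:
        return [f"FAIL: {exc}"]
```

Only the resource with a present but non-compliant Name tag is reported by the When chain; the route table, which has tags but no Name key, is skipped by the When chain and fails only under the Then chain.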

supergarotinho commented on May 25, 2024

I liked the first and fourth options above.


eerkunt commented on May 25, 2024

This is definitely getting a very constructive discussion! Thanks!

I think these options are the valid ones ;

(your second option)

Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    And it contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

(your third option)

Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    When it contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

Instead of When this can also be a part of Then, assuming the tester would like to make the tests fail if sub-property can not be found.

Then it can be either ;

Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    Then it contains <sub-property> 
    And its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

or

Scenario Outline: Ensure that the name tag must match project-env-app
    Given I have <resource_name> defined
    When it contains <property>
    Then it contains <sub-property> 
    Then its value must match the "\${var.project}-\${var.environment}-\${var.application}-.*" regex

By the way, we are using terraform_validate for very few things really. We may remove the dependency and build internal ones (having different behaviours of course); this is still a case that I couldn't decide on for a while, because it will require a substantial amount of refactoring. Maybe somewhere around 0.7.

About #63 (comment), I totally agree. I think the current code base is already doing that? Have to check carefully.


eerkunt commented on May 25, 2024

I think this problem is also a bit about #19. Just linking the issues.


supergarotinho commented on May 25, 2024

Nice. I think that, if we are going to use "it", I like a sequence of When's or Then's, because in a sequence of And's it can be ambiguous and, to another person reading it, it can seem to refer to the resource. When it's a sequence of When's or Then's it is less likely to be read as referring to the resource.


supergarotinho commented on May 25, 2024

Forget about it. By definition in this repo, I think that "it" always refers to the last resource type. That is enough for me.


supergarotinho commented on May 25, 2024

I prefer to use And's after the first When/Then.


supergarotinho commented on May 25, 2024

already

I think that needs a few modifications to do it.


kanatsultan-zz commented on May 25, 2024

Hi Erkunt abi,

I see this is a really helpful tool. Does this tool just check the module structure only, or does it check its properties and values as well?

Does this tool run after the terraform plan, or how does it work? Because our structure is that we have two repos:

  1. one is for the main code where all the modules are, which won't change much
  2. the other is specific for the application, where the xxx.tfvars file lives, which has all the values passed to the module when the jenkins job starts.

Thank you,
Kanat


eerkunt commented on May 25, 2024

Hello @kanatsultan,

Sorry, I just saw your message. The tool runs against a terraform plan output and checks any custom compliance rule/test/feature/scenario you wrote.

Since terraform handles all interpolations and module invocations, all scenarios that you have described are possible with the 1.0.0 release.

Please have a look at the CHANGELOG.

