Describe the bug
This happens when the Terraform file refers to a data source, e.g. the policy is defined in an aws_iam_policy_document data source and that document is then referenced when provisioning the aws_ecr_repository_policy.
Please look at the Note section below for other observations.
Control hangs
➜ steampipe check control.ecr_repository_policy_prohibit_public_access
⠴ Running 1 control. (0 complete, 1 running, 0 pending, 0 errors)
⠙ Running 1 control. (0 complete, 1 running, 0 pending, 0 errors)
⠴ Running 1 control. (0 complete, 1 running, 0 pending, 0 errors)
⠴ Running 1 control. (0 complete, 1 running, 0 pending, 0 errors)
CTRL + C
+ ECR repository policy should prohibit public access .......... 1 / 1 [ ]
ERROR: execution cancelled
Steampipe version (steampipe -v)
Example: Steampipe v0.20.10
Plugin version (steampipe plugin list)
Example: 0.7.0 | terraform
To reproduce
Steps to reproduce the behaviour (please include relevant code and/or commands).
Create a TF file with the below.
### This works as no data source is provided to associate the policy (inbuilt)
resource "aws_ecr_repository_policy" "foobarworks" {
  repository = "foobar"
  policy = jsonencode(
    {
      Version = "2008-10-17",
      Statement = [
        {
          Effect    = "Allow",
          Principal = "*",
          Action = [
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability",
            "ecr:DescribeImages",
            "ecr:DescribeRepositories",
            "ecr:GetDownloadUrlForLayer",
            "ecr:ListImages"
          ],
          Condition = {
            "StringEquals" = {
              "aws:PrincipalOrgID" = "something"
            }
          }
        }
      ]
    }
  )
}

### CHECKING POLICY AS DATA INPUT (Fails when referring to the data source)
resource "aws_ecr_repository" "foo" {
  name = "bar"
}

data "aws_iam_policy_document" "foopolicy" {
  statement {
    sid    = "new policy"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["123456789012"]
    }
    actions = [
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
      "ecr:BatchCheckLayerAvailability",
      "ecr:PutImage",
      "ecr:InitiateLayerUpload",
      "ecr:UploadLayerPart",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeRepositories",
      "ecr:GetRepositoryPolicy",
      "ecr:ListImages",
      "ecr:DeleteRepository",
      "ecr:BatchDeleteImage",
      "ecr:SetRepositoryPolicy",
      "ecr:DeleteRepositoryPolicy",
    ]
  }
}

resource "aws_ecr_repository_policy" "foopolicy" {
  repository = aws_ecr_repository.foo.name
  policy     = data.aws_iam_policy_document.foopolicy.json
}
The query to execute
with policy_statement as (
  select
    distinct (type || ' ' || name) as name
  from
    terraform_resource,
    jsonb_array_elements(
      case
        when (arguments ->> 'policy') = '' then null
        else ((arguments ->> 'policy')::jsonb -> 'Statement')
      end
    ) as s
  where
    type = 'aws_ecr_repository_policy'
    and (
      (s ->> 'Principal' = '*')
      and ((s ->> 'Condition') is null)
    )
)
select
  type || ' ' || r.name as resource,
  case
    when (arguments ->> 'policy') = '' then 'ok'
    when s.name is null then 'ok'
    else 'alarm'
  end status,
  case
    when (arguments ->> 'policy') = '' then ' no policy defined'
    when s.name is null then ' not public'
    else ' public'
  end || '.' reason
from
  terraform_resource as r
  left join policy_statement as s on s.name = concat(r.type || ' ' || r.name)
where
  type = 'aws_ecr_repository_policy';
Note:
- Interestingly, when I execute .cache off and .cache clear, the query renders as expected.
- The first time, the query works (not the control), but when we re-run it, it hangs.
- In the same way, if the control hangs for this case, it halts the execution of all controls across the services.
- Controls and queries with a CTE block mostly hang.
- It may very well be related to the cache, as it works when we execute the query with .cache off. The moment the cache is on, it hangs.
Error from plugin log
2023-08-22 10:39:38.535 UTC [TRACE] steampipe-plugin-terraform.plugin: [TRACE] 1692700778380: IndexItem) SatisfiesRequest: satisfiedColumns true satisfiesLimit true satisfiesQuals true
2023-08-22 10:39:38.535 UTC [TRACE] steampipe-plugin-terraform.plugin: [TRACE] 1692700778380: found pending index item to satisfy columns for_each,depends_on,lifecycle,start_line,source,arguments,count,count_src,path,end_line,name,type,provider,_ctx, limit -1, quals: NONE (terraform-1692700778380)
2023-08-22 10:39:38.535 UTC [TRACE] steampipe-plugin-terraform.plugin: [TRACE] 1692700778380: getPendingResultItem returning &{0xc0006de8a0 <nil> terraform-1692700646836 0xc015043100}
2023-08-22 10:39:38.535 UTC [INFO] steampipe-plugin-terraform.plugin: [INFO] 1692700778380: found pending item [terraform-1692700646836] - subscribing to its data (terraform-1692700778380)
2023-08-22 10:39:38.535 UTC [INFO] steampipe-plugin-terraform.plugin: [INFO] 1692700778380: stream all data already cached
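Added example, not the reporter's code or the plugin's: the same public-access check written in Python over constructed rows shaped like terraform_resource. It goes beyond the SQL above by also recognising the {"AWS": "*"} principal form and by returning a distinct status when the policy argument is an unresolved data-source reference instead of JSON, so the check neither fails the cast nor stalls on that row. It assumes (unverified) that the plugin stores such a reference as the raw expression string.

```python
import json

# Constructed sample rows shaped like terraform_resource rows: (type, name, arguments).
# Row 2 assumes the plugin stores an unresolved data-source reference as the raw
# expression string rather than rendered JSON (assumption, not verified).
SAMPLE_ROWS = [
    ("aws_ecr_repository_policy", "foobarworks", {"repository": "foobar", "policy": json.dumps({
        "Version": "2008-10-17",
        "Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["ecr:BatchGetImage"],
                       "Condition": {"StringEquals": {"aws:PrincipalOrgID": "something"}}}]})}),
    ("aws_ecr_repository_policy", "foopolicy", {"repository": "aws_ecr_repository.foo.name",
                                                "policy": "data.aws_iam_policy_document.foopolicy.json"}),
    ("aws_ecr_repository_policy", "wideopen", {"repository": "baz", "policy": json.dumps({
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "ecr:*"}]})}),
    ("aws_ecr_repository", "foo", {"name": "bar"}),
]

def statement_is_public(stmt):
    """Allow to anyone with no Condition: covers Principal "*" and {"AWS": "*"} / ["*"]."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    principal = stmt.get("Principal")
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def check_ecr_policy(arguments):
    """Return (status, reason) in the same spirit as the control's SQL."""
    policy = arguments.get("policy", "")
    if policy == "":
        return "ok", "no policy defined"
    try:
        doc = json.loads(policy)
    except ValueError:  # not JSON: e.g. a data.<...>.json reference left unresolved
        doc = None
    if not isinstance(doc, dict):
        return "info", "policy is an unresolved reference; cannot evaluate"
    stmts = doc.get("Statement", [])
    if isinstance(stmts, dict):  # a single statement object is valid policy JSON
        stmts = [stmts]
    if any(statement_is_public(s) for s in stmts):
        return "alarm", "public"
    return "ok", "not public"

def run_check(rows):
    return [(f"{t} {n}",) + check_ecr_policy(a) for t, n, a in rows
            if t == "aws_ecr_repository_policy"]

if __name__ == "__main__":
    for resource, status, reason in run_check(SAMPLE_ROWS):
        print(f"{status:5} {resource}: {reason}")
```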