This repository has been archived by the owner on Sep 3, 2024. It is now read-only.

[BUG] Unable to process terraform template with unset variable in assume_role_policy #365

Open
jcortega opened this issue Oct 17, 2022 · 0 comments


jcortega commented Oct 17, 2022

I have the below Terraform template which defines assume_role_policy as JSON which references a variable without a default value.

mock.tf

variable "target_account_id" {
  type = string
  # No default on purpose: the report is about this value being unset when Regula evaluates the file.
}

resource "aws_iam_role" "valid" {
  name               = "indg-okta-news-tasks"
  path               = "xyz"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRoleWithSAML",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${var.target_account_id}:saml-provider/OktaIDP"
      },
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
EOF

  tags = var.tags
}

# var.tags is referenced above but was not declared in the original snippet; declared here,
# after the resource, so the mock.tf line numbers quoted in the log below still apply.
variable "tags" {
  type    = map(string)
  default = {}
}

I then have a minimal Rego policy as shown below which should always be successful if the assume_role_policy JSON is valid.

package rules.r000000017tf

# Regula custom rule: evaluated once per aws_iam_role resource in the input.
resource_type := "aws_iam_role"

default allow := false

# Passes whenever assume_role_policy is a string that unmarshals as JSON.
allow {
    policy := json.unmarshal(input["assume_role_policy"])
}

Now, when executing regula run -i ./ -v, I get the error below. Please refer to the second line.

DEBUG evaluate: aws_iam_role.valid.assume_role_policy 
DEBUG evaluate: error: mock.tf:16,38-59: Invalid template interpolation value; The expression result is null. Cannot include a null value in a string template. 
DEBUG evaluate: aws_iam_role.valid.tags            
DEBUG evaluate: aws_iam_role.valid.name            
DEBUG evaluate: aws_iam_role.valid.path            
DEBUG loadedPaths[.terraform] -> .                 
DEBUG loadedPaths[.] -> .                          
DEBUG loadedPaths[mock.tf] -> .                    

r000000017tf:  [Unknown]

  [1]: aws_iam_role.valid
       in mock.tf:5:1

It looks like regula is unable to properly handle an unset variable during regula run. However, I want to be able to create a rego policy against the json policy as-is (un-interpolated).

How you're running Regula
I am using 2.9.1, build b46cb87, built with OPA v0.43.0

Operating System
MacOS Monterey

Steps to reproduce

  1. Create mock.tf as shown in the code above
  2. Create rules.rego as shown above.
  3. Run regula run -i ./ --verbose
  4. Regula is unable to properly unmarshal the JSON that contains the variable.

IaC Configuration
see mock.tf above
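One way to get the check the reporter is after, as an added example that is neither Regula's code nor part of this issue: read the assume_role_policy heredoc straight out of the .tf text and lint the trust policy with the ${var...} references left un-interpolated, so a null variable cannot blank out the whole attribute. The MOCK_TF sample (same shape as the mock.tf above), the HEREDOC regex and the two check functions are constructed for this example.

```python
"""Lint an IAM trust policy heredoc without interpolating Terraform variables."""
import json
import re

# Constructed sample mirroring the issue's mock.tf (not the file itself).
MOCK_TF = '''
resource "aws_iam_role" "valid" {
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRoleWithSAML",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${var.target_account_id}:saml-provider/OktaIDP"
      },
      "Condition": {
        "StringEquals": { "SAML:aud": "https://signin.aws.amazon.com/saml" }
      }
    }
  ]
}
EOF
}
'''

# Matches `assume_role_policy = <<MARKER ... MARKER` and captures the raw body.
HEREDOC = re.compile(r'assume_role_policy\s*=\s*<<-?(\w+)\n(.*?)\n\s*\1\b', re.S)


def extract_trust_policies(tf_text):
    """Return each heredoc body verbatim; ${var.x} stays a literal string."""
    return [m.group(2) for m in HEREDOC.finditer(tf_text)]


def lint_trust_policy(raw):
    """Parse the body as-is and return findings (empty list means no issue)."""
    doc = json.loads(raw)  # the un-interpolated reference is still valid JSON text
    stmts = doc.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    findings = []
    for i, st in enumerate(stmts):
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in principal.values()):
            findings.append(f"Statement[{i}]: wildcard principal")
        if "sts:AssumeRoleWithSAML" in actions:
            aud = st.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
            if aud != "https://signin.aws.amazon.com/saml":
                findings.append(f"Statement[{i}]: SAML trust without SAML:aud condition")
    return findings
```

The same two functions can be pointed at a real .tf file; an unresolved variable simply shows up as a `${var...}` substring inside the ARN rather than aborting evaluation.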
