fix(terraform): evaluateStep to correctly set EvalContext for multiple instances of blocks

[Emyrk]

Before this change, all data blocks set their values in the EvalContext with the key b.Labels()[0]. If the block is an instance of a block (via count param), the label looks like <name>[<idx>].

This is different to how expandBlockCounts handles this.

https://github.com/aquasecurity/trivy/blob/main/pkg/iac/scanners/terraform/parser/evaluator.go#L422-L422

expandBlockCounts handles this correctly, as an hcl.TraverseIndex expects a tuple (assuming the key is a number).

This PR updates evaluateStep to override the <name> in the EvalContext with a new tuple containing every instance of the data block that is found.

TODO:

This same fix probably needs to be applied for for_each and maybe dynamic blocks.

Testing when count = 0 likely also needs to be tested. I think this is already ok, because if count = 0, then expandBlockCounts will not set the EvalContext. And the block is omitted from the list with any key index. Worst case, the key isNull and it is saved under the name without a tuple. So the context has a value, but not a tuple type, so traversals will still fail.

Checklist

• I've read the guidelines for contributing to this repository.
• I've followed the conventions in the PR title.
• I've added tests that prove my fix is effective or that my feature works.
• I've updated the documentation with the relevant information (if needed).
• I've added usage information (if the PR introduces new options)
• I've included a "before" and "after" example to the description (if the PR is a user interface change).

[Emyrk]

I really think if this if statement branch is executed, we should not do valueMap[b.Labels()[1]] = b.Values().

In an abundance of caution, I kept the previous context setting as well. The previous context is incorrect for an hcl traversal though. So I feel like it was never being hit.

How the code would look if we remove the current behavior entirely.

if rawKey.Type().Equals(cty.Number) {
  existing := valueMap[ref.NameLabel()]
  asInt, _ := rawKey.AsBigFloat().Int64()

  valueMap[ref.NameLabel()] = insertTupleElement(existing, int(asInt), b.Values())
} else {
  valueMap[b.Labels()[1]] = b.Values()
}

[nikpivkin]

I think the old behavior should be removed after adding the handling of all cases.

[Emyrk]

@nikpivkin by "all the cases", do you mean handling for_each and possibly dynamic cases as well? (TBD if dynamic needs any changes, I am unsure off the top of my head)

[nikpivkin]

Hi @Emyrk !

Indeed, I was not even aware of this problem. Now the last part of the path when inserting values into a context contains an index, which is incorrect. Your approach looks good, but this problem applies not only to data blocks, but to all types of blocks with for_each and count meta-arguments. When using for_each, instances of the block should be exported as an object, and the index can be a number, so we should distinguish between these cases.

If you don't mind I can change this PR to add support for the rest of the cases.

[Emyrk]

Indeed, I was not even aware of this problem. Now the last part of the path when inserting values into a context contains an index, which is incorrect. Your approach looks good, but this problem applies not only to data blocks, but to all types of blocks with for_each and count meta-arguments. When using for_each, instances of the block should be exported as an object, and the index can be a number, so we should distinguish between these cases.

If you don't mind I can change this PR to add support for the rest of the cases.

Yes! I was aware this problem is larger than my fix. I'm still getting my footing/bearings in this codebase, so just wanted to tackle this in the smallest incremental improvement I could contribute.

Feel free to contribute to my branch directly if you want to fix it all in 1 go. We could also solve the for_each in a second PR. I will defer to your judgement.

[Emyrk]

@nikpivkin This also exists with module outputs:

https://github.com/aquasecurity/trivy/blob/main/pkg/iac/scanners/terraform/parser/evaluator.go#L245

[nikpivkin]

@Emyrk Yes, I will make the fixes for the modules in the other PR as it requires a slightly different approach. I already have a draft.

[Emyrk]

@Emyrk Yes, I will make the fixes for the modules in the other PR as it requires a slightly different approach. I already have a draft.

Whoops! @nikpivkin I will revert my test and change, and keep this PR to what it was before my comment.

[nikpivkin]

My draft has exactly the same implementation :)

[nikpivkin]

@simar7 Can you take a look?

[simar7]

capturing loop variable is no longer required https://go.dev/blog/loopvar-preview

[Emyrk]

TIL ❤️

[simar7]

@Emyrk can we remove this then?

[simar7]

Should we check if idx is within bounds before we invoke insertTupleElement?

[simar7]

AsBigFloat() will panic if it is not valid type. Maybe we should assert it first?

[nikpivkin]

Element may be larger than the tuple capacity when the context does not yet contain all instances of the block, and then we need to grow it

[nikpivkin]

AsBigFloat() will panic if it is not valid type. Maybe we should assert it first?

We check that it is a number. Also the key cannot be unknown, it is either Nil or a known value.

[Emyrk]

Really sorry, I made a mistake and force pushed to this branch by accident. I got the branch back to the state that was reviewed 🤦‍♂️

[simar7]

Really sorry, I made a mistake and force pushed to this branch by accident. I got the branch back to the state that was reviewed 🤦‍♂️

No worries @Emyrk - were there any other updates to the comments I had left or you have pushed everything you had?

[Emyrk]

@simar7 just read through all the comments. Added 1 little test syntax tweak.

Everything I have for this issue is pushed up 👍

[simar7]

lgtm, thanks for the PR! @nikpivkin could you also take another look at it?