[BUG] eval_conflict_error: object keys must be unique
rsareth opened this issue · comments
Describe the bug
Using a local composed of variables or another local raises this error: `eval_conflict_error: object keys must be unique`
The issue was discovered while using a module that creates an S3 bucket. We use the module several times in the same repository to create the buckets in different regions, and the bucket name is composed of different variables provided in the call.
How you're running Regula
- I'm using Regula >= v2.9.2 as a Rego library with OPA >= v0.43.1.
Operating System
Mac OS
Steps to reproduce
- Step 1 - Create these TF files with these contents:

```hcl
# Content in module/activity_log/s3.tf

# Added for a valid module: a module that receives a provider through
# `providers = { aws.platform = ... }` must declare the alias here, otherwise
# `terraform validate` rejects `provider = aws.platform` below.
terraform {
  required_providers {
    aws = {
      source                = "hashicorp/aws"
      configuration_aliases = [aws.platform]
    }
  }
}

variable "basename" {
  type = string
}

# Added with a default so that the `caller_id` argument passed by
# module "virginia" in main.tf is accepted (module "ireland" omits it).
variable "caller_id" {
  type    = string
  default = null
}

variable "common_tags" {
  type = map(string)
}

variable "region" {
  type = string
}

locals {
  activity_log_basename = "${var.basename}-activity-log-${var.region}"
}

resource "aws_s3_bucket" "activity_log" {
  bucket = local.activity_log_basename
  tags = {
    Name     = local.activity_log_basename
    use_case = "activity_log"
  }
  provider = aws.platform
}
```
```hcl
# Content ./main.tf
terraform {
  backend "s3" {
    region               = "eu-west-1"
    encrypt              = true
    workspace_key_prefix = ""
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.36.1"
    }
  }
}

variable "aws_assume_role" {
  type = string
}

variable "common_tags" {
  type = map(string)
}

variable "package_name" {
  type = string
}

variable "platform" {
  type = string
}

variable "region" {
  type = string
}

data "aws_caller_identity" "current" {}

provider "aws" {
  region = var.region
  default_tags {
    tags = local.common_tags
  }
  assume_role {
    role_arn = var.aws_assume_role
  }
}

provider "aws" {
  region = "us-east-1"
  alias  = "virginia"
  default_tags {
    tags = local.common_tags
  }
  assume_role {
    role_arn = var.aws_assume_role
  }
}

locals {
  common_root_name = "${terraform.workspace}-${var.package_name}"
  common_tags = merge(var.common_tags, {
    "package_name" = var.package_name,
    "platform"     = var.platform
  })
}

module "ireland" {
  source      = "./module/activity_log"
  basename    = local.common_root_name
  common_tags = local.common_tags
  region      = var.region
  providers = {
    aws.platform = aws
  }
}

module "virginia" {
  source      = "./module/activity_log"
  basename    = local.common_root_name
  caller_id   = data.aws_caller_identity.current.id
  common_tags = local.common_tags
  region      = "us-east-1"
  providers = {
    aws.platform = aws.virginia
  }
}
```
- Step 2 - Simply run regula:

```
$ regula run .
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique
```
- Step 3 - More tests by running different versions of regula:

```
$ V="2.9.1 2.9.2 2.9.3 2.10.0"
$ for v in $V; do echo "---> $v"; docker run -v $PWD:/tf -it fugue/regula:v$v run /tf; echo ""; done
---> 2.9.1
FG_R00099: S3 bucket server-side encryption should be enabled [High]
https://docs.fugue.co/FG_R00099.html
[1]: module.ireland.aws_s3_bucket.activity_log
in /tf/module/activity_log/s3.tf.tf:18:1
included at /tf/main.tf:72:12
[2]: module.virginia.aws_s3_bucket.activity_log
in /tf/module/activity_log/s3.tf.tf:18:1
included at /tf/main.tf:84:12
[...]
---> 2.9.2
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique
---> 2.9.3
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique
---> 2.10.0
FATAL rules/tf/aws/cloudtrail/s3_access_logging.rego:42: eval_conflict_error: object keys must be unique
```
To understand the issue, I dug into the code and I think it is in this file: rego/lib/aws/s3/s3_library.rego:57. This is the comparison page between 2.9.1 and 2.9.2: v2.9.1...v2.9.2#diff-fde3629b9cf39db0cd719504defac97929251ea07446d63cea2142b8074c41f3
Thank you in advance for looking at this
Rasmey
I'm closing it because it is a bug in my script. I need to properly set some tfvars, otherwise regula is crashing!
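The closing comment names unset tfvars as the cause. A plausible mechanism (an assumption, not confirmed in the issue) is that with `basename` and `region` unresolved, both module instances produce the same bucket name, so a Rego object comprehension keyed by bucket name receives one key with two different values, which is exactly what OPA reports as `eval_conflict_error: object keys must be unique`. The block below is an added Rego example, not Regula's own `s3_library.rego`: it reproduces that failure on constructed input and shows the grouped-by-set form that cannot conflict and instead surfaces the collision as a finding. The package name, rule names, the `resources` list and the placeholder bucket name `-activity-log-` are all invented for the illustration; the `future.keywords` imports are available in the OPA >= v0.43.1 mentioned above.

```rego
package example.s3_conflict

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Constructed input: two aws_s3_bucket resources whose names resolved to the
# same string. "-activity-log-" is a hypothetical stand-in for
# "${var.basename}-activity-log-${var.region}" with both variables unset.
resources := [
	{"id": "module.ireland.aws_s3_bucket.activity_log", "bucket": "-activity-log-", "region": "eu-west-1"},
	{"id": "module.virginia.aws_s3_bucket.activity_log", "bucket": "-activity-log-", "region": "us-east-1"},
]

# Fragile pattern: an object comprehension keyed by bucket name. The two
# resources share the key but differ in value (id, region), so evaluating this
# rule fails with "eval_conflict_error: object keys must be unique".
bucket_by_name_fragile := {r.bucket: r | some r in resources}

# Robust pattern: still keyed by bucket name, but the value is the set of every
# resource carrying that name. Both iterations now yield the same (key, value)
# pair, so the comprehension can never conflict.
resources_by_name := {name: rs |
	some r in resources
	name := r.bucket
	rs := {s | some s in resources; s.bucket == name}
}

# Report the collision as a finding the policy author can act on, instead of
# letting the whole evaluation abort.
duplicate_bucket_names contains name if {
	some name, rs in resources_by_name
	count(rs) > 1
}

# Resource ids involved in a collision, for a readable report.
colliding_resource_ids contains r.id if {
	some name in duplicate_bucket_names
	some r in resources_by_name[name]
}
```

Query the rules individually: `opa eval -d s3_conflict.rego 'data.example.s3_conflict.duplicate_bucket_names'` returns the set containing `"-activity-log-"`, and `colliding_resource_ids` lists both module addresses, whereas querying `bucket_by_name_fragile` (or the whole package, which forces that rule to evaluate) aborts with the same `eval_conflict_error` seen in the Regula output above. The defensive shape is the same one that applies to a library rule: when a key is derived from user-controlled configuration, never assume it is unique.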