fugue / regula

Regula checks infrastructure as code templates (Terraform, CloudFormation, k8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego

Home Page: https://regula.dev/

[BUG] panic: can't use ElementIterator on null value

szesch opened this issue

Describe the bug
When evaluating Terraform source code I am running into a panic: "panic: can't use ElementIterator on null value". Based on some testing I've done, this seems to be caused when values in a locals block reference variables AND then another value in the locals block references the first value. You can see this in the IaC snippet I provided below. default_tags referencing variables is OK on its own, but when tags = concat(local.default_tags, ["test"]) is added then the panic occurs.

panic: can't use ElementIterator on null value

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.ElementIterator({{{0x13015a0?, 0xc00043de48?}}, {0x0?, 0x0?}})
        /home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.10.0/cty/value_ops.go:1121 +0xc5
github.com/zclconf/go-cty/cty.Value.AsValueSlice({{{0x13015a0?, 0xc00043de48?}}, {0x0?, 0x0?}})
        /home/runner/go/pkg/mod/github.com/zclconf/go-cty@v1.10.0/cty/value_ops.go:1303 +0xd3
github.com/snyk/policy-engine/pkg/hcl_interpreter.(*phantomAttrs).add.func1({0xc000090a90, 0x1, 0x1}, {0xc000158540, 0x12}, {{{0x13015a0?, 0xc00043de48?}}, {0x0?, 0x0?}})
        /home/runner/go/pkg/mod/github.com/snyk/policy-engine@v0.15.0/pkg/hcl_interpreter/phantom_attrs.go:81 +0x16e
github.com/snyk/policy-engine/pkg/hcl_interpreter.(*phantomAttrs).add(0xc00040c218, {{0x1bb54b8, 0x0, 0x0}, {0xc00051e820, 0x2, 0x2}}, {{{0x13015a0, 0xc00043de48}}, {0x0, ...}})
        /home/runner/go/pkg/mod/github.com/snyk/policy-engine@v0.15.0/pkg/hcl_interpreter/phantom_attrs.go:93 +0x296
github.com/snyk/policy-engine/pkg/hcl_interpreter.(*Evaluation).evaluate(0xc0000a8480)
        /home/runner/go/pkg/mod/github.com/snyk/policy-engine@v0.15.0/pkg/hcl_interpreter/hcl_interpreter.go:267 +0x806
github.com/snyk/policy-engine/pkg/hcl_interpreter.EvaluateAnalysis(0xc000031f80)
        /home/runner/go/pkg/mod/github.com/snyk/policy-engine@v0.15.0/pkg/hcl_interpreter/hcl_interpreter.go:192 +0x1cc
github.com/fugue/regula/v3/pkg/loader.newHclConfiguration(0xc00016a060)
        /home/runner/work/regula/regula/pkg/loader/tf.go:105 +0x2a
github.com/fugue/regula/v3/pkg/loader.(*TfDetector).DetectDirectory(0x3?, {0x1302600, 0xc00012bd00}, {0x7?, 0x0?, {0x1bb54b8?, 0x3650c2207d6f068d?, 0x1?}})
        /home/runner/work/regula/regula/pkg/loader/tf.go:95 +0x265
github.com/fugue/regula/v3/pkg/loader.(*directory).DetectType(0x1?, {0x12fbc38?, 0x1bb54b8?}, {0x39?, 0xae?, {0x1bb54b8?, 0xc0004aae20?, 0xc000414690?}})
        /home/runner/work/regula/regula/pkg/loader/input.go:32 +0x39
github.com/fugue/regula/v3/pkg/loader.(*AutoDetector).DetectDirectory(0x7?, {0x1302600, 0xc00012bd00}, {0x30?, 0x75?, {0x1bb54b8?, 0x108abb0?, 0xc000326380?}})
        /home/runner/work/regula/regula/pkg/loader/auto.go:26 +0xf8
github.com/fugue/regula/v3/pkg/loader.(*directory).DetectType(0x108abb0?, {0x12fbbc0?, 0xc00043cba0?}, {0x1?, 0x0?, {0x1bb54b8?, 0xc0004bde90?, 0x1b7ba40?}})
        /home/runner/work/regula/regula/pkg/loader/input.go:32 +0x39
github.com/fugue/regula/v3/pkg/loader.LocalConfigurationLoader.func1()
        /home/runner/work/regula/regula/pkg/loader/loadpaths.go:127 +0x5cd
github.com/fugue/regula/v3/cmd.NewRunCommand.func1(0xc000330f00, {0xc0004bc440, 0x0, 0x1})
        /home/runner/work/regula/regula/cmd/run.go:145 +0x7f7
github.com/spf13/cobra.(*Command).execute(0xc000330f00, {0xc0004bc420, 0x1, 0x1})
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:916 +0x862
github.com/spf13/cobra.(*Command).ExecuteC(0x1b4f8a0)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044 +0x3bc
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968
github.com/fugue/regula/v3/cmd.Execute()
        /home/runner/work/regula/regula/cmd/root.go:47 +0x25
main.main()
        /home/runner/work/regula/regula/main.go:22 +0x17

How you're running Regula

  • I'm using Regula v3.0.0 as a CLI tool and my Terraform source code as an input:
regula run -v

Operating System
Ubuntu 22.04

IaC Configuration

variable "team" {
  type = string
}
variable "service" {
  type = string
}
variable "type" {
  type = string
}

locals {
  default_tags = [
    "owner:tf",
    "service:${var.service}",
    "team:${var.team}",
    "region:*",
    "geo:*",
    "env:*"
  ]
  tags = concat(local.default_tags, ["test"])
}

Hi @szesch, thanks for the bug report -- it is highly detailed and clearly written, which allowed me to reproduce this within minutes.

I am working to fix the root cause (it's a combination of two bugs, one is us assuming that variables have a default in certain cases, which they don't here, and the other is that we're accidentally treating locals as a resource in another place). As a temporary workaround, specifying defaults for the variables should work. I expect to have the fix out later today though.
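
The temporary workaround described in the reply above, applied to the reporter's configuration. This is an added example, not part of the original thread; the `"unset"` default values are constructed placeholders.

```hcl
# Workaround sketch for Regula v3.0.0: give every variable a default so the
# evaluator never sees a null value for it. "unset" is a constructed
# placeholder, not a value from the thread.
variable "team" {
  type    = string
  default = "unset"
}
variable "service" {
  type    = string
  default = "unset"
}
variable "type" {
  type    = string
  default = "unset"
}

locals {
  # Interpolates variables; per the report this is fine on its own.
  default_tags = [
    "owner:tf",
    "service:${var.service}",
    "team:${var.team}",
    "region:*",
    "geo:*",
    "env:*"
  ]
  # A second local that references the first; per the report this is the
  # line that triggered the panic when the variables had no default.
  tags = concat(local.default_tags, ["test"])
}
```

A default makes a Terraform variable optional, so a plan that omits the value will no longer fail and will use the placeholder instead. Remove the defaults again once a release containing the fix is in use.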

@jaspervdj-luminal Thank you for the quick turnaround on this. I tested the latest release and ran into a similar error but it looks like a different cause. I created #397