fix(terraform): Handle explicitly-specified tfvars explicitly #7107

thentenaar · 2025-04-15T18:47:40Z

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Allow for --var-file arguments outside of the tf dir to be handled correctly
Use a dict to enforce tfvars precedence, grouping vars by the directory for which they were defined, reducing the number of tfvar nodes added to the graph for a given directory.
Create variable -> tfvars edges based on the directory for which the var was defined.
Have _load_files take a list of str instead of os.DirEntry.
Changed a usage of printf() to logging.debug()

Checklist:

I have performed a self-review of my own code
I have commented my code, particularly in hard-to-understand areas
I have made corresponding changes to the documentation
I have added tests that prove my feature, policy, or fix is effective and works
New and existing tests pass locally with my changes

omriyoffe-panw

Hey @thentenaar,
First of all thank you for your contribution!
I left a few minor comments, however along with them I am not sure I understand your use of the "explicit" variable. If I understand correctly the goal is to allow for .tfvars file in sub-directories of the project using the -var-file flag. I saw you implemented a search on the directory for .tfvars files but I don't see why you would need the "explicit" variable and I can see some use cases where it might allow for files other then .tfvars to be passed in the flag causing errors.
Would love if you could add a short explanation for this implementation.
Thanks!

checkov/terraform/tf_parser.py

gruebel

overall the suggested implementation doesn't reflect the actual Terraform behavior and with the added explicit marker makes it harder to maintain than it actually should be, because it is not a simple override mechanism but rather a hierarchical resolution order.

checkov/terraform/tf_parser.py

* Allow for ``--var-file`` arguments outside of the tf dir to be handled correctly. * Use a dict to enforce tfvars precedence, grouping vars by the directory for which they were defined, reducing the number of tfvar nodes added to the graph for a given directory. * Create variable -> tfvars edges based on the directory for which the var was defined. * Have _load_files take a list of str instead of os.DirEntry. * Changed a usage of printf() to logging.debug()

fix(terraform): Handle explicitly-specified vars explicitly * Allow for ``--var-file`` arguments outside of the tf dir to be handled correctly. * Use a dict to enforce tfvars precedence, grouping vars by the directory for which they were defined, reducing the number of tfvar nodes added to the graph for a given directory. * Create variable -> tfvars edges based on the directory for which the var was defined. * Have _load_files take a list of str instead of os.DirEntry. * Changed a usage of printf() to logging.debug()

thentenaar had a problem deploying to scan-security April 15, 2025 18:47 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from e863c61 to 5cd5efd Compare April 17, 2025 14:16

thentenaar had a problem deploying to scan-security April 17, 2025 14:16 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 5cd5efd to 8b002b5 Compare April 17, 2025 23:03

thentenaar had a problem deploying to scan-security April 17, 2025 23:03 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 8b002b5 to dc4fba3 Compare April 19, 2025 11:28

thentenaar had a problem deploying to scan-security April 19, 2025 11:28 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from dc4fba3 to c8ed2e3 Compare April 21, 2025 12:24

thentenaar had a problem deploying to scan-security April 21, 2025 12:24 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from c8ed2e3 to d8d8596 Compare April 21, 2025 12:25

thentenaar had a problem deploying to scan-security April 21, 2025 12:25 — with GitHub Actions Failure

omriyoffe-panw reviewed Apr 21, 2025

View reviewed changes

checkov/terraform/tf_parser.py Outdated Show resolved Hide resolved

checkov/terraform/tf_parser.py Outdated Show resolved Hide resolved

checkov/terraform/tf_parser.py Outdated Show resolved Hide resolved

thentenaar force-pushed the tfvars branch from d8d8596 to 318de7e Compare April 21, 2025 14:00

thentenaar had a problem deploying to scan-security April 21, 2025 14:00 — with GitHub Actions Failure

thentenaar requested a review from omriyoffe-panw April 21, 2025 14:06

gruebel reviewed Apr 21, 2025

View reviewed changes

checkov/terraform/tf_parser.py Outdated Show resolved Hide resolved

checkov/terraform/tf_parser.py Outdated Show resolved Hide resolved

checkov/terraform/tf_parser.py Outdated Show resolved Hide resolved

thentenaar force-pushed the tfvars branch from 318de7e to b3fe8e9 Compare April 22, 2025 14:14

thentenaar had a problem deploying to scan-security April 22, 2025 14:14 — with GitHub Actions Failure

thentenaar requested a review from gruebel April 22, 2025 14:19

thentenaar force-pushed the tfvars branch from b3fe8e9 to 78e38cd Compare April 23, 2025 14:18

thentenaar had a problem deploying to scan-security April 23, 2025 14:18 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 78e38cd to b3c4cd4 Compare April 23, 2025 14:19

thentenaar had a problem deploying to scan-security April 23, 2025 14:19 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from b3c4cd4 to 8c16249 Compare April 23, 2025 14:26

thentenaar had a problem deploying to scan-security April 23, 2025 14:26 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 8c16249 to 817ce89 Compare April 23, 2025 14:30

thentenaar had a problem deploying to scan-security April 23, 2025 14:30 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 817ce89 to 58fe4d2 Compare April 24, 2025 12:16

thentenaar had a problem deploying to scan-security April 24, 2025 12:16 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 58fe4d2 to 2f9579f Compare April 24, 2025 23:06

thentenaar force-pushed the tfvars branch from d5573f4 to 6a38ad3 Compare May 16, 2025 11:26

thentenaar had a problem deploying to scan-security May 16, 2025 11:26 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 6a38ad3 to 153c1e9 Compare May 16, 2025 18:06

thentenaar had a problem deploying to scan-security May 16, 2025 18:06 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 153c1e9 to 9d06539 Compare May 19, 2025 14:42

thentenaar had a problem deploying to scan-security May 19, 2025 14:42 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 9d06539 to ea49734 Compare May 19, 2025 18:30

thentenaar had a problem deploying to scan-security May 19, 2025 18:30 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from ea49734 to aa30278 Compare May 19, 2025 23:05

thentenaar had a problem deploying to scan-security May 19, 2025 23:05 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from aa30278 to 74e9007 Compare May 20, 2025 11:02

thentenaar had a problem deploying to scan-security May 20, 2025 11:02 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 74e9007 to 709ab51 Compare May 21, 2025 01:10

thentenaar had a problem deploying to scan-security May 21, 2025 01:10 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 709ab51 to 8d5b2ba Compare May 22, 2025 15:33

thentenaar had a problem deploying to scan-security May 22, 2025 15:33 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 8d5b2ba to 5b7011b Compare May 23, 2025 04:06

thentenaar had a problem deploying to scan-security May 23, 2025 04:07 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from 5b7011b to bd6276a Compare May 27, 2025 15:47

thentenaar had a problem deploying to scan-security May 27, 2025 15:47 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from bd6276a to cf80f49 Compare May 28, 2025 00:43

thentenaar had a problem deploying to scan-security May 28, 2025 00:43 — with GitHub Actions Failure

thentenaar force-pushed the tfvars branch from cf80f49 to 96ebeb2 Compare May 31, 2025 06:46

thentenaar temporarily deployed to scan-security May 31, 2025 06:46 — with GitHub Actions Inactive

lirshindalman approved these changes Jun 5, 2025

View reviewed changes

omriyoffe-panw approved these changes Jun 5, 2025

View reviewed changes

lirshindalman merged commit 10d12c9 into bridgecrewio:main Jun 5, 2025
46 checks passed

thentenaar deleted the tfvars branch June 5, 2025 11:35

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(terraform): Handle explicitly-specified tfvars explicitly #7107

fix(terraform): Handle explicitly-specified tfvars explicitly #7107

Uh oh!

thentenaar commented Apr 15, 2025 •

edited

Loading

Uh oh!

omriyoffe-panw left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gruebel left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

fix(terraform): Handle explicitly-specified tfvars explicitly #7107

fix(terraform): Handle explicitly-specified tfvars explicitly #7107

Uh oh!

Conversation

thentenaar commented Apr 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Checklist:

Uh oh!

omriyoffe-panw left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

gruebel left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

thentenaar commented Apr 15, 2025 •

edited

Loading