fix(misconf): add missing variable as unknown (#8683)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/scanners/terraform/parser/evaluator.go

@@ -464,9 +464,6 @@ func (e *evaluator) evaluateVariable(b *terraform.Block) (cty.Value, error) {
 	}
 
 	attributes := b.Attributes()
-	if attributes == nil {
-		return cty.NilVal, errors.New("cannot resolve variable with no attributes")
-	}
 
 	var valType cty.Type
 	var defaults *typeexpr.Defaults

pkg/iac/scanners/terraform/parser/parser.go

@@ -269,14 +269,7 @@ func (p *Parser) Load(ctx context.Context) (*evaluator, error) {
 			return nil, err
 		}
 		p.logger.Debug("Added input variables from tfvars", log.Int("count", len(inputVars)))
-
-		if missingVars := missingVariableValues(blocks, inputVars); len(missingVars) > 0 {
-			p.logger.Warn(
-				"Variable values was not found in the environment or variable files. Evaluating may not work correctly.",
-				log.String("variables", strings.Join(missingVars, ", ")),
-			)
-			setNullMissingVariableValues(inputVars, missingVars)
-		}
+		p.setFallbackValuesForMissingVars(inputVars, blocks)
 	}
 
 	modulesMetadata, metadataPath, err := loadModuleMetadata(p.moduleFS, p.projectRoot)
@@ -314,25 +307,54 @@ func (p *Parser) Load(ctx context.Context) (*evaluator, error) {
 	), nil
 }
 
-func missingVariableValues(blocks terraform.Blocks, inputVars map[string]cty.Value) []string {
-	var missing []string
+func missingVariableValues(blocks terraform.Blocks, inputVars map[string]cty.Value) []*terraform.Block {
+	var missing []*terraform.Block
 	for _, varBlock := range blocks.OfType("variable") {
 		if varBlock.GetAttribute("default") == nil {
 			if _, ok := inputVars[varBlock.TypeLabel()]; !ok {
-				missing = append(missing, varBlock.TypeLabel())
+				missing = append(missing, varBlock)
 			}
 		}
 	}
 
 	return missing
 }
 
-// Set null values for missing variables, to allow expressions using them to be
+// Set fallback values for missing variables, to allow expressions using them to be
 // still be possibly evaluated to a value different than null.
-func setNullMissingVariableValues(inputVars map[string]cty.Value, missingVars []string) {
-	for _, missingVar := range missingVars {
-		inputVars[missingVar] = cty.NullVal(cty.DynamicPseudoType)
+func (p *Parser) setFallbackValuesForMissingVars(inputVars map[string]cty.Value, blocks []*terraform.Block) {
+	varBlocks := missingVariableValues(blocks, inputVars)
+	if len(varBlocks) == 0 {
+		return
+	}
+
+	missingVars := make([]string, 0, len(varBlocks))
+	for _, block := range varBlocks {
+		varType := inputVariableType(block)
+		if varType != cty.NilType {
+			inputVars[block.TypeLabel()] = cty.UnknownVal(varType)
+		} else {
+			inputVars[block.TypeLabel()] = cty.DynamicVal
+		}
+		missingVars = append(missingVars, block.TypeLabel())
+	}
+
+	p.logger.Warn(
+		"Variable values were not found in the environment or variable files. Evaluating may not work correctly.",
+		log.String("variables", strings.Join(missingVars, ", ")),
+	)
+}
+
+func inputVariableType(b *terraform.Block) cty.Type {
+	typeAttr, exists := b.Attributes()["type"]
+	if !exists {
+		return cty.NilType
+	}
+	ty, _, err := typeAttr.DecodeVarType()
+	if err != nil {
+		return cty.NilType
 	}
+	return ty
 }
 
 func (p *Parser) EvaluateAll(ctx context.Context) (terraform.Modules, cty.Value, error) {

pkg/iac/scanners/terraform/parser/parser_test.go

@@ -2042,7 +2042,7 @@ resource "test" "values" {
 
 	s_attr := resources[0].GetAttribute("s")
 	require.NotNil(t, s_attr)
-	assert.Equal(t, "foo-", s_attr.GetRawValue())
+	assert.Equal(t, "foo-", s_attr.Value().Range().StringPrefix())
 
 	for _, name := range []string{"l1", "l2", "d1", "d2"} {
 		attr := resources[0].GetAttribute(name)
@@ -2224,7 +2224,7 @@ variable "baz" {}
 	_, err := parser.Load(t.Context())
 	require.NoError(t, err)
 
-	assert.Contains(t, buf.String(), "Variable values was not found in the environment or variable files.")
+	assert.Contains(t, buf.String(), "Variable values were not found in the environment or variable files.")
 	assert.Contains(t, buf.String(), "variables=\"foo\"")
 }
 
@@ -2454,3 +2454,29 @@ module "bar" {
 	_, _, err = parser.EvaluateAll(t.Context())
 	require.NoError(t, err)
 }
+
+func TestAttributeWithMissingVarIsUnresolvable(t *testing.T) {
+	fsys := fstest.MapFS{
+		"main.tf": &fstest.MapFile{Data: []byte(`variable "inp" {
+  type = string
+}
+
+resource "foo" "bar" {
+  attr = "${var.inp}-test"
+}
+`)},
+	}
+
+	parser := New(fsys, "", OptionStopOnHCLError(true))
+	require.NoError(t, parser.ParseFS(t.Context(), "."))
+
+	_, err := parser.Load(t.Context())
+	require.NoError(t, err)
+
+	modules, _, err := parser.EvaluateAll(t.Context())
+	require.NoError(t, err)
+	require.Len(t, modules, 1)
+	foo := modules[0].GetResourcesByType("foo")[0]
+	attr := foo.GetAttribute("attr")
+	assert.False(t, attr.IsResolvable())
+}

pkg/iac/terraform/attribute.go

@@ -286,7 +286,7 @@ func (a *Attribute) Value() (ctyVal cty.Value) {
 		}
 	}()
 	ctyVal, _ = a.hclAttribute.Expr.Value(a.ctx.Inner())
-	if !ctyVal.IsKnown() || ctyVal.IsNull() {
+	if ctyVal.IsNull() {
 		return cty.DynamicVal
 	}
 	return ctyVal

pkg/iac/terraform/presets.go

@@ -64,7 +64,7 @@ func postProcessValues(b *Block, input map[string]cty.Value) map[string]cty.Valu
 
 	if b.TypeLabel() == "aws_s3_bucket" {
 		var bucketName string
-		if bucket := input["bucket"]; bucket.Type().Equals(cty.String) {
+		if bucket := input["bucket"]; bucket.Type().Equals(cty.String) && bucket.IsKnown() {
 			bucketName = bucket.AsString()
 		}
 		input["arn"] = cty.StringVal(fmt.Sprintf("arn:aws:s3:::%s", bucketName))