support child modules in the tfplan payload (#5422)

Checkmarx · Jun 6, 2022 · 8d06099 · 8d06099
1 parent 0be47c5
commit 8d06099
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 14 deletions.
diff --git a/...terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego b/...terraform/azure/default_azure_storage_account_network_access_is_too_permissive/query.rego
@@ -11,7 +11,7 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Expected 'default_action' to be set to 'Deny'",
 		"keyActualValue": "'default_action' is set to 'Allow'",
-		"searchLine": common_lib.build_search_line(["resources", "azurerm_storage_account", name, "network_rules", "default_action"], []),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account", name, "network_rules", "default_action"], []),
 	}
 }
 
@@ -24,6 +24,6 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "Expected 'default_action' to be set to 'Deny'",
 		"keyActualValue": "'default_action' is set to 'Allow'",
-		"searchLine": common_lib.build_search_line(["resources", "azurerm_storage_account_network_rules", name, "default_action"], []),
+		"searchLine": common_lib.build_search_line(["resource", "azurerm_storage_account_network_rules", name, "default_action"], []),
 	}
 }
diff --git a/assets/queries/terraform/general/name_is_not_snake_case/query.rego b/assets/queries/terraform/general/name_is_not_snake_case/query.rego
@@ -14,7 +14,7 @@ CxPolicy[result] {
 		"issueType": "IncorrectValue",
 		"keyExpectedValue": "All names should be on snake case pattern",
 		"keyActualValue": sprintf("'%s' is not in snake case", [name]),
-		"searchLine": common_lib.build_search_line(["resources", type, name], []),
+		"searchLine": common_lib.build_search_line(["resource", type, name], []),
 	}
 }
 

diff --git a/pkg/parser/json/tfplan.go b/pkg/parser/json/tfplan.go
@@ -40,13 +40,14 @@ func parseTFPlan(doc model.Document) (model.Document, error) {
 
 // readPlan will get the information needed and parse it in a way KICS understands it
 func readPlan(plan *hcl_plan.Plan) model.Document {
-	modRes := readModule(plan.PlannedValues.RootModule.Resources)
+	kp := KicsPlan{
+		Resource: make(map[string]KicsPlanResource),
+	}
+
+	kp.readModule(plan.PlannedValues.RootModule)
 
 	doc := model.Document{}
 
-	kp := KicsPlan{
-		Resource: modRes,
-	}
 	tmpDocBytes, err := json.Marshal(kp)
 	if err != nil {
 		return model.Document{}
@@ -60,16 +61,18 @@ func readPlan(plan *hcl_plan.Plan) model.Document {
 }
 
 // readModule will iterate over all planned_value getting the information required
-func readModule(resources []*hcl_plan.StateResource) map[string]KicsPlanResource {
-	convRes := make(map[string]KicsPlanResource)
+func (kp *KicsPlan) readModule(module *hcl_plan.StateModule) {
 	// initialize all the types interfaces
-	for _, resource := range resources {
+	for _, resource := range module.Resources {
 		convNamedRes := make(map[string]KicsPlanNamedResource)
-		convRes[resource.Type] = convNamedRes
+		kp.Resource[resource.Type] = convNamedRes
 	}
 	// fill in all the types interfaces
-	for _, resource := range resources {
-		convRes[resource.Type][resource.Name] = resource.AttributeValues
+	for _, resource := range module.Resources {
+		kp.Resource[resource.Type][resource.Name] = resource.AttributeValues
+	}
+
+	for _, childModule := range module.ChildModules {
+		kp.readModule(childModule)
 	}
-	return convRes
 }