fix(misconf): do not erase variable type for child modules (#7941)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-23 15:37:50 -08:00 · 2024-11-23 01:25:54 +06:00
parent 5448ba2a5c
commit de3b7ea24c
3 changed files with 80 additions and 3 deletions
--- a/pkg/iac/scanners/terraform/parser/evaluator.go
+++ b/pkg/iac/scanners/terraform/parser/evaluator.go
@@ -471,7 +471,7 @@ func (e *evaluator) evaluateVariable(b *terraform.Block) (cty.Value, error) {

 	var val cty.Value

-	if override, exists := e.inputVars[b.Label()]; exists {
+	if override, exists := e.inputVars[b.Label()]; exists && override.Type() != cty.NilType {
 		val = override
 	} else if def, exists := attributes["default"]; exists {
 		val = def.NullableValue()
--- a/pkg/iac/scanners/terraform/parser/parser_test.go
+++ b/pkg/iac/scanners/terraform/parser/parser_test.go
@@ -3,6 +3,7 @@ package parser
 import (
 	"bytes"
 	"context"
+	"io/fs"
 	"log/slog"
 	"os"
 	"path/filepath"
@@ -2008,3 +2009,79 @@ variable "baz" {}
 	assert.Contains(t, buf.String(), "Variable values was not found in the environment or variable files.")
 	assert.Contains(t, buf.String(), "variables=\"foo\"")
 }
+
+func Test_PassingNullToChildModule_DoesNotEraseType(t *testing.T) {
+	tests := []struct {
+		name string
+		fsys fs.FS
+	}{
+		{
+			name: "typed variable",
+			fsys: fstest.MapFS{
+				"main.tf": &fstest.MapFile{Data: []byte(`module "test" {
+  source   = "./modules/test"
+  test_var = null
+}`)},
+				"modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {
+  type    = number
+}
+
+resource "foo" "this" {
+  bar = var.test_var != null ? 1 : 2
+}`)},
+			},
+		},
+		{
+			name: "typed variable with default",
+			fsys: fstest.MapFS{
+				"main.tf": &fstest.MapFile{Data: []byte(`module "test" {
+  source   = "./modules/test"
+  test_var = null
+}`)},
+				"modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {
+  type    = number
+  default = null
+}
+
+resource "foo" "this" {
+  bar = var.test_var != null ? 1 : 2
+}`)},
+			},
+		},
+		{
+			name: "empty variable",
+			fsys: fstest.MapFS{
+				"main.tf": &fstest.MapFile{Data: []byte(`module "test" {
+  source   = "./modules/test"
+  test_var = null
+}`)},
+				"modules/test/main.tf": &fstest.MapFile{Data: []byte(`variable "test_var" {}
+
+resource "foo" "this" {
+  bar = var.test_var != null ? 1 : 2
+}`)},
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			parser := New(
+				tt.fsys, "",
+				OptionStopOnHCLError(true),
+			)
+			require.NoError(t, parser.ParseFS(context.TODO(), "."))
+
+			_, err := parser.Load(context.TODO())
+			require.NoError(t, err)
+
+			modules, _, err := parser.EvaluateAll(context.TODO())
+			require.NoError(t, err)
+
+			res := modules.GetResourcesByType("foo")[0]
+			attr := res.GetAttribute("bar")
+			val, _ := attr.Value().AsBigFloat().Int64()
+			assert.Equal(t, int64(2), val)
+		})
+	}
+}
--- a/pkg/iac/terraform/block.go
+++ b/pkg/iac/terraform/block.go
@@ -585,7 +585,7 @@ func (b *Block) Values() cty.Value {
 		if attribute.Name() == "for_each" {
 			continue
 		}
-		values[attribute.Name()] = attribute.Value()
+		values[attribute.Name()] = attribute.NullableValue()
 	}
 	return cty.ObjectVal(postProcessValues(b, values))
 }
@@ -643,7 +643,7 @@ func (b *Block) expandDynamic() ([]*Block, error) {
 	)

 	forEachVal.ForEachElement(func(key, val cty.Value) (stop bool) {
-		if val.IsNull() {
+		if val.IsNull() || !val.IsKnown() {
 			return
 		}