fix(terraform): resolve module output edges by identity, not path alone#7471
Open
pszypowicz wants to merge 3 commits into bridgecrewio:main from
Conversation
Author:
Why this works: The bug is in
The old second condition:
self.get_abspath(vertex.source_module_object.path) == self.get_abspath(module_node.path)
Only compared file paths. When modules
The fix: vertex.source_module_object == get_vertex_as_tf_module(module_node)
bcf546a to cb6c46e
When two module calls share the same source, _should_add_edge() matched output vertices by path only, causing edges to connect to the wrong module instance. This corrupted variable resolution for any third module referencing one of their outputs. Replace the loose path comparison with get_vertex_as_tf_module(), which matches on full module identity (name, path, nested modules). Fixes bridgecrewio#7470
…lution Add test_module_output_edge_with_same_source_siblings to verify that variable resolution works when two modules share the same source and a third module references one of their outputs. The test fixture uses a minimal reproduction: a variable-to-output module (mod_a) instantiated twice, with the alphabetically-first instance receiving the other's output, and a separate module (mod_c) whose explicitly-passed variable must resolve correctly.
cb6c46e to 8ad0421
Summary
_should_add_edge() to match output vertices by full module identity (get_vertex_as_tf_module()) instead of path only, preventing wrong edge connections when two module calls share the same source
Details
When two module calls share the same source (e.g., modules "a" and "b" both using ./mod_a), and a third module "c" references one of their outputs, the old path-only check in _should_add_edge() could connect the edge to the wrong module instance. This corrupted variable resolution for module "c", leaving var.* references unresolved and causing false positives (e.g., CKV_AZURE_35).
The fix is a one-line change replacing the loose path comparison with get_vertex_as_tf_module(module_node), which already exists in the codebase and compares the full module identity (name, path, nested modules).
Fixes #7470
Test plan
test_module_output_edge_with_same_source_siblings passes with the fix
'Deny' != 'var.default_action')
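A constructed Python model of the matching step this PR changes, added here as an illustration and not taken from checkov's code: two module calls share one source, and the path-only predicate returns both instances' output vertices while the identity predicate returns only the right one. TFModule, Vertex, as_tf_module and output_edge_targets are assumed names standing in for the real graph types.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed, simplified model of the edge-matching step this PR changes.
# TFModule, Vertex, as_tf_module and output_edge_targets are assumed names,
# not checkov's real API; the comparison logic mirrors the PR description.

@dataclass(frozen=True)
class TFModule:
    """Identity of one module instance: call name, source path, enclosing module."""
    name: str
    path: str
    nested: Optional["TFModule"] = None

@dataclass
class Vertex:
    block_type: str                    # "module" or "output"
    name: str                          # block label, e.g. "a" or "out"
    path: str                          # where the block was parsed from
    source_module: Optional[TFModule]  # instance the block belongs to (None at root)

def as_tf_module(module_node: Vertex) -> TFModule:
    """Identity of the instance a `module` block creates (stand-in for get_vertex_as_tf_module())."""
    return TFModule(module_node.name, module_node.path, module_node.source_module)

def path_only_match(vertex: Vertex, module_node: Vertex) -> bool:
    """Old check: source path only, so sibling calls of the same source collide."""
    return vertex.source_module is not None and vertex.source_module.path == module_node.path

def identity_match(vertex: Vertex, module_node: Vertex) -> bool:
    """Fixed check: the output must belong to exactly this module instance."""
    return vertex.source_module == as_tf_module(module_node)

def output_edge_targets(vertices: List[Vertex], module_node: Vertex, output_name: str,
                        match: Callable[[Vertex, Vertex], bool]) -> List[str]:
    """Names of the instances whose `output_name` vertex the edge would connect to."""
    return [v.source_module.name for v in vertices
            if v.block_type == "output" and v.name == output_name and match(v, module_node)]

# Constructed graph: module "a" and module "b" both use ./mod_a, which declares output "out".
MOD_A = Vertex("module", "a", "./mod_a", None)
MOD_B = Vertex("module", "b", "./mod_a", None)
VERTICES = [MOD_A, MOD_B,
            Vertex("output", "out", "./mod_a/main.tf", as_tf_module(MOD_A)),
            Vertex("output", "out", "./mod_a/main.tf", as_tf_module(MOD_B))]
```

With the old predicate an edge for module.b.out has two candidate targets and the first one found belongs to "a"; with the identity predicate only "b" qualifies.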