
Improve Readability of .containsNone Function Output in Terraform Checks #5246

Open

Description

@scottford-io

The .containsNone function in MQL is useful for ensuring that specific strings do not appear within an array. However, when used in Terraform checks, the output it returns upon failure is difficult to interpret due to excessive verbosity. Instead of providing a concise summary of which values failed the check, the function outputs the entire resource change structure, making it challenging to identify the offending values.

For example, when checking if a specific GCP API (parallelstore.googleapis.com) is not enabled in a Terraform plan file, the following query is used:

terraform.plan.resourceChanges.where( name == "enable_project_apis").all( change.after.triggers.apis.split(" ").containsNone(["parallelstore.googleapis.com"]))

If this check fails, the current output is a large and difficult-to-parse structure that includes all APIs enabled in the plan, rather than clearly highlighting the presence of the restricted API.

Expected Behavior

  • The output should clearly indicate which value(s) caused the failure.
  • Provide a concise and readable summary of the violation, rather than the entire resource change object.

Example:

[failed] containsNone check failed: Found restricted API(s): ["parallelstore.googleapis.com"]

Actual Behavior

  • The function outputs an extensive list of all APIs included in the Terraform plan.
  • Parsing through the response to find the violating API is cumbersome.
  • Unnecessary duplication of data makes debugging difficult.

Suggested Enhancement

  • Modify .containsNone to return only the violating elements instead of the entire list.
  • Provide a human-readable summary of the failure.
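To make the suggested enhancement concrete, the following Go program is an added example (it is not cnquery/cnspec code and does not implement MQL): it reads a constructed Terraform plan fragment, applies the same filter as the query above (resource changes named enable_project_apis, apis trigger split on whitespace) and, instead of echoing the whole resource change, returns only the restricted values that were present, rendered in the concise summary format proposed in the issue. The plan JSON, the resource addresses and the helper names CheckPlan, ContainsNoneViolations and Summarize are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Minimal subset of the `terraform show -json` plan that the MQL query in the
// issue reads: resource_changes[].name, the resource address, and
// change.after.triggers.apis (a space-separated string in the sample).
type Plan struct {
	ResourceChanges []ResourceChange `json:"resource_changes"`
}

type ResourceChange struct {
	Address string `json:"address"`
	Name    string `json:"name"`
	Change  struct {
		After struct {
			Triggers struct {
				APIs string `json:"apis"`
			} `json:"triggers"`
		} `json:"after"`
	} `json:"change"`
}

// Violation records one failing resource change and only the restricted
// values that were present in it.
type Violation struct {
	Address string
	Found   []string
}

// ContainsNoneViolations keeps the semantics of .containsNone(restricted): the
// check passes when the returned slice is empty. Instead of the whole input
// array it returns just the offending elements, in the order of restricted.
func ContainsNoneViolations(values, restricted []string) []string {
	present := make(map[string]struct{}, len(values))
	for _, v := range values {
		present[v] = struct{}{}
	}
	var found []string
	for _, r := range restricted {
		if _, ok := present[r]; ok {
			found = append(found, r)
		}
	}
	return found
}

// CheckPlan mirrors the query in the issue: filter resource changes by name,
// split the apis trigger on whitespace and run the containsNone test on each.
func CheckPlan(planJSON []byte, resourceName string, restricted []string) ([]Violation, error) {
	var p Plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan: %w", err)
	}
	var out []Violation
	for _, rc := range p.ResourceChanges {
		if rc.Name != resourceName {
			continue
		}
		// strings.Fields tolerates repeated spaces; a missing "after" (e.g. a
		// delete) yields no values and therefore no violation.
		apis := strings.Fields(rc.Change.After.Triggers.APIs)
		if found := ContainsNoneViolations(apis, restricted); len(found) > 0 {
			out = append(out, Violation{Address: rc.Address, Found: found})
		}
	}
	return out, nil
}

// Summarize renders one concise failure line per failing resource, in the
// style the issue asks for, rather than the entire resource change object.
func Summarize(vs []Violation) string {
	if len(vs) == 0 {
		return "[passed] containsNone check passed"
	}
	lines := make([]string, 0, len(vs))
	for _, v := range vs {
		quoted := make([]string, len(v.Found))
		for i, f := range v.Found {
			quoted[i] = strconv.Quote(f)
		}
		lines = append(lines, fmt.Sprintf("[failed] containsNone check failed: Found restricted API(s): [%s] in %s",
			strings.Join(quoted, ", "), v.Address))
	}
	return strings.Join(lines, "\n")
}

// SamplePlan is a constructed plan fragment (not output from the issue): one
// offending enable_project_apis resource, one clean one, and a resource with a
// different name that the where() filter must ignore.
const SamplePlan = `{"resource_changes": [
  {"address": "module.project_a.null_resource.enable_project_apis", "name": "enable_project_apis",
   "change": {"after": {"triggers": {"apis": "compute.googleapis.com parallelstore.googleapis.com storage.googleapis.com"}}}},
  {"address": "module.project_b.null_resource.enable_project_apis", "name": "enable_project_apis",
   "change": {"after": {"triggers": {"apis": "compute.googleapis.com  iam.googleapis.com"}}}},
  {"address": "module.project_c.null_resource.enable_other_apis", "name": "enable_other_apis",
   "change": {"after": {"triggers": {"apis": "parallelstore.googleapis.com"}}}}
]}`

func main() {
	vs, err := CheckPlan([]byte(SamplePlan), "enable_project_apis", []string{"parallelstore.googleapis.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println(Summarize(vs))
}
```

Running it prints a single failed line naming module.project_a and parallelstore.googleapis.com; the clean project_b resource and the differently named project_c resource produce no output, which is exactly the information a reviewer needs to act on the finding.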

Use Case:

This improvement will help security teams and infrastructure engineers quickly identify compliance violations without needing to sift through lengthy Terraform plan outputs.

References

Example failure output (current behavior) can be found in the original issue description above.

Impact: Improves usability and debugging efficiency when working with .containsNone in MQL queries.
