Parsing an input file
It can be difficult to understand the internal representation of your input files as you write your Rego code. As we will see when we learn how to write a rule, the input value is a JSON-like object but the input files could also be YAML, Terraform, or Terraform Plan JSON Output. To help understand how these are translated into JSON we have provided a parse command.
You will need an IaC file to use as an input file. This input file can also be used when testing the rules, where we parse your files into JSON by default.

Parsing Terraform files

Take, for example, the following Terraform file:
example.tf

```hcl
resource "aws_redshift_cluster" "example" {
  cluster_identifier = "tf-redshift-cluster"
  database_name      = "mydb"
  master_username    = "foo"
  master_password    = "Mustbe8characters"
  node_type          = "dc1.large"
  cluster_type       = "single-node"
}
```
To get the equivalent JSON format, run the parse command:
```shell
snyk-iac-rules parse example.tf --format hcl2
```
This prints out the JSON, which you can use as guidance for writing your rules:
```json
{
  "resource": {
    "aws_redshift_cluster": {
      "example": {
        "cluster_identifier": "tf-redshift-cluster",
        "cluster_type": "single-node",
        "database_name": "mydb",
        "master_password": "Mustbe8characters",
        "master_username": "foo",
        "node_type": "dc1.large"
      }
    }
  }
}
```
In Rego, accessing the node_type field would look like:
```rego
input.resource.aws_redshift_cluster.example.node_type
```
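The access path above names the instance `example` explicitly. A rule written against the parse output would normally iterate over every instance of the resource type instead. The following Rego is an added example, not code from this page or from the snyk-iac-rules project: it flags any aws_redshift_cluster whose master_password is written as a literal in the configuration, which is what the example.tf above does. The keys of the deny message (publicId, title, severity, msg, issue, impact, remediation, references) follow the shape I assume the snyk-iac-rules rule template uses, the `CUSTOM-...` publicId is a placeholder, and the check that a value starting with `${` is an unresolved reference is an assumption about how the parser renders references.

```rego
package rules

# Added example: flag Redshift clusters whose master_password is a literal
# in the configuration rather than a reference to a variable or secret.
deny[msg] {
	# `name` is unbound here, so this iterates over every instance of the
	# resource type (the page's file has one instance, named "example").
	cluster := input.resource.aws_redshift_cluster[name]
	hardcoded_password(cluster)
	msg := {
		"publicId": "CUSTOM-REDSHIFT-1", # placeholder id, not a real Snyk rule id
		"title": "Redshift master password is hardcoded",
		"severity": "high",
		"msg": sprintf("input.resource.aws_redshift_cluster[%s].master_password", [name]),
		"issue": "The master password is stored as plain text in the Terraform configuration",
		"impact": "Anyone with read access to the repository or the state file can log in to the cluster",
		"remediation": "Supply the password through a sensitive variable or a secrets manager reference",
		"references": [],
	}
}

# True when master_password is present and is a literal string.
# Assumption: the parser renders unresolved references such as
# var.password as strings of the form "${...}", which are not flagged.
hardcoded_password(cluster) {
	is_string(cluster.master_password)
	not startswith(cluster.master_password, "${")
}
```

Because `name` is a variable rather than the literal `example`, the same rule covers a file with several clusters, and the `msg` field reports the exact path of each offending attribute in the parsed JSON.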

Parsing YAML files

Another example is the following YAML file, defining a Kubernetes resource:
example.yaml
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example
spec:
  containers:
    - name: example
      image: example:latest
      securityContext:
        privileged: true
```
To get the equivalent JSON format, run the parse command:
```shell
snyk-iac-rules parse example.yaml --format=yaml
```
This prints out the JSON, which you can use as guidance for writing your rules:
```json
{
  "apiVersion": "v1",
  "kind": "Pod",
  "metadata": {
    "name": "example"
  },
  "spec": {
    "containers": [
      {
        "image": "example:latest",
        "name": "example",
        "securityContext": {
          "privileged": true
        }
      }
    ]
  }
}
```
In Rego, accessing the privileged field would look like:
```rego
input.spec.containers[0].securityContext.privileged
```
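The path above reaches only the first container. A rule should visit every element of the array, and a container without a securityContext must not break it. The Rego below is an added example, not code from this page or from the snyk-iac-rules project. It flags `privileged: true` on any container of the Pod shown above and, going beyond the page's example, on workload kinds such as Deployment, StatefulSet and DaemonSet, which nest the pod spec under spec.template.spec. The deny message keys follow the shape I assume the snyk-iac-rules template uses and the `CUSTOM-...` publicId is a placeholder.

```rego
package rules

# Added example: flag any container whose securityContext sets privileged: true.

# Bare Pod: containers live under spec.containers.
deny[msg] {
	# `i` is unbound, so every element of the containers array is visited.
	container := input.spec.containers[i]
	privileged(container)
	msg := violation(sprintf("input.spec.containers[%d].securityContext.privileged", [i]))
}

# Deployment, StatefulSet, DaemonSet, Job: the pod template is nested one level deeper.
deny[msg] {
	container := input.spec.template.spec.containers[i]
	privileged(container)
	msg := violation(sprintf("input.spec.template.spec.containers[%d].securityContext.privileged", [i]))
}

# A container with no securityContext (or no privileged key) leaves this
# expression undefined, so the calling rule simply does not fire; no
# explicit null check is needed.
privileged(container) {
	container.securityContext.privileged == true
}

# Builds the deny message for a given attribute path in the parsed JSON.
violation(path) = msg {
	msg := {
		"publicId": "CUSTOM-K8S-1", # placeholder id, not a real Snyk rule id
		"title": "Container runs in privileged mode",
		"severity": "high",
		"msg": path,
		"issue": "The container is granted all capabilities of the host kernel",
		"impact": "A compromise of the container is effectively a compromise of the node",
		"remediation": "Remove privileged: true and grant only the specific capabilities the workload needs",
		"references": [],
	}
}
```

Running the page's example.yaml through these rules yields one violation whose `msg` is `input.spec.containers[0].securityContext.privileged`, the same path the page shows; a second container without a securityContext would be skipped silently because `privileged` is undefined for it.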

Parsing Terraform Plan JSON Output files

Another example is the following Terraform Plan JSON Output file, returned by the terraform show -json ./plan/example.json.tfplan command:
example.json.tfplan
```json
{
  "format_version": "0.2",
  "terraform_version": "1.0.11",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_vpc.example",
          "mode": "managed",
          "type": "aws_vpc",
          "name": "example",
          "provider_name": "registry.terraform.io/hashicorp/aws",
          "schema_version": 1,
          "values": {
            "assign_generated_ipv6_cidr_block": false,
            "cidr_block": "10.0.0.0/16",
            "enable_dns_support": true,
            "instance_tenancy": "default",
            "tags": null
          },
          "sensitive_values": {
            "tags_all": {}
          }
        }
      ]
    }
  },
  "resource_changes": [
    {
      "address": "aws_vpc.example",
      "mode": "managed",
      "type": "aws_vpc",
      "name": "example",
      "provider_name": "registry.terraform.io/hashicorp/aws",
      "change": {
        "actions": [
          "create"
        ],
        "before": null,
        "after": {
          "assign_generated_ipv6_cidr_block": false,
          "cidr_block": "10.0.0.0/16",
          "enable_dns_support": true,
          "instance_tenancy": "default",
          "tags": null
        },
        "after_unknown": {
          "arn": true,
          "default_network_acl_id": true,
          "default_route_table_id": true,
          "default_security_group_id": true,
          "dhcp_options_id": true,
          "enable_classiclink": true,
          "enable_classiclink_dns_support": true,
          "enable_dns_hostnames": true,
          "id": true,
          "ipv6_association_id": true,
          "ipv6_cidr_block": true,
          "main_route_table_id": true,
          "owner_id": true,
          "tags_all": true
        },
        "before_sensitive": false,
        "after_sensitive": {
          "tags_all": {}
        }
      }
    }
  ],
  "configuration": {
    "provider_config": {
      "aws": {
        "name": "aws",
        "expressions": {
          "region": {
            "constant_value": "us-east-1"
          }
        }
      }
    },
    "root_module": {
      "resources": [
        {
          "address": "aws_vpc.example",
          "mode": "managed",
          "type": "aws_vpc",
          "name": "example",
          "provider_config_key": "aws",
          "expressions": {
            "cidr_block": {
              "constant_value": "10.0.0.0/16"
            }
          },
          "schema_version": 1
        }
      ]
    }
  }
}
```
To get the equivalent JSON format, run the parse command:
```shell
snyk-iac-rules parse example.json.tfplan --format=tf-plan
```
This prints out the JSON, which you can use as guidance for writing your rules:
```json
{
  "data": {},
  "resource": {
    "aws_vpc": {
      "example": {
        "assign_generated_ipv6_cidr_block": false,
        "cidr_block": "10.0.0.0/16",
        "enable_dns_support": true,
        "instance_tenancy": "default",
        "tags": null
      }
    }
  }
}
```
In Rego, accessing the tags field would look like:
```rego
input.resource.aws_vpc.example.tags
```
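In the parsed plan above the tags field is present but null, and in other inputs it may be absent altogether; a rule that requires tags has to treat both cases the same way. The Rego below is an added example, not code from this page or from the snyk-iac-rules project: it denies any aws_vpc that carries no tags, using negation over a helper so that null and missing keys are both caught. The deny message keys follow the shape I assume the snyk-iac-rules template uses and the `CUSTOM-...` publicId is a placeholder.

```rego
package rules

# Added example: require every aws_vpc in the parsed plan to carry at least
# one tag. The plan on this page has "tags": null and so is flagged.
deny[msg] {
	vpc := input.resource.aws_vpc[name]
	not has_tags(vpc)
	msg := {
		"publicId": "CUSTOM-VPC-1", # placeholder id, not a real Snyk rule id
		"title": "VPC has no tags",
		"severity": "low",
		"msg": sprintf("input.resource.aws_vpc[%s].tags", [name]),
		"issue": "The VPC is created without any tags",
		"impact": "Untagged resources are hard to attribute, cost-allocate and clean up",
		"remediation": "Add at least an owner or environment tag to the resource",
		"references": [],
	}
}

# True only when tags is a non-empty object.
# - key missing: vpc.tags is undefined, so the body is undefined
# - key null:    the comparison below is false
# In both cases has_tags is false, `not` flips it, and the deny rule fires.
# Writing `vpc.tags == null` directly in the deny rule would miss the
# missing-key case, because an undefined reference never compares equal.
has_tags(vpc) {
	vpc.tags != null
	count(vpc.tags) > 0
}
```

The ordering inside `has_tags` matters: the null check comes first so that `count` is never evaluated on a null value.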