Terraform variables support

Summary
Support for Terraform (TF) variables is currently available only in the CLI.
Snyk currently supports:
​Input Variables​
​Local Values​
At this time Snyk does not support Output Values.
The CLI scans all of your directories and handles each directory that includes supported TF files as it own module. Each module that includes variables is dereferenced appropriately.
Supported TF file formats are .tf, .tfvars,.auto.tfvars.
Snyk currently does not support variables that were set/defined using environment variables or the
--var command.
The scan handles variable definition precedence in the same way that TF handles the precedence.
Loading a variable definitions file outside of the scanned directory
There is also the option to load an external variable definitions file by using the --var-file flag, for example:
snyk iac test myproject/staging/networking --var-file=myproject/vars.tf
This loads the vars.tf definitions file from the myproject directory, dereferences any variables if they exist, and applies them to the context of the scanned path (myproject/staging/networking).
For more information, refer to the IAC test help.
Supported expressions
The following expressions are currently supported:
​Arithmetic and Logical Operators​
​Strings and Templates​
​Conditional Expressions​
​For Expressions​
​Splat Expressions​
Supported functions
The following functions are currently supported:
Numeric Functions - all functions
String Functions - all functions except lower, regex, regexall, replace, substr, title, upper
Collection Functions - chunklist, concat, distinct, flatten, length, merge, reverse, sort
Encoding Functions - csvdecode, jsondecode, jsonencode
Date and Time Functions - formatdate, timeadd
Examples
Variable handling in the correct precedence
In the example below we can see that we configured a new resource and we are using a variable named remote_user_addr to set its cidr_blocks value.
The variable is defined inside the variables.tf file with a default value but the value is being overridden inside the terraform.tfvars file.
At the end the value is set to 0.0.0.0/0 and this causes the CLI to raise an issue.
vpc.tf
​
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.remote_user_addr]
  security_group_id = aws_security_group.allow.id
}
variables.tf
​
variable "remote_user_addr" {
  type = string
  default = "11.0.0.0/24"
}
terraform.tfvars
​
remote_user_addr = "0.0.0.0/0"
Conditional expression using variables
In the following example we are using local and input variables together with conditional expression.
We are checking to see if local.test equals 0 and we are setting the cidr_blocks accordingly.
In our case local.test equals to 0 and the value is set to the value of var.remote_user_addr which causes the CLI to raise an issue.
vpc.tf
​
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = local.test == 0 ? [var.remote_user_addr] : ["11.0.0.0/24"]
  security_group_id = aws_security_group.allow.id
}
​
locals {
  test = 0
}
variables.tf
​
variable "remote_user_addr" {
  type = string
  default = "0.0.0.0/0"
}

Scan and fix security issues in Terraform files

Terraform AWS Provider Support

Last modified 3mo ago

Export as PDF

Copy link

Edit on GitHub

On this page

Summary

Supported expressions

Supported functions

Examples