Terraform variables support
Summary
Support for Terraform (TF) variables is currently available only in the CLI.
Snyk currently supports:
At this time Snyk does not support Output Values.
The CLI scans all of your directories and handles each directory that includes supported TF files as its own module. Each module that includes variables is dereferenced appropriately.
Supported TF file formats are .tf, .tfvars, .auto.tfvars.
Snyk currently does not support variables that were set or defined using environment variables or the --var command-line flag.
The scan handles variable definition precedence in the same way that TF handles the precedence.
Loading a variable definitions file outside of the scanned directory
There is also the option to load an external variable definitions file by using the --var-file flag, for example:
snyk iac test myproject/staging/networking --var-file=myproject/vars.tf
This loads the vars.tf definitions file from the myproject directory, dereferences any variables if they exist, and applies them to the context of the scanned path (myproject/staging/networking).
For more information, refer to the IAC test help.
Supported expressions
The following expressions are currently supported:
Supported functions
The following functions are currently supported:
Numeric Functions - all functions
String Functions - all functions except lower, regex, regexall, replace, substr, title, upper
Collection Functions - chunklist, concat, distinct, flatten, length, merge, reverse, sort
Encoding Functions - csvdecode, jsondecode, jsonencode
Date and Time Functions - formatdate, timeadd
Examples
Variable handling in the correct precedence
In the example below we configure a new resource and use a variable named remote_user_addr to set its cidr_blocks value.
The variable is defined in the variables.tf file with a default value, but that value is overridden in the terraform.tfvars file.
The resulting value is 0.0.0.0/0, which causes the CLI to raise an issue.
vpc.tf
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = [var.remote_user_addr]
  security_group_id = aws_security_group.allow.id
}
variables.tf
variable "remote_user_addr" {
  type    = string
  default = "11.0.0.0/24"
}
terraform.tfvars
remote_user_addr = "0.0.0.0/0"
Conditional expression using variables
In the following example we use local and input variables together with a conditional expression.
We check whether local.test equals 0 and set cidr_blocks accordingly.
In our case local.test equals 0, so the value is set to the value of var.remote_user_addr, which causes the CLI to raise an issue.
vpc.tf
resource "aws_security_group_rule" "ssh" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = local.test == 0 ? [var.remote_user_addr] : ["11.0.0.0/24"]
  security_group_id = aws_security_group.allow.id
}

locals {
  test = 0
}
variables.tf
variable "remote_user_addr" {
  type    = string
  default = "0.0.0.0/0"
}
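Both examples above come down to the same two questions: which definition of remote_user_addr wins under Terraform's precedence rules, and whether the value that wins (after any conditional) leaves the ingress rule open to every address. The script below is an added illustration, not Snyk's code and not how the CLI is implemented. It models the precedence order Terraform documents (variable default, then terraform.tfvars, then *.auto.tfvars in lexical order, then --var-file in command-line order, later sources overriding earlier ones), reproduces the conditional from the second vpc.tf, and applies the check a scanner would make on the resolved cidr_blocks. The tfvars contents and file names are constructed for the example; the .tfvars parser only handles simple `name = "value"` lines.

```python
"""Added example (not Snyk's code): a small model of Terraform variable
precedence, used to show why the two vpc.tf examples produce a 0.0.0.0/0
ingress rule. All inputs below are constructed for illustration."""
import re
from ipaddress import ip_network

# Order in which Terraform applies variable sources; later entries override
# earlier ones. TF_VAR_ environment variables and --var are omitted because
# the page states the Snyk CLI does not read them.
PRECEDENCE = [
    "default",           # variable "x" { default = ... } in variables.tf
    "terraform.tfvars",  # auto-loaded from the module directory
    "*.auto.tfvars",     # auto-loaded, lexical order
    "--var-file",        # command-line order
]

# Matches only simple string assignments such as:  name = "value"
_ASSIGN = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')


def parse_tfvars(text):
    """Parse `name = "value"` lines from a .tfvars body; '#' starts a comment."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        m = _ASSIGN.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def resolve_variables(defaults, sources):
    """Resolve input variables by applying `sources` in precedence order.

    defaults: {name: default_value} as declared in variables.tf
    sources:  ordered list of (label, tfvars_text), lowest precedence first
    Returns {name: (value, label_of_winning_source)}.
    """
    resolved = {name: (value, "default") for name, value in defaults.items()}
    for label, text in sources:
        for name, value in parse_tfvars(text).items():
            if name not in resolved:
                # Terraform rejects values for variables that were never declared.
                raise KeyError(f"{label}: undeclared variable {name!r}")
            resolved[name] = (value, label)
    return resolved


def cidr_blocks_for_rule(var, local):
    """Mirror the conditional in the second vpc.tf example."""
    return [var["remote_user_addr"]] if local["test"] == 0 else ["11.0.0.0/24"]


def open_to_world(cidr_blocks):
    """True if any CIDR covers every address (0.0.0.0/0 or ::/0)."""
    return any(ip_network(c).prefixlen == 0 for c in cidr_blocks)


if __name__ == "__main__":
    # First example: default 11.0.0.0/24 is overridden by terraform.tfvars.
    defaults = {"remote_user_addr": "11.0.0.0/24"}
    sources = [("terraform.tfvars", 'remote_user_addr = "0.0.0.0/0"')]
    resolved = resolve_variables(defaults, sources)
    value, winner = resolved["remote_user_addr"]
    print(f"remote_user_addr = {value!r} (from {winner})")
    print("open to world:", open_to_world([value]))

    # Second example: the conditional selects var.remote_user_addr when
    # local.test == 0, and the variable default is already 0.0.0.0/0.
    var = {"remote_user_addr": "0.0.0.0/0"}
    blocks = cidr_blocks_for_rule(var, {"test": 0})
    print("cidr_blocks =", blocks, "open to world:", open_to_world(blocks))
```

Running the script shows the winning source next to the resolved value, which is the piece of information you want when a scanner flags a rule whose HCL looks safe: the finding is usually explained by a higher-precedence definition in a .tfvars, .auto.tfvars or --var-file file rather than by the resource block itself.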