
fix(terraform): panic when referring to a resource instance with a non-existent var #4983

Status: Closed
nikpivkin opened this issue Aug 12, 2023 · 0 comments
Labels: kind/bug (Categorizes issue or PR as related to a bug), scan/misconfiguration (Issues relating to misconfiguration scanning)

Comments

@nikpivkin (Contributor):

Source: https://github.com/aquasecurity/tfsec/issues/1926

If the meta-argument for_each is passed a list where one of the elements refers to a non-existent variable, and one of the resources has a reference to an instance of the resource using each.value, then this causes a panic.

modules/gcs/main.tf

```hcl
resource "google_storage_bucket" "buckets" {
  name = "test"
}

resource "google_storage_bucket_iam_binding" "admins" {
  for_each = toset(var.names)
  bucket   = google_storage_bucket.buckets[each.value].name # <- cause
}

variable "names" {
  type = list(string)
}
```

main.tf

```hcl
module "name" {
  source = "./modules/gcs"

  names = ["${var.non-existent-var}-test"]
}
```

Output:

trivy config test -d
2023-08-12T22:38:35.029+0700    DEBUG   Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2023-08-12T22:38:35.039+0700    DEBUG   cache dir:  /Users/tososomaru/Library/Caches/trivy
2023-08-12T22:38:35.039+0700    DEBUG   Module dir: /Users/tososomaru/.trivy/modules
2023-08-12T22:38:35.039+0700    INFO    Misconfiguration scanning is enabled
2023-08-12T22:38:35.040+0700    DEBUG   Policies successfully loaded from disk
2023-08-12T22:38:35.060+0700    DEBUG   Walk the file tree rooted at 'test' in parallel
2023-08-12T22:38:35.061+0700    DEBUG   Scanning Terraform files for misconfigurations...
panic: value is unknown

goroutine 1 [running]:
github.com/zclconf/go-cty/cty.Value.AsString({{{0x10a3aad88?, 0x140000b48bd?}}, {0x1097e1100?, 0x10d5cbda0?}})
        /home/runner/go/pkg/mod/github.com/zclconf/[email protected]/cty/value_ops.go:1262 +0x108
github.com/aquasecurity/defsec/pkg/terraform.Reference.Key({{{0x107c248a5, 0x8}, {0x0, 0x0}, 0x1}, {0x14000a291e8, 0x15}, {0x14003a29000, 0x7}, {0x0, ...}, ...})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/terraform/reference.go:164 +0xa8
github.com/aquasecurity/defsec/pkg/terraform.Reference.RefersTo({{{0x107c248a5, 0x8}, {0x0, 0x0}, 0x1}, {0x14000a291e8, 0x15}, {0x14003a29000, 0x7}, {0x0, ...}, ...}, ...)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/terraform/reference.go:129 +0x21c
github.com/aquasecurity/defsec/pkg/terraform.(*Module).GetReferencedBlock(0x14001dd9bc0, 0x140005f4dc0, 0x14000a55500)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/terraform/module.go:122 +0x224
github.com/aquasecurity/defsec/pkg/terraform.Modules.GetReferencedBlock({0x140022b7140, 0x2, 0x5?}, 0x8?, 0x14000a55500)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/terraform/modules.go:49 +0x78
github.com/aquasecurity/defsec/internal/adapters/terraform/google/storage.(*adapter).adaptBindings(0x14001e3fdc0)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/google/storage/iam.go:64 +0x498
github.com/aquasecurity/defsec/internal/adapters/terraform/google/storage.(*adapter).adaptBuckets(0x14001e3fdc0)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/google/storage/adapt.go:29 +0x128
github.com/aquasecurity/defsec/internal/adapters/terraform/google/storage.Adapt(...)
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/google/storage/adapt.go:11
github.com/aquasecurity/defsec/internal/adapters/terraform/google.Adapt({_, _, _})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/google/adapt.go:25 +0x200
github.com/aquasecurity/defsec/internal/adapters/terraform.Adapt({0x140022b7140, 0x2, 0x2})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/internal/adapters/terraform/adapt.go:25 +0x170
github.com/aquasecurity/defsec/pkg/scanners/terraform/executor.(*Executor).Execute(0x140022ba000, {0x140022b7140?, 0x2, 0x2})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/executor/executor.go:96 +0xd4
github.com/aquasecurity/defsec/pkg/scanners/terraform.(*Scanner).ScanFSWithMetrics(0x14000d38b40, {0x10a3a69f0, 0x140009c4840}, {0x10a303ee0?, 0x14000634060?}, {0x107c024e2, 0x1})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/scanner.go:223 +0x604
github.com/aquasecurity/defsec/pkg/scanners/terraform.(*Scanner).ScanFS(0x1400000e7c8?, {0x10a3a69f0?, 0x140009c4840?}, {0x10a303ee0?, 0x14000634060?}, {0x107c024e2?, 0x1?})
        /home/runner/go/pkg/mod/github.com/aquasecurity/[email protected]/pkg/scanners/terraform/scanner.go:151 +0x34
github.com/aquasecurity/trivy/pkg/misconf.(*Scanner).Scan(0x14001267260, {0x10a3a69f0, 0x140009c4840}, {0x10a303ee0?, 0x14001cf61e0?})
        /home/runner/work/trivy/trivy/pkg/misconf/scanner.go:144 +0x140
github.com/aquasecurity/trivy/pkg/fanal/analyzer/config.(*Analyzer).PostAnalyze(0x14000e95300, {0x10a3a69f0?, 0x140009c4840?}, {{0x10a303ee0?, 0x14001cf61e0?}, {0x0?, 0x0?}})
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/config/config.go:45 +0x38
github.com/aquasecurity/trivy/pkg/fanal/analyzer.AnalyzerGroup.PostAnalyze({{0x1400016e580, 0x3, 0x4}, {0x14001afcb80, 0x8, 0x8}, 0x14000f30a20}, {0x10a3a69f0, 0x140009c4840}, 0x14001df4460, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/analyzer/analyzer.go:488 +0x168
github.com/aquasecurity/trivy/pkg/fanal/artifact/local.Artifact.Inspect({{0x16d58f22d, 0x4}, {0x136b1a920, 0x14000f4ab30}, {{{0x0, 0x0, 0x0}, {0x14001d9f2c0, 0x3, 0x4}, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/fanal/artifact/local/fs.go:171 +0x430
github.com/aquasecurity/trivy/pkg/scanner.Scanner.ScanArtifact({{_, _}, {_, _}}, {_, _}, {{0x0, 0x0, 0x0}, {0x14000f4aa60, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/scanner/scan.go:145 +0x98
github.com/aquasecurity/trivy/pkg/commands/artifact.scan({_, _}, {{{0x107c3b69f, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x140017cf1a0, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:685 +0x298
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanArtifact(_, {_, _}, {{{0x107c3b69f, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:266 +0x94
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).scanFS(_, {_, _}, {{{0x107c3b69f, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:214 +0x98
github.com/aquasecurity/trivy/pkg/commands/artifact.(*runner).ScanFilesystem(_, {_, _}, {{{0x107c3b69f, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, ...}, ...})
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:194 +0x1c0
github.com/aquasecurity/trivy/pkg/commands/artifact.Run({_, _}, {{{0x107c3b69f, 0xa}, 0x0, 0x0, 0x1, 0x0, 0x45d964b800, {0x140017cf1a0, ...}, ...}, ...}, ...)
        /home/runner/work/trivy/trivy/pkg/commands/artifact/run.go:429 +0x3ac
github.com/aquasecurity/trivy/pkg/commands.NewConfigCommand.func2(0x140003d1200, {0x14000dcd480, 0x1, 0x2})
        /home/runner/work/trivy/trivy/pkg/commands/app.go:683 +0x28c
github.com/spf13/cobra.(*Command).execute(0x140003d1200, {0x14000dcd460, 0x2, 0x2})
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:940 +0x5c8
github.com/spf13/cobra.(*Command).ExecuteC(0x140003d0600)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:1068 +0x35c
github.com/spf13/cobra.(*Command).Execute(...)
        /home/runner/go/pkg/mod/github.com/spf13/[email protected]/command.go:992
main.run()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:39 +0x164
main.main()
        /home/runner/work/trivy/trivy/cmd/trivy/main.go:21 +0x1c
@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Aug 12, 2023
@nikpivkin nikpivkin self-assigned this Aug 12, 2023
@simar7 simar7 added this to the v0.45.0 milestone Aug 14, 2023
@simar7 simar7 closed this as completed Aug 30, 2023
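To make the failure mode in the trace concrete (cty.Value.AsString panicking on an unknown value reached through Reference.Key) and to show the defensive check a reference resolver needs, here is an added Go example. It is not trivy or defsec code and it does not import go-cty: Value, Template, Reference and Module are constructed stand-ins for the real types, written so the block runs with the standard library alone. The stand-in AsString deliberately panics on unknown values, mirroring cty; SafeKey and GetReferencedBlock show the hardened path, where an unknown index is reported as an unresolvable reference instead of crashing the scan.

```go
package main

import "fmt"

// Value is a constructed stand-in for cty.Value: either a known string or
// "unknown", which is what an undeclared variable such as var.non-existent-var
// evaluates to during a static scan.
type Value struct {
	known bool
	str   string
}

func Known(s string) Value   { return Value{known: true, str: s} }
func Unknown() Value         { return Value{} }
func (v Value) IsKnown() bool { return v.known }

// AsString mirrors cty.Value.AsString: calling it on an unknown value panics
// with "value is unknown", the exact panic in the issue's stack trace.
func (v Value) AsString() string {
	if !v.known {
		panic("value is unknown")
	}
	return v.str
}

// Template models an interpolation like "${var.x}-test": if any part is
// unknown the whole string is unknown, so the taint reaches each.value.
func Template(parts ...Value) Value {
	var out string
	for _, p := range parts {
		if !p.IsKnown() {
			return Unknown()
		}
		out += p.str
	}
	return Known(out)
}

// Reference models google_storage_bucket.buckets[each.value] as type, name
// and an index value that may be unknown.
type Reference struct {
	Type, Name string
	Key        Value
}

// UnsafeKey reproduces the pre-fix behaviour: AsString on whatever the key is.
func (r Reference) UnsafeKey() string { return r.Key.AsString() }

// SafeKey is the hardened form: check IsKnown before AsString and report
// "no usable key" rather than panicking.
func (r Reference) SafeKey() (string, bool) {
	if !r.Key.IsKnown() {
		return "", false
	}
	return r.Key.AsString(), true
}

// Module is a toy index of resource instances: "type.name" -> key -> instance id.
type Module map[string]map[string]string

// GetReferencedBlock resolves a reference; an unknown index is an error,
// not a crash, so the scanner can skip the finding and keep going.
func (m Module) GetReferencedBlock(r Reference) (string, error) {
	key, ok := r.SafeKey()
	if !ok {
		return "", fmt.Errorf("reference %s.%s has an unknown index; cannot resolve", r.Type, r.Name)
	}
	inst, found := m[r.Type+"."+r.Name][key]
	if !found {
		return "", fmt.Errorf("no instance %s.%s[%q]", r.Type, r.Name, key)
	}
	return inst, nil
}

// ResolveUnsafe runs the pre-fix lookup and converts the panic into a flag
// so the two behaviours can be compared side by side.
func ResolveUnsafe(m Module, r Reference) (inst string, panicked bool) {
	defer func() {
		if rec := recover(); rec != nil {
			panicked = true
		}
	}()
	inst = m[r.Type+"."+r.Name][r.UnsafeKey()]
	return inst, false
}

func main() {
	buckets := Module{"google_storage_bucket.buckets": {"test": "bucket-test"}}
	// names = ["${var.non-existent-var}-test"]: the element is unknown.
	tainted := Reference{Type: "google_storage_bucket", Name: "buckets", Key: Template(Unknown(), Known("-test"))}
	_, panicked := ResolveUnsafe(buckets, tainted)
	fmt.Println("pre-fix lookup panicked:", panicked)
	_, err := buckets.GetReferencedBlock(tainted)
	fmt.Println("hardened lookup:", err)
}
```

The check belongs at the point where an index value is first turned into a string; every caller above it (RefersTo, GetReferencedBlock, the adapters) then sees a "not found" result it already knows how to handle.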