Improve Readability of .containsNone Function Output in Terraform Checks #5246

Open
scottford-io opened this issue Feb 20, 2025 · 0 comments · May be fixed by #5247
Labels: enhancement (New feature or request)

scottford-io (Contributor) commented Feb 20, 2025

The .containsNone function in MQL is useful for ensuring that specific strings do not appear within an array. However, when used in Terraform checks, the output it returns upon failure is difficult to interpret due to excessive verbosity. Instead of providing a concise summary of which values failed the check, the function outputs the entire resource change structure, making it challenging to identify the offending values.

For example, when checking if a specific GCP API (parallelstore.googleapis.com) is not enabled in a Terraform plan file, the following query is used:

terraform.plan.resourceChanges.where( name == "enable_project_apis").all( change.after.triggers.apis.split(" ").containsNone(["parallelstore.googleapis.com"]))

If this check fails, the current output is a large and difficult-to-parse structure that includes all APIs enabled in the plan, rather than clearly highlighting the presence of the restricted API.

Expected Behavior

  • The output should clearly indicate which value(s) caused the failure.
  • Provide a concise and readable summary of the violation, rather than the entire resource change object.

Example:

[failed] containsNone check failed: Found restricted API(s): ["parallelstore.googleapis.com"]

Actual Behavior

  • The function outputs an extensive list of all APIs included in the Terraform plan.
  • Parsing through the response to find the violating API is cumbersome.
  • Unnecessary duplication of data makes debugging difficult.

Suggested Enhancement

  • Modify .containsNone to return only the violating elements instead of the entire list.
  • Provide a human-readable summary of the failure.

Use Case:

This improvement will help security teams and infrastructure engineers quickly identify compliance violations without needing to sift through lengthy Terraform plan outputs.

References

Example failure output (current behavior) can be found in the original issue description above.

Impact: Improves usability and debugging efficiency when working with .containsNone in MQL queries.

@scottford-io scottford-io added the enhancement New feature or request label Feb 20, 2025
@arlimus arlimus linked a pull request Feb 20, 2025 that will close this issue
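The behaviour requested above, shown as an added example rather than anything from the cnquery/cnspec code base: a small Python script evaluates the same condition as the issue's MQL query over a constructed `terraform show -json` style plan (`resource_changes[].name` and `change.after.triggers.apis`, the two fields the query touches) and reports only the violating elements in the concise `[failed] ... Found restricted API(s): [...]` form the issue asks for. The sample plan, the `check_plan`/`contains_none_violations` helpers and the restricted-API list are all assumptions made for this illustration; the `after` block is also allowed to be `null`, as it is for destroyed resources.

```python
import json

# Constructed sample of a `terraform show -json` plan, trimmed to the fields
# the issue's query reads. Not taken from any real project.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "null_resource.enable_project_apis",
            "type": "null_resource",
            "name": "enable_project_apis",
            "change": {
                "actions": ["create"],
                "before": None,
                "after": {
                    "triggers": {
                        "apis": "compute.googleapis.com "
                                "parallelstore.googleapis.com "
                                "storage.googleapis.com"
                    }
                },
            },
        },
        {
            # A resource being destroyed: `after` is null and must not crash the check.
            "address": "null_resource.enable_project_apis_old",
            "type": "null_resource",
            "name": "enable_project_apis",
            "change": {"actions": ["delete"], "before": {"triggers": {}}, "after": None},
        },
        {
            "address": "google_project.main",
            "type": "google_project",
            "name": "main",
            "change": {"actions": ["no-op"], "before": {}, "after": {}},
        },
    ],
})

# Hypothetical deny-list; the issue uses this single API as its example.
RESTRICTED_APIS = ["parallelstore.googleapis.com"]


def contains_none_violations(values, restricted):
    """Return the elements of `values` that appear in `restricted`, in input
    order and without duplicates. An empty list means containsNone holds."""
    forbidden = set(restricted)
    found = []
    for v in values:
        if v in forbidden and v not in found:
            found.append(v)
    return found


def check_plan(plan_json, restricted):
    """Mirror the issue's query:
    resourceChanges.where(name == "enable_project_apis")
        .all(change.after.triggers.apis.split(" ").containsNone(restricted))
    Returns (passed, findings) where findings lists (address, violating_apis)."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("name") != "enable_project_apis":
            continue
        # `after` is null for deletions, so fall back to an empty mapping.
        after = (rc.get("change") or {}).get("after") or {}
        apis = ((after.get("triggers") or {}).get("apis") or "").split(" ")
        bad = contains_none_violations(apis, restricted)
        if bad:
            findings.append((rc["address"], bad))
    return (not findings, findings)


def format_result(passed, findings):
    """Render the concise summary the issue proposes instead of the full
    resource change object."""
    if passed:
        return "[passed] containsNone check passed"
    return "\n".join(
        f"[failed] containsNone check failed at {address}: "
        f"Found restricted API(s): {json.dumps(bad)}"
        for address, bad in findings
    )


if __name__ == "__main__":
    ok, hits = check_plan(SAMPLE_PLAN_JSON, RESTRICTED_APIS)
    print(format_result(ok, hits))
```

Running the script prints a single line naming the offending resource address and the one restricted API, which is the shape of output that makes a failed plan check actionable without scrolling through every enabled API.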