Global variables in cnspec policies

[scottford-io]

I am trying to find a way to create global variables in cnspec policies. The example I am trying to write is around testing a Terraform module from the terraform registry:

terraform.modules.where( source == /registry.terraform.io\/terraform-aws-modules\/s3-bucket/ ) 

The above query works on its own in cnspec shell

cnspec> terraform.modules.where( source == /registry.terraform.io\/terraform-aws-modules\/s3-bucket/ ) { source version }
terraform.modules.where: [
  0: {
    source: "registry.terraform.io/terraform-aws-modules/s3-bucket/aws"
    version: "3.6.0"
  }
]

I need to write a bunch of checks against that module. I know I can create a variable in the query for each check like this:

s3_module = terraform.modules.where( source == /registry.terraform.io\/terraform-aws-modules\/s3-bucket/ ) 
s3_module.all( block { arguments['acl'] == "private" })

The problem is I need to define the variable s3_module for every individual control. Is there a way to define global variables?

i tried to use props but that did not seem to work either:

props:
  - uid: s3_module
    title: Define the max amount of days an IAM key is allowed to exist before rotation
    query: terraform.modules.where( source == /registry.terraform.io\/terraform-aws-modules\/s3-bucket/ )

When I ran cnspec bundle validate it did not pass the validation:

cnspec bundle validate mondoo-s3-security.mql.yaml
→ validate policy bundle file=mondoo-s3-security.mql.yaml
x could not compile the query error="failed to compile query '\ns3_module { block { arguments['ignore_public_acls'] == true } }\n': cannot find resource for identifier 's3_module'"
FTL could not validate policy bundle error="failed to validate query '//local.cnspec.io/run/local-execution/queries/mondoo-s3-terraform-hcl-security-check-s3-not-public': failed to compile query '\ns3_module { block { arguments['ignore_public_acls'] == true } }\n': cannot find resource for identifier 's3_module'\n"

[arlimus]

Love that you are raising this!!

There are 2 things to cover for global vars: (1) how to use them in policies and (2) how to use them in the shell. I'll mention a few upcoming things below, which are important for this question.

1: properties for policies

Policies have properties which serve as "global variables" across the policy. These properties can be static (like a number or a string) or they can be full-fledged MQL queries. This design allows us to overwrite their values at any chain of the evaluation. They essentially just chain queries together.

Properties are accessed via the props, so in your case you'd want to use it as props.s3_module. We did this to prevent conflicts in the global namespace (would be really annoying).

2: vars in shell

... is not yet supported, but on the way. The way we will add support is in 3 steps:

• support sticky variables, so that you can define something at the start and just use it later on
• support properties, so you can use them in the shell as well (best for copy and pasting during policy writing)
• pre-load properties from file (more optinoal, but nice to have)

3: outlook to v8

Properties are getting an update in v8, because they are tied to policies right now. The problem is that you can define queries with properties, but cannot use said queries without a policy, since properties are tied to policies. That's annoying.

In v8 we will refresh it so that properties and queries remain on their own and policies only reference them. This will make it easier to use them independent of policies.

Additionally there will be much more flexibility in overwriting values.