When running on Terraform Enterprise v202010-2, one of my institution’s Sentinel policies failed with this error:
An error occurred: 1 error occurred:
* ./check-subnetwork-log-config.sentinel:25:39: error retrieving key "module.resources": cannot find schema for "diff". This is a serious error, please contact technical support
The Sentinel policy in question looks like this:
// check-subnetwork-log-config.sentinel
import "tfplan"
get_resources = func(type) {
if length(tfplan.module_paths else []) > 0 {
return get_resources_all_modules(type)
} else {
return get_resources_root_only(type)
}
}
get_resources_root_only = func(type) {
resources = []
named_and_counted_resources = tfplan.resources[type] else {}
for named_and_counted_resources as _, instances {
for instances as _, body {
append(resources, body)
}
}
return resources
}
get_resources_all_modules = func(type) {
resources = []
for tfplan.module_paths as path {
print(tfplan.module(path))
named_and_counted_resources = tfplan.module(path).resources[type] else {}
for named_and_counted_resources as _, instances {
for instances as _, body {
append(resources, body)
}
}
}
return resources
}
subnetworks = filter get_resources("google_compute_subnetwork") as s { "applied" in keys(s)}
check_logging = rule {
all subnetworks as n {
n.applied.log_config != []
}
}
main = rule {
(check_logging) else true
}
… and line 25 seems to be pointing to:
get_resources_all_modules = func(type) {
resources = []
for tfplan.module_paths as path {
=====> named_and_counted_resources = tfplan.module(path).resources[type] else {} <==== THIS LINE
for named_and_counted_resources as _, instances {
for instances as _, body {
append(resources, body)
}
}
}
return resources
}
When I download and view the mock data ( mock-tfplan.sentinel
), it seems like Sentinel doesn’t like diff
block:
_modules = {
"root": {
"data": {},
"path": [],
"resources": {
"google_project_service_identity": {
"dataflow": {
0: {
"applied": {
"project": "<SOME_PROJECT_ID>",
"service": "dataflow.googleapis.com",
"timeouts": null,
},
"destroy": false,
"diff": {
"email": {
"computed": true,
"new": "",
"old": "",
},
"id": {
"computed": true,
"new": "",
"old": "",
},
"project": {
"computed": false,
"new": "<SOME_PROJECT_ID>",
"old": "",
},
"service": {
"computed": false,
"new": "dataflow.googleapis.com",
"old": "",
},
"timeouts": {
"computed": false,
"new": "",
"old": "",
},
},
"requires_new": false,
},
},
},
},
},
...
}
Is this a known bug? If yes, is this fixed in the later releases?
Thank you.