Error retrieving key "module.resources": cannot find schema for "diff"

When running on Terraform Enterprise v202010-2, one of my institution’s Sentinel policies failed with this error:

An error occurred: 1 error occurred:
* ./check-subnetwork-log-config.sentinel:25:39: error retrieving key "module.resources": cannot find schema for "diff". This is a serious error, please contact technical support

The Sentinel policy in question looks like this:

// check-subnetwork-log-config.sentinel

import "tfplan"

get_resources = func(type) {
    if length(tfplan.module_paths else []) > 0 {
        return get_resources_all_modules(type)
    } else {
        return get_resources_root_only(type)
    }
}

get_resources_root_only = func(type) {
    resources = []
    named_and_counted_resources = tfplan.resources[type] else {}
    for named_and_counted_resources as _, instances {
        for instances as _, body {
            append(resources, body)
        }
    }
    return resources
}

get_resources_all_modules = func(type) {
    resources = []
    for tfplan.module_paths as path {
        print(tfplan.module(path))
        named_and_counted_resources = tfplan.module(path).resources[type] else {}
        for named_and_counted_resources as _, instances {
            for instances as _, body {
                append(resources, body)
            }
        }
    }
    return resources
}

subnetworks = filter get_resources("google_compute_subnetwork") as s { "applied" in keys(s)}

check_logging = rule {
  all subnetworks as n {
    n.applied.log_config != []
  }
}

main = rule {
  (check_logging) else true
}

… and line 25 seems to be pointing to:

get_resources_all_modules = func(type) {
    resources = []
    for tfplan.module_paths as path {
=====>      named_and_counted_resources = tfplan.module(path).resources[type] else {}  <==== THIS LINE
        for named_and_counted_resources as _, instances {
            for instances as _, body {
                append(resources, body)
            }
        }
    }
    return resources
}

When I download and view the mock data (mock-tfplan.sentinel), it seems like Sentinel doesn’t like the diff block:

_modules = {
	"root": {
		"data": {},
		"path": [],
		"resources": {
			"google_project_service_identity": {
				"dataflow": {
					0: {
						"applied": {
							"project":  "<SOME_PROJECT_ID>",
							"service":  "dataflow.googleapis.com",
							"timeouts": null,
						},
						"destroy": false,
						"diff": {
							"email": {
								"computed": true,
								"new":      "",
								"old":      "",
							},
							"id": {
								"computed": true,
								"new":      "",
								"old":      "",
							},
							"project": {
								"computed": false,
								"new":      "<SOME_PROJECT_ID>",
								"old":      "",
							},
							"service": {
								"computed": false,
								"new":      "dataflow.googleapis.com",
								"old":      "",
							},
							"timeouts": {
								"computed": false,
								"new":      "",
								"old":      "",
							},
						},
						"requires_new": false,
					},
				},
			},
		},
	},
	
	...
}

Is this a known bug? If yes, is this fixed in the later releases?

Thank you.
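For readers arriving at this thread for the policy itself rather than the runtime error: the following is an added, stricter variant of the policy above, written here as an illustration and not taken from the original post or from HashiCorp. It uses the same tfplan (v1) import and the same module-walking helpers, so it hits the same "cannot find schema for diff" error on an affected release and is not a workaround. What it changes is the failure mode: `length(n.applied.log_config else [])` makes a subnetwork with no log_config fail outright instead of evaluating to undefined, and `main` omits the `else true`, so an undefined result fails the policy instead of passing it.

```sentinel
// check-subnetwork-log-config-strict.sentinel (added example, not the poster's file)

import "tfplan"

// Same module-walking helpers as the policy above, reproduced so the example
// stands alone. On an affected TFE release they raise the same
// "cannot find schema for diff" runtime error; nothing here works around it.
get_resources = func(type) {
    if length(tfplan.module_paths else []) > 0 {
        return get_resources_all_modules(type)
    } else {
        return get_resources_root_only(type)
    }
}

get_resources_root_only = func(type) {
    resources = []
    named_and_counted_resources = tfplan.resources[type] else {}
    for named_and_counted_resources as _, instances {
        for instances as _, body {
            append(resources, body)
        }
    }
    return resources
}

get_resources_all_modules = func(type) {
    resources = []
    for tfplan.module_paths as path {
        named_and_counted_resources = tfplan.module(path).resources[type] else {}
        for named_and_counted_resources as _, instances {
            for instances as _, body {
                append(resources, body)
            }
        }
    }
    return resources
}

// Only instances being created or updated carry an "applied" map;
// instances being destroyed are skipped.
subnetworks = filter get_resources("google_compute_subnetwork") as s {
    "applied" in keys(s)
}

// A subnetwork passes only if log_config is present and non-empty.
// "else []" turns a missing attribute into an empty list, so an instance
// with no log_config block fails instead of evaluating to undefined.
check_logging = rule {
    all subnetworks as n {
        length(n.applied.log_config else []) > 0
    }
}

// No "else true" here: if anything is still undefined, main is undefined and
// the policy fails, rather than passing on a condition that was never evaluated.
main = rule {
    check_logging
}
```

The `(check_logging) else true` in the original policy is worth noticing when reviewing it: in Sentinel, `x else y` yields `y` whenever `x` is undefined, so any undefined intermediate (for example, an instance whose `applied` map lacks `log_config`) turns into a pass rather than a failure.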

Hi @choonchernlim,

Does this issue only materialize when your workspace is using Terraform 0.13.x? If so, it sounds like you are experiencing a bug in the Sentinel v1 import where changes to provider addresses caused issues for us. This has been resolved in a later release.

Hi @hcrhallm, my institution is currently using Terraform 0.12.x. We are in the process of upgrading to 0.13.x before the end of the year. When you say it’s resolved in a later release, are you referring to Terraform or Terraform Enterprise? In any case, do you know which version onward would contain this fix? Thank you.

@choonchernlim The most recent release of TFE is v202012-2, which includes the bug fix for the Sentinel runtime and bumps the Sentinel version to 0.16.1.

@hcrhall This is great news! Thank you for troubleshooting and answering my post. I’ll ask my side on the feasibility of upgrading TFE to this latest version in the near future.

@hcrhall My institution just upgraded TFE to v202012-2, but this Sentinel bug still exists. Any idea why? The codebase still relies on TF 0.12. Do I need to use TF 0.13 for this bug to go away? Thank you.

@choonchernlim this is interesting and will require further triage via support as I am not sure why this is still occurring. I think it would be best if we progress further through a formal support request. Your TAM should be able to help with this if you are not familiar with the process.