fix(misconf): allow null values only for tf variables [backport: release/v0.58] (#8238)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
Co-authored-by: Nikita Pivkin <nikita.pivkin@smartforce.io>

pkg/iac/scanners/terraform/parser/load_module.go

@@ -24,7 +24,7 @@ type ModuleDefinition struct {
 }
 
 func (d *ModuleDefinition) inputVars() map[string]cty.Value {
-	inputs := d.Definition.Values().AsValueMap()
+	inputs := d.Definition.NullableValues().AsValueMap()
 	if inputs == nil {
 		return make(map[string]cty.Value)
 	}

pkg/iac/scanners/terraform/parser/parser_test.go

@@ -2161,3 +2161,29 @@ resource "foo" "this" {
 		})
 	}
 }
+
+func TestAttrRefToNullVariable(t *testing.T) {
+	fsys := fstest.MapFS{
+		"main.tf": &fstest.MapFile{Data: []byte(`variable "name" {
+  type    = string
+  default = null
+}
+
+resource "aws_s3_bucket" "example" {
+  bucket = var.name
+}`)},
+	}
+
+	parser := New(fsys, "", OptionStopOnHCLError(true))
+
+	require.NoError(t, parser.ParseFS(context.TODO(), "."))
+
+	_, err := parser.Load(context.TODO())
+	require.NoError(t, err)
+
+	modules, _, err := parser.EvaluateAll(context.TODO())
+	require.NoError(t, err)
+
+	val := modules.GetResourcesByType("aws_s3_bucket")[0].GetAttribute("bucket").GetRawValue()
+	assert.Nil(t, val)
+}

pkg/iac/terraform/block.go

@@ -569,13 +569,25 @@ func (b *Block) Attributes() map[string]*Attribute {
 	return attributes
 }
 
+func (b *Block) NullableValues() cty.Value {
+	return b.values(true)
+}
+
 func (b *Block) Values() cty.Value {
+	return b.values(false)
+}
+
+func (b *Block) values(allowNull bool) cty.Value {
 	values := createPresetValues(b)
 	for _, attribute := range b.GetAttributes() {
 		if attribute.Name() == "for_each" {
 			continue
 		}
-		values[attribute.Name()] = attribute.NullableValue()
+		if allowNull {
+			values[attribute.Name()] = attribute.NullableValue()
+		} else {
+			values[attribute.Name()] = attribute.Value()
+		}
 	}
 	return cty.ObjectVal(postProcessValues(b, values))
 }