fix(misconf): do not use cty.NilVal for non-nil values (#8567)

Signed-off-by: nikpivkin <[email protected]>

Author: nikpivkin

pkg/iac/scanners/terraform/executor/executor.go

@@ -130,10 +130,16 @@ func writeBlock(tfBlock *terraform.Block, block *hclwrite.Block, causeRng types.
 	var found bool
 
 	for _, attr := range tfBlock.Attributes() {
-		if attr.GetMetadata().Range().Covers(causeRng) && !attr.IsLiteral() {
-			block.Body().SetAttributeValue(attr.Name(), attr.Value())
-			found = true
+		if !attr.GetMetadata().Range().Covers(causeRng) || attr.IsLiteral() {
+			continue
+		}
+
+		value := attr.Value()
+		if !value.IsKnown() || value.IsNull() {
+			continue
 		}
+		block.Body().SetAttributeValue(attr.Name(), value)
+		found = true
 	}
 
 	for _, child := range tfBlock.AllBlocks() {

pkg/iac/scanners/terraform/parser/parser_test.go

@@ -2418,3 +2418,39 @@ func TestConfigWithEphemeralBlock(t *testing.T) {
 	_, err := parser.Load(t.Context())
 	require.NoError(t, err)
 }
+
+func TestConvertObjectWithUnknownAndNullValuesToMap(t *testing.T) {
+	fsys := fstest.MapFS{
+		"main.tf": &fstest.MapFile{Data: []byte(`module "foo" {
+  source = "./modules/foo"
+}
+
+locals {
+  known = "test"
+}
+
+module "bar" {
+  source = "./modules/bar"
+  outputs = {
+    "key1" : { "Value" : module.foo.test },
+    "key2" : { "Value" : local.known },
+    "key3" : { "Value" : local.unknown },
+  }
+}`)},
+		"modules/foo/main.tf": &fstest.MapFile{Data: []byte(`output "test" {
+  value       = ref_to_unknown
+}`)},
+		"modules/bar/main.tf": &fstest.MapFile{Data: []byte(`variable "outputs" {
+  type        = map(any)
+}`)},
+	}
+
+	parser := New(fsys, "", OptionStopOnHCLError(true))
+	require.NoError(t, parser.ParseFS(t.Context(), "."))
+
+	_, err := parser.Load(t.Context())
+	require.NoError(t, err)
+
+	_, _, err = parser.EvaluateAll(t.Context())
+	require.NoError(t, err)
+}

pkg/iac/terraform/attribute.go

@@ -288,7 +288,7 @@ func (a *Attribute) Value() (ctyVal cty.Value) {
 	}()
 	ctyVal, _ = a.hclAttribute.Expr.Value(a.ctx.Inner())
 	if !ctyVal.IsKnown() || ctyVal.IsNull() {
-		return cty.NilVal
+		return cty.DynamicVal
 	}
 	return ctyVal
 }
@@ -304,8 +304,8 @@ func (a *Attribute) NullableValue() (ctyVal cty.Value) {
 		}
 	}()
 	ctyVal, _ = a.hclAttribute.Expr.Value(a.ctx.Inner())
-	if !ctyVal.IsKnown() {
-		return cty.NilVal
+	if !ctyVal.IsKnown() || ctyVal.IsNull() {
+		return cty.NullVal(cty.DynamicPseudoType)
 	}
 	return ctyVal
 }