Skip to content

Add extractTerraformChanges filter plugin #726

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
+550 −0
Open

Add extractTerraformChanges filter plugin #726

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e6b924c
Add extractTerraformChanges filter plugin
vim-zz May 28, 2025
9ddeac6
added test case
vim-zz May 28, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
95 changes: 95 additions & 0 deletions plugins/filters/extractTerraformChanges/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
# extractTerraformChanges

A GitStream filter that analyzes Terraform HCL file changes to extract the highest privilege level from modified JIT (Just-In-Time) access configurations.

## Description

This filter examines git diffs of Terraform HCL files to identify which JIT objects have been modified, then extracts the privilege levels from those objects and returns the highest privilege found. The privilege hierarchy is: `rw` (read-write) > `ro` (read-only).

## Syntax

```yaml
{{ <changes> | extractTerraformChanges }}
```

## Parameters

| Name | Type | Description |
|------|------|-------------|
| `changes` | Array | Array of file change objects containing diff, original_content, and new_content |

## Return Value

- `"rw"` - If any modified JIT object contains read-write privileges
- `"ro"` - If modified JIT objects only contain read-only privileges
- `null` - If no JIT objects were modified or no privileges found

## Examples

### Basic Usage

```yaml
automations:
check_terraform_privilege_changes:
if:
- {{ files | extractTerraformChanges == "rw" }}
run:
- action: add-label@v1
args:
label: "high-privilege-change"
```

### Multiple Conditions

```yaml
automations:
terraform_privilege_review:
if:
- {{ files | extractTerraformChanges != null }}
run:
- action: add-reviewers@v1
args:
reviewers: ["security-team"]
- action: add-label@v1
args:
label: "terraform-jit-change"
```

## Input Format

The filter expects an array of file change objects with the following structure:

```json
[
{
"original_file": "path/to/file.hcl",
"new_file": "path/to/file.hcl",
"diff": "@@ -50,7 +50,7 @@\n- privileges = \"rw\"\n+ privileges = \"ro\"",
"original_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninputs = {\n jits = [\n {\n user = \"user_alpha\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n }\n ]\n}",
"new_content": "..."
}
]
```

## How It Works

1. **Parse Diffs**: Analyzes git diff output to identify changed line numbers
2. **Parse HCL Content**: Extracts JIT objects from the original HCL content with their line ranges
3. **Match Changes**: Determines which JIT objects have been modified based on changed lines
4. **Extract Privileges**: Collects privilege levels from all modified JIT objects
5. **Return Highest**: Returns the highest privilege level found (`rw` > `ro`)

## Use Cases

- **Security Reviews**: Automatically flag changes that modify high-privilege access
- **Approval Workflows**: Require additional approvals for read-write privilege changes
- **Audit Trails**: Track modifications to database access configurations
- **Risk Assessment**: Identify potentially risky infrastructure changes

## Notes

- Only analyzes changes within `jits` arrays in HCL files
- Supports nested JIT object structures with `access` arrays
- Ignores changes outside of JIT configurations
- Returns immediately upon finding `rw` privileges (optimization)
- Handles malformed or incomplete input gracefully
15 changes: 15 additions & 0 deletions plugins/filters/extractTerraformChanges/extract_terraform_changes.cm
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
manifest:
version: 1.0

automations:
linearb_hcl_review:
on:
- pr_created
- commit
if:
- {{ files | match(regex=r/production.*\.hcl/) | some }}
- {{ (source.diff.files | extractTerraformChanges) == 'ro' }}
run:
- action: add-comment@v1
args:
comment: its an RO change
179 changes: 179 additions & 0 deletions plugins/filters/extractTerraformChanges/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,179 @@
/**
* @module extractTerraformChanges
* @description Extract the highest privilege level from modified JIT configurations in Terraform HCL files.
* Analyzes git diffs to identify which JIT objects were changed and returns the highest
* privilege level found (rw > ro).
* @param {Array} changes - Array of file change objects with diff, original_content, and new_content
* @returns {string|null} The highest privilege level found ('rw' or 'ro'), or null if no privileges found
* @example {{ source.diff.files | extractTerraformChanges }}
* @license MIT
**/

module.exports = (changes) => {
if (!changes || !Array.isArray(changes) || changes.length === 0) {
return null;
}

let highestPrivilege = null;

for (const change of changes) {
if (!change.diff || !change.original_content) {
continue;
}

const changedLines = parseChangedLines(change.diff);
if (changedLines.length === 0) {
continue;
}

const originalJitObjects = parseJitObjects(change.original_content);
const newJitObjects = change.new_content ? parseJitObjects(change.new_content) : [];
const modifiedPrivileges = getModifiedPrivileges(originalJitObjects, newJitObjects, changedLines);

for (const privilege of modifiedPrivileges) {
if (privilege === 'rw') {
return 'rw'; // rw is highest, can return immediately
} else if (privilege === 'ro' && !highestPrivilege) {
highestPrivilege = 'ro';
}
}
}

return highestPrivilege;
};

/**
* Parse git diff to extract changed line numbers
* @param {string} diff - Git diff string
* @returns {Array} Array of changed line numbers (1-based)
*/
function parseChangedLines(diff) {
const changedLines = [];
const lines = diff.split('\n');
let currentLine = 0;

for (const line of lines) {
// Parse hunk headers like "@@ -50,7 +50,7 @@"
const hunkMatch = line.match(/^@@ -(\d+),?\d* \+(\d+),?\d* @@/);
if (hunkMatch) {
currentLine = parseInt(hunkMatch[2], 10);
continue;
}

// Track line numbers for context and additions
if (line.startsWith(' ') || line.startsWith('+')) {
if (line.startsWith('+') && !line.startsWith('+++')) {
changedLines.push(currentLine);
}
if (!line.startsWith('-')) {
currentLine++;
}
} else if (line.startsWith('-') && !line.startsWith('---')) {
changedLines.push(currentLine);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🐞 Bug - Git Diff Parsing Bug: Remove the logic that adds deleted lines to changedLines array, since deleted lines don't exist in the original content and shouldn't be used for matching against JIT object line ranges.

Suggested change
changedLines.push(currentLine);
// Deleted lines don't exist in original content, so don't add to changedLines
// and don't increment currentLine since they're not in the target content

}
}

return changedLines;
}

/**
* Parse HCL content to extract JIT objects with their line ranges and privileges
* @param {string} content - HCL file content
* @returns {Array} Array of JIT objects with line ranges and privileges
*/
function parseJitObjects(content) {
const lines = content.split('\n');
const jitObjects = [];
let inJitsArray = false;
let braceLevel = 0;
let currentJit = null;

for (let i = 0; i < lines.length; i++) {
const line = lines[i];
const lineNumber = i + 1;

// Look for the start of jits array
if (line.trim().includes('jits = [')) {
Comment on lines +95 to +96
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Maintainability - Fragile HCL Parsing: Consider using a proper HCL parser library or implement more robust parsing with better tokenization and context awareness to handle edge cases like comments, strings, and nested structures.

Suggested change
// Look for the start of jits array
if (line.trim().includes('jits = [')) {
// Look for the start of jits array - more robust pattern matching
const jitsArrayPattern = /^\s*jits\s*=\s*\[/;
if (jitsArrayPattern.test(line) && !isInComment(line) && !isInString(line)) {

inJitsArray = true;
continue;
}

if (!inJitsArray) {
continue;
}

// Track brace levels to identify JIT object boundaries
const openBraces = (line.match(/{/g) || []).length;
const closeBraces = (line.match(/}/g) || []).length;

if (openBraces > 0 && braceLevel === 0) {
// Start of new JIT object
currentJit = {
startLine: lineNumber,
endLine: lineNumber,
privileges: []
};
braceLevel += openBraces - closeBraces;
} else if (currentJit) {
braceLevel += openBraces - closeBraces;
currentJit.endLine = lineNumber;

// Look for privileges in this line
const privilegeMatch = line.match(/privileges\s*=\s*"(rw|ro)"/);
if (privilegeMatch) {
currentJit.privileges.push(privilegeMatch[1]);
}

// End of JIT object
if (braceLevel === 0) {
jitObjects.push(currentJit);
currentJit = null;
}
}

// Check if we've left the jits array
if (line.trim() === ']' && braceLevel === 0) {
inJitsArray = false;
break;
}
}

return jitObjects;
}

/**
* Get privileges from JIT objects that have been modified
* @param {Array} originalJitObjects - Array of JIT objects from original content with line ranges
* @param {Array} newJitObjects - Array of JIT objects from new content with line ranges
* @param {Array} changedLines - Array of changed line numbers
* @returns {Array} Array of privilege strings from modified objects
*/
function getModifiedPrivileges(originalJitObjects, newJitObjects, changedLines) {
const privileges = [];

// Check original JIT objects for modifications
for (const jit of originalJitObjects) {
// Check if any changed line falls within this JIT object's range
const isModified = changedLines.some(lineNum =>
lineNum >= jit.startLine && lineNum <= jit.endLine
);

if (isModified) {
privileges.push(...jit.privileges);
}
}

// Also check new JIT objects for modifications to capture privilege upgrades (ro->rw)
for (const jit of newJitObjects) {
// Check if any changed line falls within this JIT object's range
const isModified = changedLines.some(lineNum =>
lineNum >= jit.startLine && lineNum <= jit.endLine
);

if (isModified) {
privileges.push(...jit.privileges);
}
}

return privileges;
}
9 changes: 9 additions & 0 deletions plugins/filters/extractTerraformChanges/pr_with_ro_change.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
[
{
"original_file": "production/t1.hcl",
"new_file": "production/t1.hcl",
"diff": "@@ -56,7 +56,7 @@ inputs = {\n },\n {\n user = \"user_beta\"\n- default_ttl = 60 * 60 * 6\n+ default_ttl = 60 * 60 * 7\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n@@ -84,14 +84,13 @@ inputs = {\n },\n {\n user = \"user_delta\"\n- default_ttl = 60 * 60 * 8\n+ default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n- schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n",
"original_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 8\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n schema = \"monitoring\"\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n",
"new_content": "include \"root\" {\n path = find_in_parent_folders(\"root.hcl\")\n}\n\ninclude \"dependencies\" {\n path = find_in_parent_folders(\"dependencies.hcl\")\n}\n\nlocals {\n service = read_terragrunt_config(find_in_parent_folders(\"service.hcl\")).locals\n}\n\nterraform {\n source = \"${get_repo_root()}/modules/vault-database\"\n}\n\ndependency \"rds\" {\n config_path = \"../rds\"\n mock_outputs = {\n engine = \"mariadb\"\n address = \"dummy-endpoint.rds.amazonaws.com\"\n }\n mock_outputs_allowed_terraform_commands = [\"validate\", \"fmt\", \"init\", \"plan\", \"providers\", \"show\", \"refresh\"]\n}\n\ninputs = {\n domain_name = local.service.account.vault_domain_name\n env = local.service.account.env\n azuread_oidc = dependency.vault_azuread.outputs.accessor\n timestamp = timestamp()\n rotate_on_create = true\n\n db = {\n username = \"vault\"\n password = \"vault\"\n name = local.service.name\n endpoint = dependency.rds.outputs.address\n engine = dependency.rds.outputs.engine\n database_name = local.service.name\n }\n\n jits = [\n {\n user = \"user_alpha\"\n default_ttl = 60 * 60 * 24\n max_ttl = 60 * 60 * 24 * 30\n type = \"temporary\"\n expires = \"2026-04-01\"\n access = [\n {\n tables = [\"*\"]\n schema = \"schema_one\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_beta\"\n default_ttl = 60 * 60 * 7\n max_ttl = 60 * 60 * 24 * 7\n type = \"temporary\"\n expires = \"2025-12-31\"\n access = [\n {\n tables = [\"orders\", \"transactions\"]\n schema = \"sales\"\n privileges = \"ro\"\n }\n ]\n },\n {\n user = \"user_gamma\"\n default_ttl = 60 * 60 * 12\n max_ttl = 60 * 60 * 24 * 14\n type = \"temporary\"\n expires = \"2025-10-15\"\n access = [\n {\n tables = [\"*\"]\n schema = \"analytics\"\n privileges = \"rw\"\n }\n ]\n },\n {\n user = \"user_delta\"\n default_ttl = 60 * 60 * 6\n max_ttl = 60 * 60 * 24 * 10\n type = \"temporary\"\n expires = \"2026-01-01\"\n access = [\n {\n tables = [\"logs\", \"events\"]\n privileges = \"ro\"\n }\n ]\n }\n ]\n}\n"
}
]
Loading