From 779c70a0d82096eba5bd4d579f16a72e018e98b5 Mon Sep 17 00:00:00 2001
From: Omri SirComp
Date: Thu, 21 May 2026 16:45:17 +0300
Subject: [PATCH] fix(query): skip terraform references in metadata label validation

---
 .../metadata_label_is_invalid/query.rego | 7 +++++
 .../test/negative.tf | 26 +++++++++++++++++++
 2 files changed, 33 insertions(+)

diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
index fac01d34dc4..e81fd3454a8 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
@@ -8,6 +8,7 @@ CxPolicy[result] {
 	labels := resource[name].metadata.labels
+	not is_terraform_reference(labels[key])
 	regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", labels[key]) == false
 	result := {
@@ -21,3 +22,9 @@ CxPolicy[result] {
 		"searchLine": common_lib.build_search_line(["resource", resourceType, name, "metadata"], ["labels", key]),
 	}
 }
+
+is_terraform_reference(label) {
+	regex.match("^\\$\\{(local|var|data)\\.[^}]+\\}$", label)
+} else {
+	regex.match("^(local|var|data)\\.[A-Za-z0-9_][A-Za-z0-9_.-]*$", label)
+}
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
index 30e30393a79..cd073a60b37 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
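Review bot: The new guard in `is_terraform_reference` only recognises values that are entirely a single reference, so a label built by interpolation such as `"${var.env}-app"`, or a `module.`/`each.`/`count.` reference, still reaches the literal-format check on the `regex.match(...) == false` line and is reported, because the first pattern is anchored as `^\$\{ … \}$` and the second alternation lists only `local|var|data`. If the intent is to skip anything the scanner cannot resolve statically, a looser first branch such as `regex.match("\\$\\{[^}]*\\}", label)` and adding `module|each|count` to the bare-identifier alternation would close that gap, while a raw string (backticks) would avoid the doubled escaping. The trade-off deserves a comment above the helper, e.g. `# Unresolved Terraform references are skipped here: a variable that resolves to an invalid label at plan time is not detected by this query.` Whether `local.*` values are already substituted before the policy runs is not visible in this hunk; the negative fixture below relies on `local.resource_name` not being reported, which holds either way.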
@@ -54,3 +54,29 @@ resource "kubernetes_pod" "test2" {
     dns_policy = "None"
   }
 }
+
+locals {
+  resource_name = "my-app-service"
+}
+
+resource "kubernetes_service_v1" "test3" {
+  metadata {
+    name = "terraform-service-example"
+    namespace = "default"
+
+    labels = {
+      app = local.resource_name
+    }
+  }
+
+  spec {
+    selector = {
+      app = local.resource_name
+    }
+
+    port {
+      port = 80
+      target_port = 8080
+    }
+  }
+}
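Review bot: The fixture only exercises the bare `local.resource_name` form, so the `${...}` branch of the new helper and the `var`/`data` alternatives have no negative case covering them. Adding a second label on the `test3` metadata, e.g. `tier = "${var.tier}"` together with a `variable "tier" {}` block, would pin the interpolated branch; without it a regression in that pattern would not surface in the query's test run. It is not visible here whether the positive fixture also gains a case proving that a reference-shaped literal still outside the skip patterns is reported, which is worth checking.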