Transform terraform hcl var

README.md

@@ -20,6 +20,7 @@ Migrate workloads from other platforms to [StackGuardian Platform](https://app.s
 - [sg-cli](https://github.com/StackGuardian/sg-cli/tree/main/shell)
 
 ### Perform terraform login
+
 Perform `terraform login` to ensure that your local Terraform can interact with your Terraform Cloud/Enterprise account.
 
 ### Export the resource definitions and Terraform state
@@ -37,8 +38,11 @@ terraform apply -auto-approve -var-file=terraform.tfvars
 A new `export` folder should have been created. The `sg-payload.json` file contains the definition for each workflow that will be created for each Terraform Workspace, and the `states` folder contains the files for the Terraform state for each of your workspaces, if the state export was enabled.
 
 After completing the export , edit the `sg-payload.json` file to provide tune each workflow configuration with the following:
-###  Use the example_payload.jsonc file as a reference and edit the schema of the `sg-payload.json`
+
+### Use the example_payload.jsonc file as a reference and edit the schema of the `sg-payload.json`
+
 - `DeploymentPlatformConfig` - This is used to authenticate against a cloud provider using a StackGuardian Integration. Create the relevant integration in StackGuardian platform and update `DeploymentPlatformConfig.kind` from the following "AZURE_STATIC", "AWS_STATIC","GCP_STATIC", "AWS_RBAC". Update `DeploymentPlatformConfig.config.integrationId` with "/integrations/INTEGRATION_NAME" and `DeploymentPlatformConfig.config.profileName` with the name of the integration used upon creation.
+
 ```
   DeploymentPlatformConfig: [
     {
@@ -50,27 +54,27 @@ After completing the export , edit the `sg-payload.json` file to provide tune ea
     }
   ]
 ```
+
 - `VCSConfig` - Provide full path to the `repo` like as well the relevant `sourceConfigDestKind` from the following "GITHUB_COM", "BITBUCKET_ORG", "GITLAB_COM", "AZURE_DEVOPS"
-    - `config.auth` 
-    - `config.isPrivate`
-
+  - `config.auth`
+  - `config.isPrivate`
 - `ResourceName` - name of your StackGuardian Workflow
 - `wfgrpName` - this corresponds to the labelling of workflow group name in the StackGuardian platform
 - `Description` - description for the workflows created in the StackGuardian platform
-- `Tags` - list of tags for the workflows created in the StackGuardian platform 
+- `Tags` - list of tags for the workflows created in the StackGuardian platform
 - `EnvironmentVariables` - environment variables for the workflows created in the StackGuardian platform
 - `RunnerConstraints` - Runner description for the workflows in the StackGuardian platform
-    - Private runners - ``` 
-          "RunnerConstraints": {
-            "type": "private",
-            "names": [
-                "sg-runner"
-            ] 
-          }```
-    - Shared runners - ```
-          "RunnerConstraints": {
-            "type": "shared"
-          }```
+  - Private runners - ` 
+"RunnerConstraints": {
+  "type": "private",
+  "names": [
+      "sg-runner"
+  ] 
+}`
+  - Shared runners - `
+"RunnerConstraints": {
+  "type": "shared"
+}`
 - `Approvers` - Approvers for the workflow to run it successfully
 - `TerraformConfig` - Terraform configuration for the workflows created in the StackGuardian platform
 - `UserSchedules` - Scheduled workflow run configuration for the workflow in the StackGuardian platform
@@ -80,7 +84,10 @@ After completing the export , edit the `sg-payload.json` file to provide tune ea
 
 - Fetch [sg-cli](https://github.com/StackGuardian/sg-cli.git) and set it up locally (documentation present in repo)
 - Run the following commands and pass the `sg-payload.json` as payload (represented below)
-- Get your SG API Key here: https://app.stackguardian.io/orchestrator/orgs/<ORG_ID>/settings?tab=api_key
+- Get your SG API Key here:
+  - Login to Stackguardian.
+  - Go to profile at the bottom left. Click on the eamil or the username.
+  - Click API key and click on view.
 
 ```shell
 cd ../../export
@@ -92,6 +99,16 @@ wget -q "$(wget -qO- "https://api.github.com/repos/stackguardian/sg-cli/releases
 ```
 
 if you want to update a workflow with different details, please re-run the sg-cli command with the modified sg-payload.json and your workflow will be updated with the new details, as long as the ResourceName (Workflow name) remains the same.
+
 ```shell
 ./sg-cli workflow create --bulk --org "<ORG NAME>" -- sg-payload.json
 ```
+
+## Convert hcl variables to json
+
+HCL variables in terraform cloud appear as strings in sg-payload.json, which needs to be converted to json.</br >
+It will change the file input file in place so that none of the other steps need any change.
+
+```shell
+./convert_hcl_to_json.sh <intput_file>
+```

convert_hcl_to_json.sh

@@ -0,0 +1,119 @@
+#!/bin/bash
+
+install_jq(){
+    OS=$(uname -s)
+    if [[ "$OS" == "Darwin" ]]; then
+        OS="macos"
+    elif [[ "$OS" == "Linux" ]]; then
+        OS="linux"
+    else
+        echo "Unsupported OS: $OS"
+        exit 1
+    fi
+
+    ARCH=$(uname -m)
+
+    JQ_BIN="/tmp/jq"
+    url="https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-${OS}-${ARCH}"
+    curl -L -o $JQ_BIN $url
+    chmod +x $JQ_BIN
+
+}
+
+install_hcl2json(){
+    OS=$(uname -s)
+    if [[ "$OS" == "Darwin" ]]; then
+        OS="darwin"
+    elif [[ "$OS" == "Linux" ]]; then
+        OS="linux"
+    else
+        echo "Unsupported OS: $OS"
+        exit 1
+    fi
+
+    ARCH=$(uname -m)
+
+    HCL2JSON_BIN="/tmp/hcl2json"
+
+    url="https://github.com/tmccombs/hcl2json/releases/download/v0.6.7/hcl2json_${OS}_${ARCH}"
+    echo $url
+    curl -L -o $HCL2JSON_BIN $url
+    chmod +x $HCL2JSON_BIN
+}
+
+
+INPUT_FILE_JSON="$1"
+if [ -z "$INPUT_FILE_JSON" ]; then
+    echo "Usage: $0 <input_file.json>"
+    exit 1
+fi
+
+install_jq
+install_hcl2json
+
+# Read entire JSON array into a variable
+json_data=$(cat "$INPUT_FILE_JSON")
+
+# Use jq to get the length of array
+length=$($JQ_BIN length <<<"$json_data")
+
+# Create a temporary file to store updated objects
+tmpfile=$(mktemp)
+
+for ((i=0; i<length; i++)); do
+  # Extract ith object
+  obj=$($JQ_BIN ".[$i]" <<<"$json_data")
+
+  JSON_PATH=".VCSConfig.iacInputData.data"
+
+  # Extract the value at JSON_PATH from the object
+  val=$($JQ_BIN -c "$JSON_PATH" <<<"$obj")
+
+  # If val is null or not an object, skip
+  if [[ "$val" == "null" || $($JQ_BIN 'type' <<<"$val") != "\"object\"" ]]; then
+    echo "$obj" >> "$tmpfile"
+
+    continue
+  fi
+
+  # Initialize new_val as empty object
+  new_val="{}"
+
+  # Loop over key-value pairs in val
+  keys=$($JQ_BIN -r 'keys[]' <<<"$val")
+  for key in $keys; do
+    # Get the string value for the key
+    value=$($JQ_BIN --arg k "$key" '.[$k]' <<<"$val" | sed 's/\\"/"/g')
+    value="${value%\"}"
+    value="${value#\"}"
+    value="temp = $value"
+
+    # Heuristic: if value contains '=', treat as HCL string
+    if [[ "$value" == *"="* ]]; then
+      # Convert HCL to JSON using hcl2json
+      parsed=$(echo -e "$value" | $HCL2JSON_BIN | $JQ_BIN -c '.temp')
+      if [[ $? -eq 0 && "$parsed" != "" ]]; then
+        # Add parsed json as the key's value
+        new_val=$($JQ_BIN --arg k "$key" --argjson v "$parsed" '. + {($k): $v}' <<<"$new_val")
+      else
+        # If parse fails, keep original string
+        echo "parsing failed: $value"
+        new_val=$($JQ_BIN --arg k "$key" --arg v "$value" '. + {($k): $v}' <<<"$new_val")
+      fi
+    else
+      # Not HCL, keep as string
+      new_val=$($JQ_BIN --arg k "$key" --arg v "$value" '. + {($k): $v}' <<<"$new_val")
+    fi
+  done
+
+  # Update the object by assigning new_val back at JSON_PATH
+  updated_obj=$($JQ_BIN --argjson nv "$new_val" "$JSON_PATH = \$nv" <<<"$obj")
+
+  # Save updated object
+  echo "$updated_obj" >> "$tmpfile"
+done
+
+# Combine updated objects into an array and overwrite the original file
+$JQ_BIN -s '.' "$tmpfile" > "$INPUT_FILE_JSON"
+
+rm "$tmpfile" $HCL2JSON_BIN $JQ_BIN

transformer/terraform-cloud/main.tf

@@ -15,4 +15,4 @@ terraform {
       version = "~> 3.2.1"
     }
   }
-}
+}