CKV_AZURE_35 - false positive if single file was checked
Describe the issue
CKV_AZURE_35 triggers a false positive for `azurerm_storage_account_network_rules` when only a single file is checked and the variable's default value is defined in a separate file.
Examples
# variables.tf
# Holds the network default action consumed by main.tf; "Deny" is the value
# CKV_AZURE_35 expects. Because the default lives in this separate file, a scan
# that reads only main.tf cannot resolve var.default_action to "Deny".
variable "default_action" {
default = "Deny"
}
# main.tf
# Provider block with no feature flags set; nothing here affects the check.
provider "azurerm" {
features {}
}
# Resource group that the network, subnet and storage account below refer to.
resource "azurerm_resource_group" "example" {
name = "example-resources"
location = "West Europe"
}
# Virtual network hosting the subnet that is later allowed through the
# storage account network rules.
resource "azurerm_virtual_network" "example" {
name = "example-vnet"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.example.location
resource_group_name = azurerm_resource_group.example.name
}
# Subnet referenced by virtual_network_subnet_ids in the network rules.
resource "azurerm_subnet" "example" {
name = "example-subnet"
resource_group_name = azurerm_resource_group.example.name
virtual_network_name = azurerm_virtual_network.example.name
address_prefixes = ["10.0.2.0/24"]
# The Microsoft.Storage service endpoint is what lets this subnet be listed
# as an allowed source on the storage account.
service_endpoints = ["Microsoft.Storage"]
}
# Storage account whose network access rules are defined in the separate
# azurerm_storage_account_network_rules resource below.
resource "azurerm_storage_account" "example" {
# NOTE(review): this skip is attached to the storage account, while the
# default_action under test sits on the separate network rules resource;
# whether checkov honours a skip here for a finding reported on that resource
# is not shown in this example - confirm before relying on it. A skip also
# suppresses the finding for any future non-Deny value.
# checkov:skip=CKV_AZURE_35:False positive
name = "storageaccountname"
resource_group_name = azurerm_resource_group.example.name
location = azurerm_resource_group.example.location
account_tier = "Standard"
account_replication_type = "GRS"
# Rejects TLS 1.0/1.1 clients.
min_tls_version = "TLS1_2"
tags = {
environment = "staging"
}
}
# Network rules for the storage account above. This is the resource
# CKV_AZURE_35 evaluates in this example.
resource "azurerm_storage_account_network_rules" "example" {
storage_account_id = azurerm_storage_account.example.id
# Resolves to "Deny" only when variables.tf is part of the scan; checking
# main.tf alone leaves the variable unresolved, which is the reported
# false positive.
default_action = var.default_action
# NOTE(review): "1.1.1.0/8" has host bits set for a /8 prefix; presumably a
# placeholder, but an allow-list entry should be a canonical network range.
ip_rules = ["1.1.1.0/8"]
virtual_network_subnet_ids = [azurerm_subnet.example.id]
# Lets trusted Azure services through even with default_action = "Deny".
bypass = ["AzureServices"]
}
Check only the main.tf file with `checkov --file /tf/main.tf` and observe the false positive.
Version (please complete the following information):
- 2.1.210