Checkov fails on `CKV_AZURE_168` if ternary condition is compared to `null`
Describe the issue
In Terraform, in a ternary operation, if the condition consists of a null comparison, Checkov fails.
This particular check fails on both azurerm_kubernetes_cluster and azurerm_kubernetes_cluster_node_pool.
If a different value is used (tested with boolean, string and number), Checkov is able to handle such a comparison and the check is marked as passed.
Examples
main.tf:
provider "azurerm" {
  features {}
}

variable "max_pods" {
  default = null
}

resource "azurerm_kubernetes_cluster" "example" {
  name = "checkovAksCluster"
  default_node_pool {
    name     = "syspool"
    max_pods = var.max_pods == null ? 51 : 49
  }
}
checkov execution (irrelevant output omitted):
$ checkov -d . -c CKV_AZURE_168

terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
    FAILED for resource: azurerm_kubernetes_cluster.example
    File: /main.tf:9-15

         9 | resource "azurerm_kubernetes_cluster" "example" {
        10 |   name = "checkovAksCluster"
        11 |   default_node_pool {
        12 |     name     = "syspool"
        13 |     max_pods = var.max_pods == null ? 51 : 49
        14 |   }
        15 | }
Expected checkov output (irrelevant output omitted):
$ checkov -d . -c CKV_AZURE_168

terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 0

Check: CKV_AZURE_168: "Ensure Azure Kubernetes Cluster (AKS) nodes should use a minimum number of 50 pods."
    PASSED for resource: azurerm_kubernetes_cluster.example
    File: /main.tf:9-15
Version (please complete the following information):
2.3.200
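The evaluation the report expects, written out as an added Python example (not Checkov's own code): a `var.x == null ? a : b` expression is resolved against the variable defaults before the 50-pod minimum is applied, so the config above yields 51 and passes. The dict-of-lists layout, the `resolve`/`check_min_pods` helpers and the regex are assumptions made for the example.

```python
import re

# Constructed inputs mirroring the issue's main.tf, in the dict-of-lists shape an
# HCL parser typically produces (assumed layout, not Checkov's internal model).
VARIABLES = {"max_pods": None}  # variable "max_pods" { default = null }
CLUSTER_CONF = {
    "name": ["checkovAksCluster"],
    "default_node_pool": [
        {"name": ["syspool"], "max_pods": ["${var.max_pods == null ? 51 : 49}"]}
    ],
}

# Only the shape from the issue is handled:  var.NAME == null ? A : B  (or !=)
NULL_TERNARY = re.compile(
    r"^\$?\{?\s*var\.(\w+)\s*(==|!=)\s*null\s*\?\s*(\S+)\s*:\s*(\S+?)\s*\}?$"
)


def resolve(value, variables):
    """Hypothetical resolver: evaluate a null-comparison ternary against variable defaults."""
    if not isinstance(value, str):
        return value  # already a literal (int, bool, ...)
    m = NULL_TERNARY.match(value)
    if not m:
        return value  # anything else is left unresolved
    name, op, when_true, when_false = m.groups()
    var_is_null = variables.get(name) is None
    chosen = when_true if var_is_null == (op == "==") else when_false
    return int(chosen) if chosen.isdigit() else chosen.strip('"')


def check_min_pods(resource_type, conf, variables, minimum=50):
    """Intent of CKV_AZURE_168: every node pool must allow at least `minimum` pods."""
    if resource_type == "azurerm_kubernetes_cluster":
        pools = conf.get("default_node_pool", [])
    else:  # azurerm_kubernetes_cluster_node_pool keeps max_pods at the top level
        pools = [conf]
    for pool in pools:
        raw = (pool.get("max_pods") or [None])[0]
        value = resolve(raw, variables)
        # An unresolved expression or a missing value cannot satisfy the minimum.
        if not isinstance(value, int) or isinstance(value, bool) or value < minimum:
            return "FAILED"
    return "PASSED"
```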
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Not stale.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Not stale.
Hi @ppawlowski
Thanks for reaching out to us and for reporting!
@tsmithv11, @bo156, do you know if we support such cases? It seems that the resource azurerm_kubernetes_cluster.example is not recognizing the value of var.max_pods.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
Not stale.