checkov icon indicating copy to clipboard operation
checkov copied to clipboard
verified publisher icon bridgecrewio

wip fix(terraform): evaluate inline checks for looped modules

Open Alex-Waring opened this issue 1 year ago • 5 comments

User description

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

The inline comment checker for enriched plan checking, currently works by looking up exceptions using the name of the module, in form module.module_name, even when there is a count or for_each set on the resource.

When we then loop through the resources in the plan to look up their enrichments, this lookup fails as we're using module.module_name[index]. This PR proves that this is the case by introducing a new test that fails, and then fixes that test.

Fixes https://github.com/bridgecrewio/checkov/issues/6113

Checklist:

  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [ ] I have made corresponding changes to the documentation
  • [x] I have added tests that prove my feature, policy, or fix is effective and works
  • [x] New and existing tests pass locally with my changes

Generated description

Dear maintainer, below is a concise technical summary of the changes proposed in this PR:

Fix the inline comment checker for enriched plan checking by addressing the issue with module name lookups when using count or for_each in Terraform modules. The Report class in checkov/common/output/report.py is updated to correctly handle module paths by ignoring indices in module names. New tests are added in test_runner_registry_plan_enrichment.py to validate the fix, ensuring that checks are correctly skipped for looped modules. The test setup includes Terraform configuration files and a plan JSON file to simulate the scenario.

TopicDetails
Inline Checker Fix Fix the inline comment checker for enriched plan checking by addressing the issue with module name lookups when using count or for_each in Terraform modules.
Modified files (1)
  • checkov/common/output/report.py
Latest Contributors(2)
EmailCommitDate
146818014+sourava01@us...feat-github-add-summar...May 05, 2024
[email protected]fix-graph-remove-SCA-r...February 11, 2024
Test Enhancements Add tests to validate the fix for module name lookups in looped modules, ensuring checks are correctly skipped.
Modified files (4)
  • tests/common/runner_registry/test_runner_registry_plan_enrichment.py
  • tests/common/runner_registry/plan_with_looped_module/tf/tfplan.json
  • tests/common/runner_registry/plan_with_looped_module/tf/main.tf
  • tests/common/runner_registry/plan_with_looped_module/mod_ref/main.tf
Latest Contributors(2)
EmailCommitDate
[email protected]...feat-terraform-Remove-...August 16, 2023
63583491+arielkru@user...feat-terraform-Impleme...December 01, 2022
This pull request is reviewed by Baz. Join @Alex-Waring and the rest of your team on (Baz).

Alex-Waring avatar Oct 24 '24 21:10 Alex-Waring

Hi 👋 @Alex-Waring , do you have any workaround while we are waiting for your PR to be merged?

cristian-rincon avatar Nov 13 '24 18:11 cristian-rincon

Hi @cristian-rincon, no there's no workaround. This is only WIP because it's just a partial fix, I can always come back if this gets merged.

If you have any way of getting this looked at feel free, it passes all tests so can be merged

Alex-Waring avatar Nov 13 '24 20:11 Alex-Waring

can this be merged? it is really a big blocker

adovy avatar Apr 15 '25 14:04 adovy

Hey @Alex-Waring, Could you please merge the main branch into your branch and fix the failing tests? Thanks for contributing!

MaryArmaly avatar Aug 20 '25 13:08 MaryArmaly

Hi @MaryArmaly , this PR needs a fair amount of work to fix and I do not have the capacity to do so at the moment. If someone from PaloAlto wants to pick this up they are welcome to.

Alex-Waring avatar Aug 20 '25 14:08 Alex-Waring