
[Terraform] Parsing failure due to provider-defined functions in terraform

Open gdowmont opened this issue 11 months ago • 2 comments

Checkov should not have parsing errors with files containing provider-defined functions in terraform.

This was implemented in terraform 1.8 (https://www.hashicorp.com/blog/terraform-1-8-improves-extensibility-with-provider-defined-functions).

Example syntax (this is specific to AWS provider https://registry.terraform.io/providers/hashicorp/aws/latest/docs/functions/arn_build ) looks like: identifiers = [provider::aws::arn_build("aws", "iam", "", data.aws_caller_identity.current.account_id, "root")]

Steps to replicate/test:

  1. Create a policy.tf file containing:

```hcl
# Referenced by the principal below; declared so the file is a complete module.
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "firehose_key_policy" {
  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    resources = ["*"]
    actions   = ["kms:*"]

    principals {
      type        = "AWS"
      # Terraform 1.8+ provider-defined function (AWS provider): builds the account root ARN.
      identifiers = [provider::aws::arn_build("aws", "iam", "", data.aws_caller_identity.current.account_id, "root")]
    }
  }
}
```

  2. Run checkov against the file

gdowmont avatar Jan 13 '25 10:01 gdowmont

As we're more widely adopting provider-defined functions, we're having more and more of a gap with our checkov results that are now silently failing to parse files.

bushong1 avatar Mar 07 '25 15:03 bushong1

This is currently blocking our usage of Checkov with the latest azurerm 4.x provider. Will provider functions be supported with Checkov scanning?

folksgl avatar Apr 09 '25 20:04 folksgl

Any idea when this will be fixed?

jethrovaneetvelde avatar Jul 14 '25 07:07 jethrovaneetvelde

My team is also currently blocked - any update on a fix here?

cooperglavin avatar Jul 18 '25 14:07 cooperglavin

Hi, this was fixed in this PR, available since checkov version 3.2.451.

bo156 avatar Jul 27 '25 13:07 bo156
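Because Checkov versions before the fix skipped affected files without failing the scan, a team adopting provider-defined functions wants two things: a list of the `.tf` files that contain `provider::<ns>::<fn>(` calls (the files an old Checkov would silently drop from its results), and a check that the installed Checkov is at least 3.2.451, the version named above. The script below is an added example written for this thread, not code from the Checkov project or from anyone in the issue. The `provider::` call syntax is Terraform 1.8's; the sample HCL is constructed here (the poster's policy plus an `arn_parse` call), and the `MIN_SUPPORTED_VERSION` constant is taken from bo156's comment.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Terraform 1.8+ provider-defined function call: provider::<namespace>::<function>(
PROVIDER_FN_RE = re.compile(r"\bprovider::([A-Za-z0-9_-]+)::([A-Za-z0-9_]+)\s*\(")

# First Checkov release the maintainer names as parsing this syntax (from the thread).
MIN_SUPPORTED_VERSION = "3.2.451"

# Constructed sample: the issue's policy.tf plus a second provider function in a locals block.
SAMPLE_TF = """\
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "firehose_key_policy" {
  statement {
    sid       = "Enable IAM User Permissions"
    effect    = "Allow"
    resources = ["*"]
    actions   = ["kms:*"]

    principals {
      type        = "AWS"
      identifiers = [provider::aws::arn_build("aws", "iam", "", data.aws_caller_identity.current.account_id, "root")]
    }
  }
}

locals {
  # parse an ARN back into its components (also a provider-defined function)
  key_arn = provider::aws::arn_parse(var.key_arn)
}
"""


def find_provider_functions(hcl_text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, provider_namespace, function_name) for each provider-defined call."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(hcl_text.splitlines(), start=1):
        for match in PROVIDER_FN_RE.finditer(line):
            hits.append((lineno, match.group(1), match.group(2)))
    return hits


def scan_directory(root: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Map each .tf file under root (recursively) to the provider-defined calls it contains."""
    results: Dict[str, List[Tuple[int, str, str]]] = {}
    for tf_file in sorted(Path(root).rglob("*.tf")):
        hits = find_provider_functions(tf_file.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(tf_file)] = hits
    return results


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a version string as a comparable tuple ('3.2.451' -> (3, 2, 451))."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def supports_provider_functions(checkov_version: str) -> bool:
    """True if this Checkov version is at or past the release that parses provider:: calls."""
    return parse_version(checkov_version) >= parse_version(MIN_SUPPORTED_VERSION)


def installed_checkov_version() -> Optional[str]:
    """Version of the checkov package in this interpreter, or None if it is not installed."""
    try:
        from importlib.metadata import version
        return version("checkov")
    except Exception:  # PackageNotFoundError, or metadata unavailable
        return None


if __name__ == "__main__":
    for lineno, ns, fn in find_provider_functions(SAMPLE_TF):
        print(f"sample.tf:{lineno}: provider::{ns}::{fn}(...)")
    current = installed_checkov_version()
    if current is None:
        print("checkov is not installed in this interpreter")
    elif supports_provider_functions(current):
        print(f"checkov {current}: provider-defined functions are parsed")
    else:
        print(f"checkov {current}: files using provider:: functions will be skipped; "
              f"upgrade to >= {MIN_SUPPORTED_VERSION}")
```

Run it against a repository with `scan_directory(".")` before a scan on an older Checkov: any file it lists is one whose resources were absent from the findings, so a clean report for that file proves nothing. The regex deliberately matches only the `provider::ns::fn(` call form, so a comment that merely mentions a provider function, like the one in the sample, is not reported.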