Skip to content

fix(terraform_plan): fix access to list by str in tf plan under _handle_complex_after_unknown #7299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Sep 14, 2025
Merged

fix(terraform_plan): fix access to list by str in tf plan under _handle_complex_after_unknown #7299

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c49e709
fix access to list by str in tf plan under _handle_complex_after_unknown
omriyoffe-panw Sep 11, 2025
2c94e8c
ut
omriyoffe-panw Sep 14, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 4 additions & 1 deletion checkov/terraform/plan_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -262,7 +262,10 @@ def _handle_complex_after_unknown(k: str, resource_conf: dict[str, Any], v: Any)
# skip inner checkov keys
continue
if inner_key not in resource_conf[k]:
resource_conf[k][0][inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
if isinstance(resource_conf[k][0], dict):
resource_conf[k][0][inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
elif isinstance(resource_conf[k][0], list) and isinstance(resource_conf[k][0][0], dict):
resource_conf[k][0][0][inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])


def _find_child_modules(
Expand Down
37 changes: 31 additions & 6 deletions tests/terraform/parser/test_plan_parser.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,10 @@
from pytest_mock import MockerFixture

from checkov.common.util.consts import TRUE_AFTER_UNKNOWN
from checkov.terraform.plan_parser import parse_tf_plan, _sanitize_count_from_name
from checkov.terraform.plan_parser import parse_tf_plan, _sanitize_count_from_name, _handle_complex_after_unknown
from checkov.common.parsers.node import StrNode


class TestPlanFileParser(unittest.TestCase):

def test_tags_values_are_flattened(self):
Expand Down Expand Up @@ -36,15 +37,15 @@ def test_plan_multiple_providers(self):
valid_plan_path = current_dir + "/resources/plan_multiple_providers/tfplan.json"
tf_definition, _ = parse_tf_plan(valid_plan_path, {})
providers = tf_definition['provider']
self.assertEqual( len(providers), 3)
self.assertEqual(len(providers), 3)
provider_names = []
provider_aliases = []
provider_addresses = []
for provider in providers:
key = next(iter(provider))
provider_names.append(key)
provider_aliases.append( provider[key]['alias'][0] )
provider_addresses.append( provider[key]['__address__'] )
provider_aliases.append(provider[key]['alias'][0])
provider_addresses.append(provider[key]['__address__'])

self.assertEqual(provider_names, ["aws", "aws", "aws"])
self.assertEqual(provider_aliases, ["default", "ohio", "oregon"])
Expand Down Expand Up @@ -82,7 +83,7 @@ def test_encodings(self):

def test_provisioners(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
plan_files = ['tfplan.json','tfplan2.json']
plan_files = ['tfplan.json', 'tfplan2.json']

for file in plan_files:
valid_plan_path = current_dir + "/resources/plan_provisioners/" + file
Expand Down Expand Up @@ -120,6 +121,31 @@ def test___sanitize_count_from_name_with_count(self):
result = _sanitize_count_from_name(name)
self.assertEqual(result, "aws_s3_bucket.bucket")

def test_handle_complex_after_unknown(self):
resource = {
"tags": [
[
{
"custom_tags": [
{"key": "Tag1", "value": "Value1"},
{"key": "Tag2", "value": "Value2"}
]
}
]
]
}
key: str = 'tags'
value: list = [
{
'custom_tags': [
{"key": "Tag1", "value": "Value1"},
{"key": "Tag2", "value": "Value2"}
]
}
]
_handle_complex_after_unknown(key, resource, value)
assert resource == {'tags': [[{'custom_tags': ['true_after_unknown']}]]}


def test_large_file(mocker: MockerFixture):
# given
Expand All @@ -133,7 +159,6 @@ def test_large_file(mocker: MockerFixture):
assert tf_definition['resource'][0]['aws_s3_bucket']['b']['start_line'][0] == 0
assert tf_definition['resource'][0]['aws_s3_bucket']['b']['end_line'][0] == 0


def test_vpc_endpoint_policy_is_parsed(self):
current_dir = os.path.dirname(os.path.realpath(__file__))
valid_plan_path = current_dir + "/resources/plan_vpc_endpoint/tfplan.json"
Expand Down
Loading