fix(terraform): fix port is bool ingress rule (#3606)

* fix port is bool ingress rule * fix sub_rule is not dict * fix and add test
bridgecrewio · Oct 3, 2022 · 18fea5e · 18fea5e
1 parent dcd5782
commit 18fea5e
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 1 deletion.
diff --git a/checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py b/checkov/terraform/checks/resource/aws/AbsNACLUnrestrictedIngress.py
@@ -34,6 +34,8 @@ def scan_resource_conf(self, conf):
                 if not isinstance(rule_lst, list):
                     rule_lst = [rule_lst]
                 for sub_rule in rule_lst:
+                    if not isinstance(sub_rule, dict):
+                        return CheckResult.UNKNOWN
                     if not self.check_rule(sub_rule):
                         return CheckResult.FAILED
             return CheckResult.PASSED

diff --git a/tests/terraform/checks/resource/aws/example_NetworkACLUnrestrictedIngress22/main.tf b/tests/terraform/checks/resource/aws/example_NetworkACLUnrestrictedIngress22/main.tf
@@ -262,3 +262,48 @@ resource "aws_network_acl_rule" "public_ingress" {
   rule_action    = "allow"
   cidr_block     = "0.0.0.0/0"
 }
+
+
+resource "aws_network_acl_rule" "pass3" {
+  vpc_id = aws_network_acl.pass.id
+
+  egress {
+    rule_no    = 200
+    action     = "allow"
+    cidr_block = "10.3.0.0/18"
+    from_port  = false
+    to_port    = false
+  }
+
+  ingress {
+    rule_no    = 100
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = false
+    to_port    = false
+  }
+  ingress {
+    rule_no    = 110
+    action     = "allow"
+    cidr_block = "0.0.0.0/0"
+    from_port  = false
+    to_port    = false
+  }
+
+
+  tags = {
+    Name = "main"
+    test = "fail"
+  }
+}
+
+resource "aws_network_acl_rule" "unknown2" {
+  vpc_id = aws_network_acl.pass.id
+  rule_number    = 100
+  ingress         = true
+  protocol       = "-1"
+  rule_action    = "allow"
+  cidr_block     = "0.0.0.0/0"
+  from_port      = 80
+  to_port        = 80
+}
diff --git a/tests/terraform/checks/resource/aws/test_NetworkACLUnrestrictedIngress22.py b/tests/terraform/checks/resource/aws/test_NetworkACLUnrestrictedIngress22.py
@@ -22,6 +22,7 @@ def test(self):
             "aws_network_acl.pass2",
             "aws_network_acl_rule.pass",
             "aws_network_acl_rule.pass2",
+            "aws_network_acl_rule.pass3"
         }
         failing_resources = {
             "aws_network_acl.fail",
@@ -35,7 +36,7 @@ def test(self):
         passed_check_resources = {c.resource for c in report.passed_checks}
         failed_check_resources = {c.resource for c in report.failed_checks}
 
-        self.assertEqual(summary["passed"], 4)
+        self.assertEqual(summary["passed"], 5)
         self.assertEqual(summary["failed"], 6)
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)