fix(terraform): fix an issue with dynamics replacing a whole block (#…

…3846) fix an issue with dynamics replacing a whole block
bridgecrewio · Nov 11, 2022 · 22a2bd0 · 22a2bd0
1 parent af9b0c5
commit 22a2bd0
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/checkov/terraform/parser_functions.py b/checkov/terraform/parser_functions.py
@@ -199,7 +199,8 @@ def process_dynamic_values(conf: Dict[str, List[Any]]) -> bool:
                 conf[element_name] = element_value["content"]
             else:
                 # this should be the result of a successful dynamic block rendering
-                conf[element_name] = element_value
+                # in some cases a whole dict is added, which doesn't have a list around it
+                conf[element_name] = element_value if isinstance(element_value, list) else [element_value]
 
         has_dynamic_block = True
 

diff --git a/tests/terraform/graph/resources/dynamic_lambda_function/lambda.tf b/tests/terraform/graph/resources/dynamic_lambda_function/lambda.tf
@@ -9,4 +9,11 @@ resource "aws_lambda_function" "lambda" {
       target_arn = dead_letter_config.value.target_arn
     }
   }
+
+  dynamic "environment" {
+    for_each = var.environment == null ? [] : [var.environment]
+    content {
+      variables = environment.value.variables
+    }
+  }
 }
diff --git a/tests/terraform/graph/runner/test_runner.py b/tests/terraform/graph/runner/test_runner.py
@@ -0,0 +1,30 @@
+from pathlib import Path
+
+from checkov.runner_filter import RunnerFilter
+from checkov.terraform.runner import Runner
+
+
+def test_dynamics():
+    # given
+    test_files_dir = Path(__file__).parent.parent / "resources/dynamic_lambda_function"
+
+    # when
+    report = Runner().run(
+        root_folder=str(test_files_dir),
+        runner_filter=RunnerFilter(
+            checks=[
+                "CKV_AWS_45",
+                "CKV_AWS_116",
+                "CKV_AWS_173",
+                "CKV_AWS_272",
+            ]
+        ),
+    )
+
+    # then
+    summary = report.get_summary()
+
+    assert summary["passed"] == 2
+    assert summary["failed"] == 2
+    assert summary["skipped"] == 0
+    assert summary["parsing_errors"] == 0