diff --git a/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py b/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py
index 905c8e875ab..c47a1809e59 100644
--- a/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py
+++ b/checkov/terraform/checks/resource/gcp/GoogleComputeDefaultServiceAccountFullAccess.py
@@ -23,9 +23,13 @@ def scan_resource_conf(self, conf):
 :param conf: google_compute_instance configuration
 :return:
 """
- if 'name' in conf and conf['name'][0].startswith('gke-'):
- self.evaluated_keys = ['name']
- return CheckResult.PASSED
+
+ if 'name' in conf:
+ if not isinstance(conf['name'][0], str):
+ return CheckResult.UNKNOWN
+ if conf['name'][0].startswith('gke-'):
+ self.evaluated_keys = ['name']
+ return CheckResult.PASSED
 
 if 'source_instance_template' in conf.keys() and 'service_account' not in conf.keys():
 # if the source_instance_template value is there (indicating a google_compute_instance_from_template),
diff --git a/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py b/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py
index 53ed2d75935..ec49b1a7d4d 100644
--- a/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py
+++ b/checkov/terraform/checks/resource/gcp/GoogleComputeIPForward.py
@@ -31,6 +31,8 @@ def get_excluded_key(self):
 return "name"
 
 def check_excluded_condition(self, value):
+ if not isinstance(value, str):
+ return False
 return value.startswith('gke-')
 
diff --git a/tests/terraform/checks/resource/gcp/test_GoogleComputeDefaultServiceAccountFullAccess.py b/tests/terraform/checks/resource/gcp/test_GoogleComputeDefaultServiceAccountFullAccess.py
index b49804d5f80..4c9d8257876 100644
--- a/tests/terraform/checks/resource/gcp/test_GoogleComputeDefaultServiceAccountFullAccess.py
+++ b/tests/terraform/checks/resource/gcp/test_GoogleComputeDefaultServiceAccountFullAccess.py
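Review bot: Returning CheckResult.UNKNOWN as soon as `conf['name'][0]` is not a string ends scan_resource_conf early, so a google_compute_instance whose name parses to a non-string (hcl2 yields a dict for computed expressions, as the new test's `name = {}` shows) is never evaluated for the default-service-account scopes this check exists to catch. The name test is only a GKE exclusion, so a non-string name should fall through to the remaining logic, which is what the GoogleComputeIPForward hunk in this same commit does by returning False; folding the type test into the exclusion keeps the original shape: `if 'name' in conf and isinstance(conf['name'][0], str) and conf['name'][0].startswith('gke-'):`. `conf['name'][0]` also still raises IndexError when the attribute is present but parses to an empty list; `conf.get('name') or [None]` or a length test would cover that. The from_template branch that test_unknown2's fixture presumably reaches, and the rest of scan_resource_conf, lie outside the hunk, so whether the fall-through still yields UNKNOWN for that fixture should be confirmed against those lines.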
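Review bot: check_excluded_condition has no docstring saying why a non-string value is not excluded, which is the behaviour the added lines pin down; since get_excluded_key returns "name", `value` is presumably the parsed name attribute, which can be a dict for computed expressions. Suggest `"""Return True when the parsed name is a string prefixed with 'gke-'; non-string (computed) names are not excluded, so the check still runs on them."""` and collapsing the body to the single line `return isinstance(value, str) and value.startswith('gke-')`. The enclosing class starts outside the hunk.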
@@ -122,6 +122,17 @@ def test_unknown(self):
 resource_conf = hcl_res['resource'][0]['google_compute_instance_from_template']['default']
 scan_result = check.scan_resource_conf(conf=resource_conf)
 self.assertEqual(CheckResult.UNKNOWN, scan_result)
+
+ def test_unknown2(self):
+ hcl_res = hcl2.loads("""
+ resource "google_compute_instance_from_template" "default" {
+ name = {}
+ source_instance_template = google_compute_instance_template.tpl.id
+ }
+ """)
+ resource_conf = hcl_res['resource'][0]['google_compute_instance_from_template']['default']
+ scan_result = check.scan_resource_conf(conf=resource_conf)
+ self.assertEqual(CheckResult.UNKNOWN, scan_result)
 
 
 if __name__ == '__main__':
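Review bot: `test_unknown2` does not say what it covers; a name such as `test_unknown_non_string_name` makes the regression visible in test output. The fixture also keeps `source_instance_template` without `service_account`, the same shape as test_unknown, so it presumably reaches the pre-existing from_template UNKNOWN path and cannot show that the new isinstance guard is what produces the result; a second fixture using a plain google_compute_instance with `name = {}` and an explicit service_account block would exercise the guard on its own. The test class and the `check` fixture are defined outside the hunk.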