From 5f874fe89393950a4a252a62e9d24d931f713d9d Mon Sep 17 00:00:00 2001
From: ChanochShayner
Date: Wed, 16 Nov 2022 09:46:43 +0200
Subject: [PATCH 1/3] Fix dynamic blocks nested module

---
 .../graph_builder/variable_rendering/renderer.py | 13 +++++++++----
 .../graph/variable_rendering/test_renderer.py    |  7 +++----
 2 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/checkov/terraform/graph_builder/variable_rendering/renderer.py b/checkov/terraform/graph_builder/variable_rendering/renderer.py
index 01671da304d..c3550ea809e 100644
--- a/checkov/terraform/graph_builder/variable_rendering/renderer.py
+++ b/checkov/terraform/graph_builder/variable_rendering/renderer.py
@@ -299,9 +299,9 @@ def _render_dynamic_blocks(self) -> None:
             if dynamic_blocks:
                 try:
                     rendered_blocks = self._process_dynamic_blocks(dynamic_blocks)
-                except Exception:
+                except Exception as e:
                     logging.info(f'Failed to process dynamic blocks in file {vertex.path} of resource {vertex.name}'
-                                 f' for blocks: {dynamic_blocks}')
+                                 f' for blocks: {dynamic_blocks}, error: {e}')
                     continue
 
                 changed_attributes = []
@@ -327,7 +327,7 @@ def _extract_dynamic_arguments(block_name: str, block_content: Dict[str, Any], d
     @staticmethod
     def _process_dynamic_blocks(dynamic_blocks: list[dict[str, Any]] | dict[str, Any]) -> dict[
         str, list[dict[str, Any]]]:
-        rendered_blocks: dict[str, list[dict[str, Any]]] = {}
+        rendered_blocks: dict[str, list[dict[str, Any]] | dict[str, Any]] = {}
 
         if not isinstance(dynamic_blocks, list) and not isinstance(dynamic_blocks, dict):
             logging.info(f"Dynamic blocks found, but of type {type(dynamic_blocks)}")
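Review bot: The widened annotation on `rendered_blocks` in the second hunk (`dict[str, list[dict[str, Any]] | dict[str, Any]]`) no longer matches the method's own return annotation, which the context lines two above it still give as `dict[str, list[dict[str, Any]]]`, and the later hunk returns `rendered_blocks` as-is, so a type checker will report an incompatible return and callers keep the narrower contract. Update the signature to `-> dict[str, list[dict[str, Any]] | dict[str, Any]]:` so the declared contract reflects that a nested block may now come back as a plain dict. The body of `_process_dynamic_blocks` continues outside the hunk.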
@@ -379,7 +379,12 @@ def _process_dynamic_blocks(dynamic_blocks: list[dict[str, Any]] | dict[str, Any
                 except (StopIteration, AttributeError):
                     continue
                 block_content[DYNAMIC_STRING][next_key]['for_each'] = dynamic_values
-                rendered_blocks.update(TerraformVariableRenderer._process_dynamic_blocks(block_content[DYNAMIC_STRING]))
+
+                flatten_key = next(iter(rendered_blocks.keys()))
+                if next_key in rendered_blocks[flatten_key]:
+                    rendered_blocks[flatten_key].update(TerraformVariableRenderer._process_dynamic_blocks(block_content[DYNAMIC_STRING]))
+                else:
+                    rendered_blocks.update(TerraformVariableRenderer._process_dynamic_blocks(block_content[DYNAMIC_STRING]))
 
         return rendered_blocks
 
diff --git a/tests/terraform/graph/variable_rendering/test_renderer.py b/tests/terraform/graph/variable_rendering/test_renderer.py
index 4441554c0d9..25b4a6d4042 100644
--- a/tests/terraform/graph/variable_rendering/test_renderer.py
+++ b/tests/terraform/graph/variable_rendering/test_renderer.py
@@ -344,10 +344,9 @@ def test_dynamic_blocks_with_nested_map(self):
         local_graph, _ = graph_manager.build_graph_from_source_directory(path, render_variables=True)
         resources_vertex = list(filter(lambda v: v.block_type == BlockType.RESOURCE, local_graph.vertices))
         assert len(resources_vertex[0].attributes.get('required_resource_access')) == 2
-        # TODO support nested with dict.
-        # assert resources_vertex[0].attributes.get('required_resource_access') == \
-        #     {'resource_app_id': '00000003-0000-0000-c000-000000000000',
-        #      'resource_access': {'id': '7ab1d382-f21e-4acd-a863-ba3e13f7da61', 'type': 'Role'}}
+        assert resources_vertex[0].attributes.get('required_resource_access') == \
+            {'resource_app_id': '00000003-0000-0000-c000-000000000000',
+             'resource_access': {'id': '7ab1d382-f21e-4acd-a863-ba3e13f7da61', 'type': 'Role'}}
 
     def test_dynamic_example_for_security_rule(self):
         graph_manager = TerraformGraphManager('m', ['m'])

From 0fbd8d75b5d91960e643a2e82684866175d982bf Mon Sep 17 00:00:00 2001
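Review bot: `flatten_key = next(iter(rendered_blocks.keys()))` raises `StopIteration` if `rendered_blocks` is still empty when this branch runs, and `next_key in rendered_blocks[flatten_key]` only means "the nested block already exists" when that value is a dict; per the new annotation it may also be a list, in which case the membership test silently compares the key against list elements and `.update` would fail. Whether the empty case is reachable depends on the earlier part of the loop, which is outside the hunk, but the caller's `except Exception` would turn either failure into a quietly skipped resource rather than a visible error. Making the assumption explicit costs two lines: `flatten_key = next(iter(rendered_blocks), None)` and `if flatten_key is not None and isinstance(rendered_blocks[flatten_key], dict) and next_key in rendered_blocks[flatten_key]:`. The recursive `_process_dynamic_blocks(block_content[DYNAMIC_STRING])` call is also duplicated verbatim in both branches and would read better computed once above the `if`. `_process_dynamic_blocks` starts outside the hunk.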
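Review bot: With the exact-equality assertion restored, the preceding `assert len(...) == 2` in the context lines is subsumed by it and can be dropped, and the backslash continuation would be cleaner wrapped in parentheses. The test also indexes `resources_vertex[0]` without pinning how many resource vertices the fixture yields, so it checks whichever vertex happens to come first; an `assert len(resources_vertex) == 1` before the indexing makes the intent explicit. `test_dynamic_blocks_with_nested_map` starts outside the hunk.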
From: ChanochShayner <57212002+ChanochShayner@users.noreply.github.com>
Date: Wed, 16 Nov 2022 10:18:42 +0200
Subject: [PATCH 2/3] Update checkov/terraform/graph_builder/variable_rendering/renderer.py
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Anton GrĂ¼bel
---
 checkov/terraform/graph_builder/variable_rendering/renderer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkov/terraform/graph_builder/variable_rendering/renderer.py b/checkov/terraform/graph_builder/variable_rendering/renderer.py
index c3550ea809e..72a5430b5f0 100644
--- a/checkov/terraform/graph_builder/variable_rendering/renderer.py
+++ b/checkov/terraform/graph_builder/variable_rendering/renderer.py
@@ -301,7 +301,7 @@ def _render_dynamic_blocks(self) -> None:
                     rendered_blocks = self._process_dynamic_blocks(dynamic_blocks)
                 except Exception as e:
                     logging.info(f'Failed to process dynamic blocks in file {vertex.path} of resource {vertex.name}'
-                                 f' for blocks: {dynamic_blocks}, error: {e}')
+                                 f' for blocks: {dynamic_blocks}', exc_info=True)
                     continue
 
                 changed_attributes = []

From db9422d2e4d98c2e0a432a8707414409af0b94bf Mon Sep 17 00:00:00 2001
From: ChanochShayner
Date: Wed, 16 Nov 2022 10:22:25 +0200
Subject: [PATCH 3/3] Lint fix

---
 checkov/terraform/graph_builder/variable_rendering/renderer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/checkov/terraform/graph_builder/variable_rendering/renderer.py b/checkov/terraform/graph_builder/variable_rendering/renderer.py
index 72a5430b5f0..3dff7bc72fc 100644
--- a/checkov/terraform/graph_builder/variable_rendering/renderer.py
+++ b/checkov/terraform/graph_builder/variable_rendering/renderer.py
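Review bot: `exc_info=True` attaches the traceback, but the message still interpolates `vertex.path`, `vertex.name` and the whole `dynamic_blocks` structure through an f-string, which is formatted eagerly even when INFO is disabled and can be sizeable for resources with many dynamic blocks. Passing them as lazy arguments keeps the message a constant that is easy to grep and defers formatting until the record is actually emitted: `logging.info('Failed to process dynamic blocks in file %s of resource %s for blocks: %s', vertex.path, vertex.name, dynamic_blocks, exc_info=True)`. `_render_dynamic_blocks` starts and ends outside the hunk.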
@@ -299,7 +299,7 @@ def _render_dynamic_blocks(self) -> None:
             if dynamic_blocks:
                 try:
                     rendered_blocks = self._process_dynamic_blocks(dynamic_blocks)
-                except Exception as e:
+                except Exception:
                     logging.info(f'Failed to process dynamic blocks in file {vertex.path} of resource {vertex.name}'
                                  f' for blocks: {dynamic_blocks}', exc_info=True)
                     continue
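Review bot: Dropping the unused `e` is right, but the handler still catches every `Exception` and then `continue`s at INFO level, so a resource whose dynamic blocks could not be rendered is scanned with those attributes left unrendered and the failure is invisible at the default log level; in a policy scanner that can present as a silently missed finding rather than an error. Since the traceback is already attached via `exc_info=True`, raising the severity is a one-word change, `logging.warning(...)`, which makes such resources stand out in CI output without changing the best-effort skip. If some of these failures are expected and noisy, INFO is still appropriate for the known-unsupported shapes that `_process_dynamic_blocks` already logs at INFO, with WARNING reserved for genuine exceptions. `_render_dynamic_blocks` continues outside the hunk.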