feat(terraform): support optional() type constraints in variable rendering#7502
Open
pszypowicz wants to merge 1 commit into
Open
feat(terraform): support optional() type constraints in variable rendering#7502pszypowicz wants to merge 1 commit into
pszypowicz wants to merge 1 commit into
Conversation
pszypowicz
had a problem deploying
to
scan-security
GitHub Actions
Failure
pszypowicz
force-pushed
the
fix/support-optional-type-constraints
branch
from
7cf76a2 to
4e1d174
Compare
pszypowicz
had a problem deploying
to
scan-security
GitHub Actions
Failure
pszypowicz
force-pushed
the
fix/support-optional-type-constraints
branch
from
4e1d174 to
8e54d12
Compare
pszypowicz
had a problem deploying
to
scan-security
GitHub Actions
Failure
pszypowicz
force-pushed
the
fix/support-optional-type-constraints
branch
from
8e54d12 to
46bc64d
Compare
pszypowicz
had a problem deploying
to
scan-security
GitHub Actions
Failure
pszypowicz
force-pushed
the
fix/support-optional-type-constraints
branch
from
46bc64d to
f182e07
Compare
pszypowicz
had a problem deploying
to
scan-security
GitHub Actions
Failure
pszypowicz
force-pushed
the
fix/support-optional-type-constraints
branch
from
f182e07 to
b1cf868
Compare
pszypowicz
had a problem deploying
to
scan-security
GitHub Actions
Failure
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves #4874
When a Terraform variable uses
optional(type, default)in its type constraint and the caller omits that field, checkov does not resolve the default value. This causes false-positive/false-negative check results -- for example,optional(string, "RSA-HSM")for a Key Vault key type is not resolved, so CKV_AZURE_112 (KeyBackedByHSM) incorrectly fails.Changes
optional_type_parsermodule that parsesoptional()defaults from type constraint strings, with recursive descent into nested objects at arbitrary depth (map/list/set/object at every level)extract_value_from_vertex)each.value.a.b.cmulti-level path resolution in the for_each handler -- the old code only tooksplit('.')[-1], breaking nested object access. The fix reuses the existingfind_in_dictutility. Also handles array indexing (each.value.items[0].field) and multiple references in one expression (merge(each.value.tags, {Name = each.value.name}))Test plan
for_eachexpansion, direct variable reference, 3-level nested object resolutionlist(object)PASS/FAIL +map(object)nested PASS/FAIL