Support merge inside jsondecode

bridgecrewio · Oct 17, 2023 · f5f6b1d · f5f6b1d
1 parent 48d1cd6
commit f5f6b1d
Show file tree

Hide file tree

Showing 4 changed files with 85 additions and 0 deletions.
diff --git a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
@@ -67,9 +67,20 @@ def evaluate_terraform(input_str: Any, keep_interpolations: bool = True) -> Any:
     elif not keep_interpolations and second_evaluated_value == value_after_removing_interpolations:
         return value_before_removing_interpolations
     else:
+        second_evaluated_value = _eval_merge_as_list(second_evaluated_value)
         return second_evaluated_value
 
 
+def _eval_merge_as_list(eval_value: Any) -> Any:
+    """
+    Edge case for an eval in eval.
+    UT for this: test_jsonpath_equals_ecs_with_merge
+    """
+    if eval_value and isinstance(eval_value, list) and isinstance(eval_value[0], str) and eval_value[0].startswith('merge'):
+        return _try_evaluate(eval_value[0])
+    return eval_value
+
+
 def _try_evaluate(input_str: Union[str, bool]) -> Any:
     try:
         return evaluate(input_str)  # type:ignore[arg-type]

diff --git a/...s/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/EcsWithMerge.yaml b/...s/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/EcsWithMerge.yaml
@@ -0,0 +1,12 @@
+
+metadata:
+  id: "CUSTOM_003"
+scope:
+  provider: "AWS"
+definition:
+  cond_type: "attribute"
+  resource_types:
+    - "aws_ecs_task_definition"
+  attribute: "container_definitions.*.image"
+  operator: "equals"
+  value: "service-first"
diff --git a/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py b/tests/terraform/graph/checks_infra/attribute_solvers/jsonpath_equals_solver/test_solver.py
@@ -39,3 +39,12 @@ def test_jsonpath_equals_azure_rule(self):
         expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
 
         self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
+
+    def test_jsonpath_equals_ecs_with_merge(self):
+        root_folder = '../../../resources/ecs_with_merge'
+        check_id = "CUSTOM_003"
+        should_pass = ['aws_ecs_task_definition.service01']
+        should_fail = ['aws_ecs_task_definition.service02']
+        expected_results = {check_id: {"should_pass": should_pass, "should_fail": should_fail}}
+
+        self.run_test(root_folder=root_folder, expected_results=expected_results, check_id=check_id)
diff --git a/tests/terraform/graph/resources/ecs_with_merge/main.tf b/tests/terraform/graph/resources/ecs_with_merge/main.tf
@@ -0,0 +1,53 @@
+resource "aws_ecs_task_definition" "service01" {
+  family = "service"
+  container_definitions = jsonencode([
+    merge(
+      {
+        name  = "first"
+        image = "service-first"
+      },
+      {
+        cpu       = 10
+        memory    = 512
+        essential = true
+        portMappings = [
+          {
+            containerPort = 80
+            hostPort      = 80
+          }
+        ]
+      }
+    )
+  ])
+  volume {
+    name      = "service-storage"
+    host_path = "/ecs/service-storage"
+  }
+}
+
+resource "aws_ecs_task_definition" "service02" {
+  family = "service"
+  container_definitions = jsonencode([
+    merge(
+      {
+        name  = "first"
+        image = "service"
+      },
+      {
+        cpu       = 10
+        memory    = 512
+        essential = true
+        portMappings = [
+          {
+            containerPort = 80
+            hostPort      = 80
+          }
+        ]
+      }
+    )
+  ])
+  volume {
+    name      = "service-storage"
+    host_path = "/ecs/service-storage"
+  }
+}