From 0b6e29878fa9665519f9f967eca4cd5ae66470bb Mon Sep 17 00:00:00 2001
From: Steve Vaknin <62605534+SteveVaknin@users.noreply.github.com>
Date: Mon, 4 Mar 2024 17:51:44 +0200
Subject: [PATCH] fix(terraform): better handling of interpolation rendering in conditional expressions (#6062)
* Fix(terraform): better handling of interpolation rendering in conditional expressions
* fix lint missing blank space
* add tests and fix logic
---------
Co-authored-by: Steve Vaknin
---
 .../variable_rendering/evaluate_terraform.py | 18 +++++++++++++++---
 .../test_string_evaluation.py | 13 +++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
diff --git a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
index 350ee80d005..58b4f9190bd 100644
--- a/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
+++ b/checkov/terraform/graph_builder/variable_rendering/evaluate_terraform.py
@@ -56,6 +56,7 @@ def evaluate_terraform(input_str: Any, keep_interpolations: bool = True) -> Any:
 evaluated_value = evaluate_list_access(evaluated_value)
 evaluated_value = strip_double_quotes(evaluated_value)
 evaluated_value = evaluate_directives(evaluated_value)
+ evaluated_value = strip_interpolation_marks(evaluated_value)
 evaluated_value = evaluate_conditional_expression(evaluated_value)
 evaluated_value = evaluate_compare(evaluated_value)
 evaluated_value = evaluate_json_types(evaluated_value)
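Review bot: `strip_interpolation_marks`, which the added line now runs on every value at this stage, only tests that the string starts with `${` and ends with `}`, so a value holding two interpolations such as `${a}-${b}` (constructed example) would come out as `a}-${b`. The same test sat at the top of `evaluate_conditional_expression` before this commit, so the behaviour is inherited rather than new, but as a named helper it deserves either a guard or a stated assumption, e.g. `# assumes the whole string is a single ${...} expression`. Whether such a value can reach this point depends on the earlier steps of `evaluate_terraform`, whose body starts before and continues after this hunk.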
@@ -193,12 +194,23 @@ def strip_double_quotes(input_str: str) -> str:
 return input_str
-def evaluate_conditional_expression(input_str: str) -> str:
+def strip_interpolation_marks(input_str: str) -> str:
 if input_str.startswith("${") and input_str.endswith("}"):
- # just remove the needed char length of the interpolation marks
+ # remove the needed char length of the interpolation marks
 input_str = input_str[2:-1]
+ return input_str
+
+
+def evaluate_conditional_expression(input_str: str) -> str:
+ if input_str.startswith("['${") and input_str.endswith("}']"):
+ condition = find_conditional_expression_groups(input_str[5:-3])
+ if condition is not None:
+ input_str = input_str[5:-3]
+ else:
+ condition = find_conditional_expression_groups(input_str)
+ if condition is None:
+ return input_str
- condition = find_conditional_expression_groups(input_str)
 while condition:
 groups, start, end = condition
 if len(groups) != 3:
diff --git a/tests/terraform/graph/variable_rendering/test_string_evaluation.py b/tests/terraform/graph/variable_rendering/test_string_evaluation.py
index 483de5c394d..38636bd46c8 100644
--- a/tests/terraform/graph/variable_rendering/test_string_evaluation.py
+++ b/tests/terraform/graph/variable_rendering/test_string_evaluation.py
@@ -24,6 +24,19 @@ def test_condition(self):
 expected = 'smaller'
 self.assertEqual(expected, evaluate_terraform(input_str).strip())
+ def test_conditional_expression(self):
+ input_str = '"[\'${blocked == "allowed" ? True : False}\']"'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
+ input_str = '${blocked == "allowed" ? True : False}'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
+ input_str = 'blocked == "allowed" ? True : False'
+ expected = False
+ self.assertEqual(expected, evaluate_terraform(input_str))
+
 def test_format(self):
 input_str = '"format("Hello, %s!", "Ander")"'
 expected = 'Hello, Ander!'
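Review bot: The slice in the new list-wrapped branch of `evaluate_conditional_expression` looks off by one: the prefix it tests for, `['${`, is four characters, yet both uses of `input_str[5:-3]` drop five, so the first character of the expression is lost. If the prefix is as shown, `input_str[4:-3]` matches it, and taking the slice once (`inner = input_str[4:-3]`) and reusing it keeps the two uses from drifting apart. In a scanner this matters because a condition parsed from a truncated operand can select the wrong branch and hand a policy check the wrong value. The function's `while condition:` loop continues past the end of the hunk.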
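Review bot: All three cases in `test_conditional_expression` expect `False`, so the list-wrapped case would still pass if the expression were mis-sliced, since `locked` is no more equal to `"allowed"` than `blocked` is. The test should add a wrapped input whose condition holds and whose two branches differ, so that losing or altering a character of the left operand changes the asserted result. A short comment naming the three input shapes (list-wrapped interpolation, bare interpolation, plain expression) would also make the intent of each assertion clear.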