fix(terraform): handle no action in aws_dlm_lifecycle_policy (#5905)

* handle no action * check if dict
bridgecrewio · Jan 4, 2024 · 70c36a6 · 70c36a6
1 parent 5b7286a
commit 70c36a6
Show file tree

Hide file tree

Showing 4 changed files with 72 additions and 0 deletions.
diff --git a/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py b/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py
@@ -16,6 +16,8 @@ def scan_resource_conf(self, conf):
             if policy.get("action") and isinstance(policy.get("action"), list):
                 actions = policy.get("action")
                 for idx, action in enumerate(actions):
+                    if not isinstance(action, dict) or not action:
+                        return CheckResult.UNKNOWN
                     if action.get("cross_region_copy") and isinstance(action.get("cross_region_copy"), list):
                         cross = action.get("cross_region_copy")[0]
                         if cross.get("encryption_configuration") and isinstance(cross.get("encryption_configuration"), list):

diff --git a/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py b/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py
@@ -16,6 +16,8 @@ def scan_resource_conf(self, conf):
             if policy.get("action") and isinstance(policy.get("action"), list):
                 actions = policy.get("action")
                 for idx, action in enumerate(actions):
+                    if not isinstance(action, dict) or not action:
+                        return CheckResult.UNKNOWN
                     if action.get("cross_region_copy") and isinstance(action.get("cross_region_copy"), list):
                         cross = action.get("cross_region_copy")[0]
                         if cross.get("encryption_configuration") and isinstance(cross.get("encryption_configuration"), list):

diff --git a/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryption/main.tf b/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryption/main.tf
@@ -107,4 +107,38 @@ resource "aws_dlm_lifecycle_policy" "fail2" {
       }
     }
   }
+}
+
+resource "aws_dlm_lifecycle_policy" "unknown" {
+  description        = "example DLM lifecycle policy"
+  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+  state              = "ENABLED"
+
+  policy_details {
+    resource_types = ["VOLUME"]
+
+    schedule {
+      name = "2 weeks of daily snapshots"
+
+      create_rule {
+        interval      = 24
+        interval_unit = "HOURS"
+        times         = ["23:45"]
+      }
+
+      retain_rule {
+        count = 14
+      }
+
+      tags_to_add = {
+        SnapshotCreator = "DLM"
+      }
+
+      copy_tags = false
+    }
+
+    target_tags = {
+      Snapshot = "true"
+    }
+  }
 }
diff --git a/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryptionWithCMK/main.tf b/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryptionWithCMK/main.tf
@@ -106,4 +106,38 @@ resource "aws_dlm_lifecycle_policy" "fail2" {
       }
     }
   }
+}
+
+resource "aws_dlm_lifecycle_policy" "unknown" {
+  description        = "example DLM lifecycle policy"
+  execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+  state              = "ENABLED"
+
+  policy_details {
+    resource_types = ["VOLUME"]
+
+    schedule {
+      name = "2 weeks of daily snapshots"
+
+      create_rule {
+        interval      = 24
+        interval_unit = "HOURS"
+        times         = ["23:45"]
+      }
+
+      retain_rule {
+        count = 14
+      }
+
+      tags_to_add = {
+        SnapshotCreator = "DLM"
+      }
+
+      copy_tags = false
+    }
+
+    target_tags = {
+      Snapshot = "true"
+    }
+  }
 }