diff --git a/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py b/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py
index 78e4c8ed90c..fb8ad4f87fd 100644
--- a/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py
+++ b/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryption.py
@@ -16,6 +16,8 @@ def scan_resource_conf(self, conf):
 if policy.get("action") and isinstance(policy.get("action"), list):
 actions = policy.get("action")
 for idx, action in enumerate(actions):
+ if not isinstance(action, dict) or not action:
+ return CheckResult.UNKNOWN
 if action.get("cross_region_copy") and isinstance(action.get("cross_region_copy"), list):
 cross = action.get("cross_region_copy")[0]
 if cross.get("encryption_configuration") and isinstance(cross.get("encryption_configuration"), list):
diff --git a/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py b/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py
index ce16916360a..431f3ac2985 100644
--- a/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py
+++ b/checkov/terraform/checks/resource/aws/DLMEventsCrossRegionEncryptionWithCMK.py
@@ -16,6 +16,8 @@ def scan_resource_conf(self, conf):
 if policy.get("action") and isinstance(policy.get("action"), list):
 actions = policy.get("action")
 for idx, action in enumerate(actions):
+ if not isinstance(action, dict) or not action:
+ return CheckResult.UNKNOWN
 if action.get("cross_region_copy") and isinstance(action.get("cross_region_copy"), list):
 cross = action.get("cross_region_copy")[0]
 if cross.get("encryption_configuration") and isinstance(cross.get("encryption_configuration"), list):
diff --git a/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryption/main.tf b/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryption/main.tf
index ff4b52f46ce..7762d5cd618 100644
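Review bot: The added guard returns `CheckResult.UNKNOWN` from inside the `for idx, action in enumerate(actions)` loop, so one empty or non-dict entry ends the scan before any later action is inspected; if a later action carries an unencrypted `cross_region_copy`, the resource would presumably be reported as unknown rather than failed. Skipping the entry keeps the crash fix without that gap: `if not isinstance(action, dict) or not action: continue`, with UNKNOWN returned after the loop only when no action could be evaluated. The same shape problem remains one level down, where `cross = action.get("cross_region_copy")[0]` is followed by `cross.get(...)` with no type check on `cross`. All of this applies equally to the identical hunk in DLMEventsCrossRegionEncryptionWithCMK.py. The body of scan_resource_conf starts and ends outside the hunk, so how the loop reports its result is not visible here.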
--- a/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryption/main.tf
+++ b/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryption/main.tf
@@ -107,4 +107,38 @@ resource "aws_dlm_lifecycle_policy" "fail2" {
 }
 }
 }
+}
+
+resource "aws_dlm_lifecycle_policy" "unknown" {
+ description = "example DLM lifecycle policy"
+ execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+ state = "ENABLED"
+
+ policy_details {
+ resource_types = ["VOLUME"]
+
+ schedule {
+ name = "2 weeks of daily snapshots"
+
+ create_rule {
+ interval = 24
+ interval_unit = "HOURS"
+ times = ["23:45"]
+ }
+
+ retain_rule {
+ count = 14
+ }
+
+ tags_to_add = {
+ SnapshotCreator = "DLM"
+ }
+
+ copy_tags = false
+ }
+
+ target_tags = {
+ Snapshot = "true"
+ }
+ }
 }
\ No newline at end of file
diff --git a/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryptionWithCMK/main.tf b/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryptionWithCMK/main.tf
index 325c7789638..65103b3e216 100644
--- a/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryptionWithCMK/main.tf
+++ b/tests/terraform/checks/resource/aws/example_DLMEventsCrossRegionEncryptionWithCMK/main.tf
@@ -106,4 +106,38 @@ resource "aws_dlm_lifecycle_policy" "fail2" {
 }
 }
 }
+}
+
+resource "aws_dlm_lifecycle_policy" "unknown" {
+ description = "example DLM lifecycle policy"
+ execution_role_arn = aws_iam_role.dlm_lifecycle_role.arn
+ state = "ENABLED"
+
+ policy_details {
+ resource_types = ["VOLUME"]
+
+ schedule {
+ name = "2 weeks of daily snapshots"
+
+ create_rule {
+ interval = 24
+ interval_unit = "HOURS"
+ times = ["23:45"]
+ }
+
+ retain_rule {
+ count = 14
+ }
+
+ tags_to_add = {
+ SnapshotCreator = "DLM"
+ }
+
+ copy_tags = false
+ }
+
+ target_tags = {
+ Snapshot = "true"
+ }
+ }
 }
\ No newline at end of file
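Review bot: The new `unknown` fixture contains no `action` block, so on the lines visible in the check, `policy.get("action")` would be falsy and the added `isinstance(action, dict)` guard does not look reachable from this resource. If the intent is to cover the guard, the fixture should include the input shape that triggered the crash (an `action` entry that parses as empty or non-dict), and a short comment above the resource, for example `# action missing/unresolved: check must return UNKNOWN, not crash`, would state what is expected. The identical fixture added to example_DLMEventsCrossRegionEncryptionWithCMK/main.tf has the same gap. The test module that asserts on these resource names is not visible here, so the expected result cannot be confirmed from this diff.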