fix(terraform_json): support CDKTF output in CKV_TF_3 (#6918)

support CDKTF output in CKV_TF_3

checkov/terraform/checks/terraform/terraform/StateLock.py

@@ -23,7 +23,11 @@ def scan_terraform_block_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
             return CheckResult.UNKNOWN
 
         s3_config = backend["s3"]
-        if ("use_lockfile" not in s3_config or not s3_config["use_lockfile"]) and "dynamodb_table" not in s3_config:
+        if isinstance(s3_config, list):
+            # this can happen for CDKTF output files
+            s3_config = s3_config[0]
+
+        if not s3_config.get("use_lockfile") and "dynamodb_table" not in s3_config:
             return CheckResult.FAILED
         return CheckResult.PASSED
 

tests/terraform/checks/terraform/terraform/resources/lock/fail.cdk.tf.json

@@ -0,0 +1,13 @@
+{
+  "terraform": {
+    "backend": {
+      "s3": {
+        "bucket": "example-bucket",
+        "encrypt": true,
+        "key": "path/to/state",
+        "profile": "example",
+        "region": "eu-central-1"
+      }
+    }
+  }
+}

tests/terraform/checks/terraform/terraform/resources/lock/pass.cdk.tf.json

@@ -0,0 +1,14 @@
+{
+  "terraform": {
+    "backend": {
+      "s3": {
+        "bucket": "example-bucket",
+        "dynamodb_table": "terraform-locks",
+        "encrypt": true,
+        "key": "path/to/state",
+        "profile": "example",
+        "region": "eu-central-1"
+      }
+    }
+  }
+}

tests/terraform/checks/terraform/terraform/test_StateLock.py

@@ -1,10 +1,11 @@
 import os
 import unittest
+from pathlib import Path
 
 from checkov.runner_filter import RunnerFilter
 from checkov.terraform.checks.terraform.terraform.StateLock import check
-from checkov.common.models.enums import CheckResult
 from checkov.terraform.runner import Runner
+from checkov.terraform_json.runner import TerraformJsonRunner
 
 
 class TestStateLock(unittest.TestCase):
@@ -18,23 +19,53 @@ def test(self):
         )
         summary = report.get_summary()
 
-        passing_resources = {
-            "terraform",
+        # using file paths, because the resources have all the same name
+        passing_file_paths = {
+            "pass.tf",
+            "pass_dynamodb_table.tf",
         }
-        failing_resources = {
-            "terraform",
+        failing_file_paths = {
+            "fail1.tf",
         }
 
-        passed_check_resources = set([c.resource for c in report.passed_checks])
-        failed_check_resources = set([c.resource for c in report.failed_checks])
+        passed_check_file_paths = {Path(c.file_path).name for c in report.passed_checks}
+        failed_check_file_paths = {Path(c.file_path).name for c in report.failed_checks}
 
         self.assertEqual(summary["passed"], 2)
         self.assertEqual(summary["failed"], 1)
         self.assertEqual(summary["skipped"], 0)
         self.assertEqual(summary["parsing_errors"], 0)
 
-        self.assertEqual(passing_resources, passed_check_resources)
-        self.assertEqual(failing_resources, failed_check_resources)
+        self.assertEqual(passing_file_paths, passed_check_file_paths)
+        self.assertEqual(failing_file_paths, failed_check_file_paths)
+
+    def test_tf_json(self):
+        runner = TerraformJsonRunner()
+
+        test_files_dir = Path(__file__).parent / "resources/lock"
+        report = runner.run(
+            root_folder=str(test_files_dir), runner_filter=RunnerFilter(checks=[check.id])
+        )
+        summary = report.get_summary()
+
+        # using file paths, because the resources have all the same name
+        passing_file_paths = {
+            "pass.cdk.tf.json",
+        }
+        failing_file_paths = {
+            "fail.cdk.tf.json",
+        }
+
+        passed_check_file_paths = {Path(c.file_path).name for c in report.passed_checks}
+        failed_check_file_paths = {Path(c.file_path).name for c in report.failed_checks}
+
+        self.assertEqual(summary["passed"], 1)
+        self.assertEqual(summary["failed"], 1)
+        self.assertEqual(summary["skipped"], 0)
+        self.assertEqual(summary["parsing_errors"], 0)
+
+        self.assertEqual(passing_file_paths, passed_check_file_paths)
+        self.assertEqual(failing_file_paths, failed_check_file_paths)
 
 
 if __name__ == '__main__':