fix(terraform_plan): Add provisioners to TF Plan parser

[tsmithv11]

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

Add provisioners to TF Plan parser to support local-exec policies

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have added tests that prove my feature, policy, or fix is effective and works
• New and existing tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

[gruebel]

I think the problem with this approach is, that the provisioners in HCL looks different than in the plan file. So, a custom policy would need to cover both cases.

[tsmithv11]

@gruebel good callout. I've updated it to match as best I could, but note that Terraform transforms the command and removes some of it, so it won't match completely. Now this policy:

metadata:
 name: "Test"
 id: "CKV2_CUSTOM_1"
 guidelines: "Policy description"
 category: "GENERAL_SECURITY"
scope:
  provider: "aws"
definition:
  cond_type: attribute
  resource_types:
    - aws_instance
  attribute: "provisioner/local-exec"
  operator: not_exists

Works for both TF and Plan files using all methods documented here: https://developer.hashicorp.com/terraform/language/resources/provisioners/syntax

[gruebel]

sounds good

[gruebel]

🍻

[junhu73]

@tsmithv11 , do you think there is bug here with item['expressions']['command'] since type is not checked and remote and file provisioners (or future provisioners) does not have the key "command" in the Terraform plan file. We are seeing this error with checkov (where checkov just exits silently and indicates nothing scanned.

Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/checkov/common/parallelizer/parallel_runner.py", line 72, in func_wrapper
result = original_func(*item)
File "/usr/local/lib/python3.9/dist-packages/checkov/common/runners/runner_registry.py", line 835, in _parallel_run
report = runner.run(
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/plan_runner.py", line 118, in run
self.definitions, definitions_raw = create_definitions(root_folder, files, runner_filter, parsing_errors)
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/plan_utils.py", line 54, in create_definitions
current_tf_definitions, current_definitions_raw = parse_tf_plan(file, out_parsing_errors)
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/plan_parser.py", line 395, in parse_tf_plan
module_blocks = _find_child_modules(
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/plan_parser.py", line 258, in _find_child_modules
resource_block, block_type, prepared = _prepare_resource_block(
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/plan_parser.py", line 209, in _prepare_resource_block
resource_conf["provisioner"] = _get_provisioner(provisioners)
File "/usr/local/lib/python3.9/dist-packages/checkov/terraform/plan_parser.py", line 425, in _get_provisioner
command_value = item['expressions']['command']
KeyError: 'command'

def _get_provisioner(input_data: List[Any]) -> List[Any]:
result = []
for item in input_data:
key = item['type']
command_value = item['expressions']['command']
if not isinstance(command_value, list):
command_value = [command_value]
transformed_item = {key: {'command': command_value}}
result.append(transformed_item)
return result

[tsmithv11]

Thanks, @junhu73. Fixed here: #6606