Open
Description
Describe the issue
The Checkov parser's ForeachEntityHandler is not correctly handling resources when Terraform functions (like concat()) are used within a locals block and in a for_each statement.
Examples
Failing Example
locals {
  fail = concat([
    "mail1",
    "mail2"
  ], ["mail3"])
}

resource "aws_sns_topic_subscription" "fail" {
  for_each  = toset(local.fail)
  topic_arn = aws_sns_topic.topic.arn
  protocol  = "email"
  endpoint  = each.value
}
This produces a single resource configuration in the graph instead of three separate resources:
{'__end_line__': 65, '__start_line__': 59, 'endpoint': ['each.value'], 'for_each': [{'mail3', 'mail1', 'mail2'}], 'protocol': ['email'], 'topic_arn': ['aws_sns_topic.topic.arn'], '__address__': 'aws_sns_topic_subscription.fail'}
Working Examples
- Using toset() in the locals definition:
locals {
  good = toset(concat([
    "mail1",
    "mail2"
  ], ["mail3"]))
}

resource "aws_sns_topic_subscription" "good2" {
  for_each  = local.good
  topic_arn = aws_sns_topic.topic.arn
  protocol  = "email"
  endpoint  = each.value
}
- Using the function directly in the for_each:
resource "aws_sns_topic_subscription" "good" {
  for_each  = toset(concat(["mail1", "mail2"], ["mail3"]))
  topic_arn = aws_sns_topic.topic.arn
  protocol  = "email"
  endpoint  = each.value
}
These working examples correctly expand to three separate resources:
{'__end_line__': 50, '__start_line__': 44, 'endpoint': ['mail3'], 'protocol': ['email'], 'topic_arn': ['aws_sns_topic.topic.arn'], '__address__': 'aws_sns_topic_subscription.good2["mail3"]'}
{'__end_line__': 50, '__start_line__': 44, 'endpoint': ['mail1'], 'protocol': ['email'], 'topic_arn': ['aws_sns_topic.topic.arn'], '__address__': 'aws_sns_topic_subscription.good2["mail1"]'}
{'__end_line__': 50, '__start_line__': 44, 'endpoint': ['mail2'], 'protocol': ['email'], 'topic_arn': ['aws_sns_topic.topic.arn'], '__address__': 'aws_sns_topic_subscription.good2["mail2"]'}
Desktop:
- OS: macOS 15 Sequoia
- Checkov Version: 3.2.440
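As an added illustration of the expansion the report expects (example code written for this page, not Checkov's ForeachEntityHandler or any other Checkov code), the following Python takes a rendered resource config in the same shape as the graph entries quoted above, with attribute values wrapped in one-element lists and the address in `__address__`, and expands its `for_each` into one entry per element with `each.key`/`each.value` rewritten. The input dicts are constructed to mirror the quoted output. Two points go beyond what the issue shows and are assumptions: a map-valued `for_each` is expanded with its own key/value pairs (standard Terraform semantics), and a `for_each` that cannot be resolved, such as an unevaluated `local.fail` string, is passed through as a single entry rather than expanded.

```python
"""Expand a Terraform ``for_each`` resource config into per-instance configs.

Added example for this issue, not Checkov's own code.  Input dicts mirror
the shape of the graph entries quoted in the report: attribute values are
wrapped in one-element lists and the address lives in ``__address__``.
"""
import copy


def _collection_items(value):
    """Return sorted (each.key, each.value) pairs for a rendered for_each value.

    A one-element list is the attribute wrapper seen in the quoted output
    (``'for_each': [{'mail3', 'mail1', 'mail2'}]``), so it is unwrapped first.
    A set (or list) yields key == value; a map yields its own key/value pairs
    (assumed Terraform semantics, not shown in the issue).  Anything else,
    e.g. the unresolved string ``'local.fail'``, is reported as None.
    """
    if isinstance(value, list) and len(value) == 1:
        value = value[0]
    if isinstance(value, dict):
        return sorted((str(k), str(v)) for k, v in value.items())
    if isinstance(value, (list, set, frozenset)):
        return sorted((str(v), str(v)) for v in value)
    return None


def _substitute(attr, key, val):
    """Rewrite each.key / each.value inside a (possibly list-wrapped) attribute."""
    if isinstance(attr, list):
        return [_substitute(a, key, val) for a in attr]
    if isinstance(attr, str):
        return attr.replace("each.value", val).replace("each.key", key)
    return attr


def expand_for_each(config):
    """Return one config per for_each element, or [config] if it cannot be resolved.

    A resolved collection produces the ``name["key"]`` addresses quoted for the
    working examples in the issue; an unresolvable collection is passed
    through unchanged as a single entry (an assumption of this example).
    """
    items = _collection_items(config.get("for_each"))
    if items is None:
        return [config]
    expanded = []
    for key, val in items:
        inst = copy.deepcopy(config)
        inst.pop("for_each")
        for attr, value in list(inst.items()):
            if not attr.startswith("__"):  # leave line numbers and address alone
                inst[attr] = _substitute(value, key, val)
        inst["__address__"] = f'{config["__address__"]}["{key}"]'
        expanded.append(inst)
    return expanded


# Constructed inputs modelled on the graph entry quoted for the failing example.
RESOLVED_CONFIG = {
    "__start_line__": 59, "__end_line__": 65,
    "for_each": [{"mail3", "mail1", "mail2"}],
    "topic_arn": ["aws_sns_topic.topic.arn"],
    "protocol": ["email"],
    "endpoint": ["each.value"],
    "__address__": "aws_sns_topic_subscription.fail",
}
# Same resource, but with the local reference left unevaluated (constructed).
UNRESOLVED_CONFIG = dict(RESOLVED_CONFIG, for_each=["local.fail"])
# Same resource driven by a map instead of a set (constructed; assumed semantics).
MAP_CONFIG = dict(RESOLVED_CONFIG, for_each=[{"ops": "ops@example.com"}])

if __name__ == "__main__":
    for cfg in (RESOLVED_CONFIG, UNRESOLVED_CONFIG, MAP_CONFIG):
        for inst in expand_for_each(cfg):
            print(inst["__address__"], inst.get("endpoint"))
```

Elements are sorted before expansion so the per-instance addresses come out in a stable order regardless of Python set iteration order; the three entries for `RESOLVED_CONFIG` carry the same `__start_line__`/`__end_line__` as the source config, as in the quoted output for the working examples.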