Syntax errors when terraform functions are used #7161

Closed
tberreis opened this issue May 16, 2025 · 2 comments

@tberreis
Contributor

Describe the issue
With release 3.2.415 (PR #7116), checkov started to throw syntax errors when functions are used in Terraform code.

Examples
Minimal example

# cat main.tf
locals {
  suffix = basename(abspath(path.module))
  name   = "foo-${local.suffix}"
}

output "test" {
  value = local.name
}

With checkov 3.2.414:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.414 -d /data --compact


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.414
Update available 3.2.414 -> 3.2.424
Run pip3 install -U checkov to update

With checkov 3.2.415:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.415 -d /data --compact
   foo-${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)
   ${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)
   foo-${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.415
Update available 3.2.415 -> 3.2.424
Run pip3 install -U checkov to update

However, the policies are checked correctly.

Example:

locals {
  suffix = basename(abspath(path.module))
  name   = "foo-${local.suffix}"
}

output "test" {
  value = local.name
}

resource "azurerm_storage_account" "this" {
  #checkov:skip=CKV2_AZURE_33
  name                            = "storageaccountname"
  resource_group_name             = azurerm_resource_group.example.name
  location                        = azurerm_resource_group.example.location
  account_tier                    = "Standard"
  account_replication_type        = "GRS"
  min_tls_version                 = TLS1_2
  public_network_access_enabled   = false
  shared_access_key_enabled       = false
  allow_nested_items_to_be_public = false

  blob_properties {
    delete_retention_policy {
      days = 7
    }
  }

  tags = {
    environment = "staging"
  }
}

With 3.2.414:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.414 -d /data --quiet --compact
terraform scan results:

Passed checks: 12, Failed checks: 2, Skipped checks: 1

Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:10-31
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:10-31
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key

With 3.2.415:

# docker run -v $PWD:/data --rm -it docker.io/bridgecrew/checkov:3.2.415 -d /data --quiet --compact
   foo-${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)
   ${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)
   foo-${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)
   ${azurerm_resource_group.example.location}
SyntaxError: invalid syntax (<unknown>, line 1)
   ${TLS1_2}
SyntaxError: invalid syntax (<unknown>, line 1)
   ${azurerm_resource_group.example.name}
SyntaxError: invalid syntax (<unknown>, line 1)
terraform scan results:

Passed checks: 12, Failed checks: 2, Skipped checks: 1

Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service for read, write and delete requests"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:10-31
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-logging-policies/enable-requests-on-storage-logging-for-queue-service
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted with Customer Managed Key"
        FAILED for resource: azurerm_storage_account.this
        File: /main.tf:10-31
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/azure-policies/azure-general-policies/ensure-storage-for-critical-data-are-encrypted-with-customer-managed-key

Version (please complete the following information):

  • Checkov Version 3.2.415+

Additional context
-/-
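
The comparison the report makes by hand (identical scan results, with extra `SyntaxError` lines in 3.2.415), as an added example that is not part of the original issue or of checkov itself. The sample outputs are constructed by shortening the runs shown above, and the function names are hypothetical.

```python
import re

NOISE = re.compile(r"^SyntaxError: .*\(<unknown>, line \d+\)\s*$")
SUMMARY = re.compile(r"Passed checks: (\d+), Failed checks: (\d+), Skipped checks: (\d+)")
CHECK = re.compile(r"^Check: (\S+):")
STATUS = re.compile(r"^\s+(PASSED|FAILED) for resource: (\S+)")

# Constructed samples: shortened from the 3.2.414 and 3.2.415 output in the issue.
CLEAN = """terraform scan results:

Passed checks: 12, Failed checks: 2, Skipped checks: 1

Check: CKV_AZURE_33: "Ensure Storage logging is enabled for Queue service"
        FAILED for resource: azurerm_storage_account.this
Check: CKV2_AZURE_1: "Ensure storage for critical data are encrypted"
        FAILED for resource: azurerm_storage_account.this
"""
NOISY = """   foo-${basename(abspath(path.module))}
SyntaxError: invalid syntax (<unknown>, line 1)
   ${TLS1_2}
SyntaxError: invalid syntax (<unknown>, line 1)
""" + CLEAN

def split_noise(text):
    """Return (expressions, clean_text): drop each SyntaxError line and the
    indented ${...} expression line printed directly before it."""
    kept, exprs = [], []
    for line in text.splitlines():
        if NOISE.match(line):
            if kept and kept[-1].startswith(" ") and "${" in kept[-1]:
                exprs.append(kept.pop().strip())
            continue
        kept.append(line)
    return exprs, "\n".join(kept)

def results(text):
    """Return (summary counts, set of (check_id, status, resource))."""
    _, clean = split_noise(text)
    m = SUMMARY.search(clean)
    summary = tuple(map(int, m.groups())) if m else None
    found, check_id = set(), None
    for line in clean.splitlines():
        if (c := CHECK.match(line)):
            check_id = c.group(1)
        elif (s := STATUS.match(line)) and check_id:
            found.add((check_id, s.group(1), s.group(2)))
    return summary, found

if __name__ == "__main__":
    print("noise expressions:", split_noise(NOISY)[0])
    print("results unchanged:", results(NOISY) == results(CLEAN))
```

Comparing `results()` across a checkov version bump in CI separates output noise like this from a real change in findings.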

tberreis added the noise label May 16, 2025
tberreis changed the title from "Syntax errors" to "Syntax errors when terraform functions are used" May 16, 2025
@olefemmy

This is related to #7144.

@tsmithv11
Collaborator

Should be fixed with #7172
