fix(terraform): Fix crash when version isn't a float (#6783)

* Catch non-floats * Add tests * fix test
bridgecrewio · Oct 21, 2024 · a873b20 · a873b20
1 parent 398496e
commit a873b20
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 2 deletions.
diff --git a/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py b/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
@@ -26,7 +26,10 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
             splitter = raw.split(".")
             if len(splitter) >= 2:
                 str_version = splitter[0] + "." + splitter[1]
-                version = float(str_version)
+                try:
+                    version = float(str_version)
+                except (ValueError, IndexError):
+                    return CheckResult.UNKNOWN
                 if version < 1.25:
                     if conf.get('pod_security_policy_config') and isinstance(conf.get('pod_security_policy_config'), list):
                         policy = conf.get('pod_security_policy_config')[0]

diff --git a/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py b/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py
@@ -21,7 +21,10 @@ def scan_resource_conf(self, conf):
             splitter = raw.split(".")
 
             if len(splitter) >= 2:
-                version = float(splitter[0] + "." + splitter[1])
+                try:
+                    version = float(splitter[0] + "." + splitter[1])
+                except (ValueError, IndexError):
+                    return CheckResult.UNKNOWN
                 if version >= 1.24:
                     return CheckResult.UNKNOWN
 

diff --git a/tests/terraform/checks/resource/gcp/example_GKEPodSecurityPolicyEnabled/main.tf b/tests/terraform/checks/resource/gcp/example_GKEPodSecurityPolicyEnabled/main.tf
@@ -24,5 +24,12 @@ resource "google_container_cluster" "fail2" {
   }
 }
 
+resource "google_container_cluster" "unknown3" {
+  min_master_version = "not_a_float"
+    pod_security_policy_config {
+    enabled = false
+  }
+}
+
 
 
diff --git a/tests/terraform/checks/resource/gcp/example_GKEUseCosImage/main.tf b/tests/terraform/checks/resource/gcp/example_GKEUseCosImage/main.tf
@@ -172,3 +172,61 @@ resource "google_container_node_pool" "unknown" {
   version = "1.25.10-gke.36"
   zone    = "us-west1"
 }
+
+
+resource "google_container_node_pool" "unknown2" {
+  autoscaling {
+    max_node_count = "4"
+    min_node_count = "1"
+  }
+
+  cluster            = google_container_cluster.tfer.name
+  initial_node_count = "2"
+  location           = "us-west1"
+
+  management {
+    auto_repair  = "true"
+    auto_upgrade = "true"
+  }
+
+  max_pods_per_node = "110"
+  name              = "async-pool-2"
+
+  node_config {
+    disk_size_gb = "400"
+    disk_type    = "pd-ssd"
+
+    labels = {
+      async = "true"
+    }
+
+    local_ssd_count = "0"
+    machine_type    = "custom-32-65536"
+
+    metadata = {
+      async                    = "true"
+      disable-legacy-endpoints = "true"
+    }
+
+    oauth_scopes    = ["https://www.googleapis.com/auth/cloud-platform"]
+    preemptible     = "false"
+    service_account = "default"
+
+    shielded_instance_config {
+      enable_integrity_monitoring = "true"
+      enable_secure_boot          = "true"
+    }
+  }
+
+  node_count     = "1"
+  node_locations = ["us-west1-b", "us-west1-a"]
+  project        = "test-project"
+
+  upgrade_settings {
+    max_surge       = "1"
+    max_unavailable = "0"
+  }
+
+  version = lookup(each.value,"auto_upgrade",True) ? "" : lookup(each.value,"version",latest)
+  zone    = "us-west1"
+}