diff --git a/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py b/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
index 314759268ff..266043f7f99 100644
--- a/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
+++ b/checkov/terraform/checks/resource/gcp/GKEPodSecurityPolicyEnabled.py
@@ -26,7 +26,10 @@ def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
splitter = raw.split(".")
if len(splitter) >= 2:
str_version = splitter[0] + "." + splitter[1]
- version = float(str_version)
+ try:
+ version = float(str_version)
+ except (ValueError, IndexError):
+ return CheckResult.UNKNOWN
if version < 1.25:
if conf.get('pod_security_policy_config') and isinstance(conf.get('pod_security_policy_config'), list):
policy = conf.get('pod_security_policy_config')[0]
diff --git a/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py b/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py
index 5995d9771ed..6ef354c255a 100644
--- a/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py
+++ b/checkov/terraform/checks/resource/gcp/GKEUseCosImage.py
@@ -21,7 +21,10 @@ def scan_resource_conf(self, conf):
splitter = raw.split(".")
if len(splitter) >= 2:
- version = float(splitter[0] + "." + splitter[1])
+ try:
+ version = float(splitter[0] + "." + splitter[1])
+ except (ValueError, IndexError):
+ return CheckResult.UNKNOWN
if version >= 1.24:
return CheckResult.UNKNOWN
diff --git a/tests/terraform/checks/resource/gcp/example_GKEPodSecurityPolicyEnabled/main.tf b/tests/terraform/checks/resource/gcp/example_GKEPodSecurityPolicyEnabled/main.tf
index 2cce34d39fa..0920dac8e04 100644
--- a/tests/terraform/checks/resource/gcp/example_GKEPodSecurityPolicyEnabled/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_GKEPodSecurityPolicyEnabled/main.tf
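Review bot: The `except (ValueError, IndexError)` clause added in GKEPodSecurityPolicyEnabled catches an exception the guarded line cannot raise: `str_version` is built on the line above from `splitter[0]` and `splitter[1]`, which are already protected by `if len(splitter) >= 2`, so `float(str_version)` can only raise `ValueError` and the `IndexError` arm is dead code that would hide a genuine indexing bug as UNKNOWN. The float encoding is also the wrong order for minor versions below 10 — `"1.9.x"` parses to 1.9, which is not `< 1.25`, so such a cluster would skip the PSP branch entirely; comparing integer tuples fixes both points at once. Replace the guarded line with `major, minor = int(splitter[0]), int(splitter[1])`, the handler with `except ValueError:`, and the comparison with `if (major, minor) < (1, 25):`, dropping the now-unused `str_version` line. Whether pre-1.10 GKE versions still matter to this check I cannot tell from the hunk, but the tuple form costs nothing. scan_resource_conf starts and ends outside the hunk.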
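Review bot: The `IndexError` arm of the new `except` in GKEUseCosImage is unreachable as well: the `if len(splitter) >= 2:` guard above the try guarantees both indices exist, so only `ValueError` from `float()` can fire, and catching only that keeps an unrelated bug from being silently reported as UNKNOWN. The float encoding additionally makes `version >= 1.24` true for any cluster whose minor version is a single digit (`"1.9.x"` → 1.9), so those would be returned as UNKNOWN instead of being checked for the COS image. Suggested lines: `major, minor = int(splitter[0]), int(splitter[1])` inside the try, `except ValueError:` as the handler, and `if (major, minor) >= (1, 24):` for the comparison. The body of scan_resource_conf continues past the hunk in both directions.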
@@ -24,5 +24,12 @@ resource "google_container_cluster" "fail2" {
}
}
+resource "google_container_cluster" "unknown3" {
+ min_master_version = "not_a_float"
+ pod_security_policy_config {
+ enabled = false
+ }
+}
+
diff --git a/tests/terraform/checks/resource/gcp/example_GKEUseCosImage/main.tf b/tests/terraform/checks/resource/gcp/example_GKEUseCosImage/main.tf
index 236c141fde1..f9f92fb9dd9 100644
--- a/tests/terraform/checks/resource/gcp/example_GKEUseCosImage/main.tf
+++ b/tests/terraform/checks/resource/gcp/example_GKEUseCosImage/main.tf
@@ -172,3 +172,61 @@ resource "google_container_node_pool" "unknown" {
version = "1.25.10-gke.36"
zone = "us-west1"
}
+
+
+resource "google_container_node_pool" "unknown2" {
+ autoscaling {
+ max_node_count = "4"
+ min_node_count = "1"
+ }
+
+ cluster = google_container_cluster.tfer.name
+ initial_node_count = "2"
+ location = "us-west1"
+
+ management {
+ auto_repair = "true"
+ auto_upgrade = "true"
+ }
+
+ max_pods_per_node = "110"
+ name = "async-pool-2"
+
+ node_config {
+ disk_size_gb = "400"
+ disk_type = "pd-ssd"
+
+ labels = {
+ async = "true"
+ }
+
+ local_ssd_count = "0"
+ machine_type = "custom-32-65536"
+
+ metadata = {
+ async = "true"
+ disable-legacy-endpoints = "true"
+ }
+
+ oauth_scopes = ["https://www.googleapis.com/auth/cloud-platform"]
+ preemptible = "false"
+ service_account = "default"
+
+ shielded_instance_config {
+ enable_integrity_monitoring = "true"
+ enable_secure_boot = "true"
+ }
+ }
+
+ node_count = "1"
+ node_locations = ["us-west1-b", "us-west1-a"]
+ project = "test-project"
+
+ upgrade_settings {
+ max_surge = "1"
+ max_unavailable = "0"
+ }
+
+ version = lookup(each.value,"auto_upgrade",True) ? "" : lookup(each.value,"version",latest)
+ zone = "us-west1"
+}
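Review bot: The new `unknown3` fixture does not reach the code path this commit adds: `min_master_version = "not_a_float"` contains no `.`, so `raw.split(".")` in the check yields a single element, `len(splitter) >= 2` is false and the new `try`/`except` is never entered — the resource presumably ends up UNKNOWN through the pre-existing fall-through, which would have passed before the fix too. A value with a dot but a non-numeric component actually exercises the handler, e.g. `min_master_version = "1.x"`. Keeping both variants would cover the no-dot path as well.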
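Review bot: The `version` line of the new `unknown2` fixture carries no explanation of why it is written as an unevaluable expression — `True` and `latest` are bare identifiers and `each.value` has no `for_each` on the resource — so a later reader may "fix" it into a literal and quietly lose the regression. A comment above it such as `# unresolved HCL expression: the check must return UNKNOWN instead of raising in float()` would pin the intent; I infer that intent from the resource name and the Python hunks rather than from anything in the fixture itself. The remaining ~50 attributes play no role in version parsing and could be trimmed if this fixture exists only for that case.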