fix(terraform): fix invalid value in CKV_AWS_304 (#5301)

fix invalid value in CKV_AWS_304
bridgecrewio · Jul 9, 2023 · b830f21 · b830f21
1 parent ff8cec7
commit b830f21
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 13 deletions.
diff --git a/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py b/checkov/terraform/checks/resource/aws/SecretManagerSecret90days.py
@@ -1,23 +1,27 @@
+from __future__ import annotations
 
+from typing import Any
+
+from checkov.common.util.type_forcers import force_int
 from checkov.terraform.checks.resource.base_resource_check import BaseResourceCheck
 from checkov.common.models.enums import CheckCategories, CheckResult
 
 
 class SecretManagerSecret90days(BaseResourceCheck):
-
-    def __init__(self):
+    def __init__(self) -> None:
         name = "Ensure Secrets Manager secrets should be rotated within 90 days"
         id = "CKV_AWS_304"
-        supported_resources = ["aws_secretsmanager_secret_rotation"]
-        categories = [CheckCategories.GENERAL_SECURITY]
+        supported_resources = ("aws_secretsmanager_secret_rotation",)
+        categories = (CheckCategories.GENERAL_SECURITY,)
         super().__init__(name=name, id=id, categories=categories, supported_resources=supported_resources)
 
-    def scan_resource_conf(self, conf) -> CheckResult:
-        if conf.get("rotation_rules") and isinstance(conf.get("rotation_rules"), list):
-            rule = conf.get("rotation_rules")[0]
-            if rule.get('automatically_after_days') and isinstance(rule.get('automatically_after_days'), list):
-                days = rule.get('automatically_after_days')[0]
-                if days < 90:
+    def scan_resource_conf(self, conf: dict[str, list[Any]]) -> CheckResult:
+        rules = conf.get("rotation_rules")
+        if rules and isinstance(rules, list):
+            days = rules[0].get('automatically_after_days')
+            if days and isinstance(days, list):
+                days = force_int(days[0])
+                if days is not None and days < 90:
                     return CheckResult.PASSED
         return CheckResult.FAILED
 

diff --git a/tests/terraform/checks/resource/aws/example_SecretManagerSecret90days/main.tf b/tests/terraform/checks/resource/aws/example_SecretManagerSecret90days/main.tf
@@ -14,4 +14,13 @@ resource "aws_secretsmanager_secret_rotation" "fail" {
   rotation_rules {
     automatically_after_days = 90
   }
-}
+}
+
+resource "aws_secretsmanager_secret_rotation" "fail_2" {
+  secret_id           = aws_secretsmanager_secret.example.id
+  rotation_lambda_arn = aws_lambda_function.example.arn
+
+  rotation_rules {
+    automatically_after_days = var.days
+  }
+}
diff --git a/tests/terraform/checks/resource/aws/test_SecretManagerSecret90days.py b/tests/terraform/checks/resource/aws/test_SecretManagerSecret90days.py
@@ -20,10 +20,11 @@ def test(self):
         }
         failing_resources = {
             "aws_secretsmanager_secret_rotation.fail",
+            "aws_secretsmanager_secret_rotation.fail_2",
         }
 
-        passed_check_resources = set([c.resource for c in report.passed_checks])
-        failed_check_resources = set([c.resource for c in report.failed_checks])
+        passed_check_resources = {c.resource for c in report.passed_checks}
+        failed_check_resources = {c.resource for c in report.failed_checks}
 
         self.assertEqual(summary["passed"], len(passing_resources))
         self.assertEqual(summary["failed"], len(failing_resources))