fix(terraform_plan): Correctly handle complex types for after_unknown (#7333)

bo156 · web-flow · commit 3466ef521fea · 2025-10-15T14:14:10.000+03:00
* Correctly handle complex types for after_unknown

* Fixed typo
diff --git a/checkov/terraform/plan_parser.py b/checkov/terraform/plan_parser.py
@@ -265,20 +265,60 @@ def _handle_complex_after_unknown(k: str, resource_conf: dict[str, Any], v: Any)
         if inner_key not in resource_conf_value and isinstance(resource_conf_value, list):
             for i in range(len(resource_conf_value)):
                 if isinstance(resource_conf_value[i], dict):
-                    if _validate_after_unknown_list_not_empty(inner_key, k, resource_conf_value[i]):
-                        resource_conf_value[i][inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
+                    _update_after_unknown_in_complex_types(inner_key, resource_conf_value[i])
                 elif isinstance(resource_conf_value[i], list) and isinstance(resource_conf_value[i][0], dict):
-                    if _validate_after_unknown_list_not_empty(inner_key, k, resource_conf_value[i][0]):
-                        resource_conf_value[i][0][inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
+                    _update_after_unknown_in_complex_types(inner_key, resource_conf_value[i][0])
 
 
-def _validate_after_unknown_list_not_empty(inner_key: str, k: str, value: dict[str, Any]) -> bool:
+def _update_after_unknown_in_complex_types(inner_key: str, value: dict[str, Any]) -> None:
     """
-    If the inner key is a list - we want to check it's not empty, if not we handle it in the original way.
+    Based on terraform docs, in complex types like list/dict some values might be known while others are not.
+    So when trying to update the info shared from the `after_unknown`, we only want to update the specific items in
+    those objects which are unknown.
+    For example, in the conf:
+    ```
+    "after": {
+        "outer": [
+            {"tag1": 1}
+        ]
+    },
+    "after_unknown": {
+        "outer": [
+            {},  -> the value is known from the "after" section, we don't want to touch it
+            true -> the value is unknown, we want to replace it with `TRUE_AFTER_UNKNOWN`
+        ]
+    }.
+
+    Full result for resource conf:
+    ```
+    "outer": [{"tag1": 1}, `TRUE_AFTER_UNKNOWN`]
+    ```
+    ```
     """
-    return ((inner_key not in value) or
-            (inner_key in value and not isinstance(value[inner_key], list)) or
-            (isinstance(value[inner_key], list) and value[inner_key] != [] and value[inner_key][0] != []))
+    if inner_key not in value:
+        value[inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
+        return
+    inner_value = value[inner_key]
+    if isinstance(inner_value, str) and inner_value.lower() == "true":
+        value[inner_key] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
+    if isinstance(inner_value, list):
+        for i, v in enumerate(inner_value):
+            if isinstance(v, str) and v.lower() == "true":
+                inner_value[i] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
+            if isinstance(v, dict):
+                _handle_after_unknown_dict(v)
+    if isinstance(inner_value, dict):
+        for k, v in inner_value.items():
+            if isinstance(v, str) and v.lower() == "true":
+                inner_value[k] = _clean_simple_type_list([TRUE_AFTER_UNKNOWN])
+            if isinstance(v, dict):
+                _handle_after_unknown_dict(v)
+    return
+
+
+def _handle_after_unknown_dict(v: dict[str, Any]) -> None:
+    for k in v.keys():
+        _update_after_unknown_in_complex_types(k, v)
 
 
 def _find_child_modules(
diff --git a/tests/terraform/parser/test_plan_parser.py b/tests/terraform/parser/test_plan_parser.py
@@ -10,7 +10,7 @@
 
 from checkov.common.util.consts import TRUE_AFTER_UNKNOWN
 from checkov.terraform.plan_parser import parse_tf_plan, _sanitize_count_from_name, _handle_complex_after_unknown, \
-    _validate_after_unknown_list_not_empty
+    _update_after_unknown_in_complex_types
 from checkov.common.parsers.node import StrNode
 
 
@@ -148,7 +148,7 @@ def test_handle_complex_after_unknown(self):
             }
         ]
         _handle_complex_after_unknown(key, resource, value)
-        assert resource == {'tags': [[{'custom_tags': ['true_after_unknown']}]]}
+        assert resource["tags"] == [value]
 
     def test_handle_complex_after_unknown_with_empty_list(self):
         resource = {"network_configuration": [
@@ -162,6 +162,23 @@ def test_handle_complex_after_unknown_with_empty_list(self):
         _handle_complex_after_unknown(key, resource, value)
         assert resource == {'network_configuration': [{"endpoint_configuration": []}]}
 
+    def test_handle_complex_after_unknown_with_some_known_values(self):
+        original_resource = {
+            "tags": [
+                {"tag1": "my_tag"},
+                {"tag2": "true"},
+            ]
+        }
+        _update_after_unknown_in_complex_types("tags", original_resource)
+        assert original_resource == {
+            "tags": [
+                {"tag1": "my_tag"},
+                {"tag2": ["true_after_unknown"]},
+            ]
+        }
+
+
+
 @pytest.mark.parametrize("inner_key, k, is_inner_list", [
     ("endpoint_configuration", "network_configuration", False),
     ("endpoint_configuration", "network_configuration", True)
