fix(misconf): check if for-each is known when expanding dyn block (#8808)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2025-12-12 15:50:15 -08:00 · 2025-05-02 07:43:59 +06:00
parent 6e23ca96d1
commit 5706603146
2 changed files with 14 additions and 1 deletions
--- a/pkg/iac/scanners/terraform/parser/parser_test.go
+++ b/pkg/iac/scanners/terraform/parser/parser_test.go
@@ -1588,6 +1588,15 @@ resource "test_resource" "test" {
      bar = foo.value
 	}
  }
+}`,
+			expected: []any{},
+		},
+		{
+			name: "unknown for-each",
+			src: `resource "test_resource" "test" {
+  dynamic "foo" {
+    for_each = lookup(foo, "") ? [] : []
+  }
 }`,
 			expected: []any{},
 		},
--- a/pkg/iac/terraform/block.go
+++ b/pkg/iac/terraform/block.go
@@ -583,7 +583,7 @@ func (b *Block) ExpandBlock() error {
 		if child.Type() == "dynamic" {
 			blocks, err := child.expandDynamic()
 			if err != nil {
-				errs = multierror.Append(errs, err)
+				errs = multierror.Append(errs, fmt.Errorf("block %q: %w", child.TypeLabel(), err))
 				continue
 			}
 			expanded = append(expanded, blocks...)
@@ -612,6 +612,10 @@ func (b *Block) expandDynamic() ([]*Block, error) {
 		return nil, fmt.Errorf("invalid for-each in %s block: %w", b.FullLocalName(), err)
 	}

+	if !forEachVal.IsKnown() {
+		return nil, errors.New("for-each must be known")
+	}
+
 	var (
 		expanded []*Block
 		errs     error