fix(query): support for array's and some minor fixes #7844
Merged
cx-andre-pereira merged 4 commits on Nov 13, 2025
…d values and new tests
…nd improved variable naming
…ible-Terraform/aws
Reason for Proposed Changes
The Terraform query "SNS Topic Is Publicly Accessible" was recently changed to account for restrictive condition blocks to prevent false positives (#7758).
While analyzing the query I realized that support for arrays was lacking, and samples like the 3 newly added ones would cause an error. I also noticed some other areas that could be improved.
Proposed Changes
I noticed some needless `sprintf()` statements. One was removed and the other 2 were adjusted to properly report the index of the array entry being flagged. Finally, note that `'Statement.Policy.AWS'` is supposed to be `'Statement.Principal.AWS'`, since "Policy" is not a valid field; the target here was "Principal". The searchKey and searchLine values in the case of "topic_policy_statements" could also be improved. Ideally I would point to the specific "module[x1].topic_policy_statements[x2].principals[x3].identifiers[x4]" entry, but the KICS engine only allowed me to point as far as "principals", as seen in the implementation. This is still a big improvement over simply pointing to the "topic_policy_statements" block like before.
Finally, some major adjustments were done to account for arrays with 2+ elements for the "aws_sns_topic" resource's policy, and for the "terraform-aws-modules/sns/aws" module's "topic_policy" and "topic_policy_statements". All of these fields were arrays, but the query did not work for arrays with more than a single element. In the case of "topic_policy" and "policy", since they are represented as a single string, the index is specified through the key expected and actual values to properly flag and inform users of each invalid entry, while the search keys point to the "policy" field.
I submit this contribution under the Apache-2.0 license.
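To make the array-handling point concrete, the following is an added example written for this page; it is not the KICS Rego query from this PR and not Checkmarx code. It walks an SNS topic policy whose `Statement` is a JSON array of several elements, normalises the scalar-or-array shapes IAM allows for `Statement` and `Principal.AWS`, skips `Allow` statements that carry a restrictive condition, and emits one KICS-style finding per wildcard principal. Because the Terraform `policy` attribute is a single string, the `searchKey` can only point at the attribute, so the statement and principal index are carried in the expected/actual values, as the PR describes. The set of condition keys treated as restrictive, the finding field names, and the sample policy are assumptions constructed for the example.

```python
import json

# Condition keys that scope a wildcard principal to a known account, org or
# source. ASSUMPTION for this example only: the real KICS query may use a
# different list.
RESTRICTIVE_CONDITION_KEYS = {
    "aws:sourceowner", "aws:sourceaccount", "aws:sourcearn",
    "aws:principalorgid", "aws:principalarn", "aws:principalaccount",
}


def as_list(value):
    """Normalise a policy field that may be a scalar or an array to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def aws_principal_entries(principal):
    """Yield (path, identifier) for every AWS principal entry in a statement.

    Handles the three shapes IAM allows: "*", {"AWS": "..."} and {"AWS": [...]}.
    """
    if isinstance(principal, str):
        yield "Principal", principal
    elif isinstance(principal, dict):
        for i, ident in enumerate(as_list(principal.get("AWS"))):
            yield f"Principal.AWS[{i}]", ident


def has_restrictive_condition(statement):
    """True if any condition key scopes the statement to a known caller."""
    for operator_block in (statement.get("Condition") or {}).values():
        if isinstance(operator_block, dict):
            for key in operator_block:
                if key.lower() in RESTRICTIVE_CONDITION_KEYS:
                    return True
    return False


def find_public_statements(policy_json, topic_name):
    """Return one KICS-style finding per wildcard principal in an unrestricted Allow.

    The policy is a single string attribute, so searchKey can only point at the
    attribute; the statement and principal index go into the expected/actual
    values instead.
    """
    findings = []
    policy = json.loads(policy_json)
    for s_idx, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or has_restrictive_condition(stmt):
            continue
        for path, ident in aws_principal_entries(stmt.get("Principal")):
            if ident == "*":
                field = f"policy.Statement[{s_idx}].{path}"
                findings.append({
                    "searchKey": f"aws_sns_topic[{topic_name}].policy",
                    "keyExpectedValue": f"'{field}' should not be '*'",
                    "keyActualValue": f"'{field}' is '*'",
                })
    return findings


# Constructed sample: what an aws_sns_topic "policy" attribute holds as a string.
# Statement is an array of five elements, exercising every shape handled above.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Owner", "Effect": "Allow", "Action": "SNS:Publish", "Resource": "*",
         "Principal": {"AWS": "arn:aws:iam::123456789012:root"}},
        {"Sid": "Public", "Effect": "Allow", "Action": "SNS:Subscribe", "Resource": "*",
         "Principal": {"AWS": "*"}},
        {"Sid": "Scoped", "Effect": "Allow", "Action": "SNS:Publish", "Resource": "*",
         "Principal": {"AWS": ["*", "arn:aws:iam::123456789012:root"]},
         "Condition": {"StringEquals": {"AWS:SourceOwner": "123456789012"}}},
        {"Sid": "BarePublic", "Effect": "Allow", "Action": "SNS:Publish", "Resource": "*",
         "Principal": "*"},
        {"Sid": "DenyAll", "Effect": "Deny", "Action": "SNS:*", "Resource": "*",
         "Principal": "*"},
    ],
})

if __name__ == "__main__":
    for finding in find_public_statements(SAMPLE_POLICY, "events"):
        print(finding["searchKey"], "->", finding["keyActualValue"])
```

Run against the sample, only statements 1 and 3 are flagged: statement 0 names a concrete account, statement 2 has a wildcard but is scoped by `AWS:SourceOwner`, and statement 4 is a `Deny`. A single-object `Statement` (no array) still works because `as_list` wraps it, which is the single-element case the original query handled and the multi-element case it did not.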