Suppression Comments for resources using for_each or count do not evaluate to SKIP

[rkuhlke]

Describe the issue
Suppression comments for Resource blocks that use for_each or count are not evaluated and will show as failed not skipped. This is for Terraform Plan frameworks with the --repo-root-for-plan-enrichment enabled.

Examples
locals {
hosted_zone_names = [
"example.com",
"example2.eu",

]
}

resource "aws_route53_zone" "example" {
for_each = toset(local.hosted_zone_names)

checkov:skip=CKV2_AWS_38

name = each.value
}

Expected aws_route53_zone.example["example2.eu"] and aws_route53_zone.example["example.com"] to be SKIPPED and got FAILED

Version (please complete the following information):

• Checkov Version 3.2.472

Additional context

[maxamel]

Hi, can you provide the full checkov command you're using and the files needed to reproduce this issue? You mentioned TF_PLAN but the code in the description seems to be TF.

[marceldevroed]

Looks like this issue: #7143

[rkuhlke]

Hello below is the TF_PLAN output of the above terraform code. The command I used was checkov -f tf_plan.json --repo-root-for-plan-enrichment . So it should have gotten the suppression comment from above
{
"address": "aws_route53_zone.example["example.com"]",
"mode": "managed",
"type": "aws_route53_zone",
"name": "example",
"index": "example.com",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"comment": "Managed by Terraform",
"delegation_set_id": null,
"force_destroy": false,
"name": "example.com",
"tags": null,
"vpc": []
},
"sensitive_values": {
"name_servers": [],
"tags_all": {},
"vpc": []
}
},
{
"address": "aws_route53_zone.example["example2.eu"]",
"mode": "managed",
"type": "aws_route53_zone",
"name": "example",
"index": "example2.eu",
"provider_name": "registry.terraform.io/hashicorp/aws",
"schema_version": 0,
"values": {
"comment": "Managed by Terraform",
"delegation_set_id": null,
"force_destroy": false,
"name": "example2.eu",
"tags": null,
"vpc": []
},
"sensitive_values": {
"name_servers": [],
"tags_all": {},
"vpc": []
}
}

[maxamel]

You are correct, the root cause is that in for_each/count the resource id in the tf_plan is slightly different than the raw resource as it appears in the TF file. There is a gap currently in how we match between the tf_plan resources and the raw TF resource in the presence of for_each/count.
Without for_each/count the matching between tf_plan and the original TF resources should work.