fix(terraform_plan): Run provider checks against all providers in plan (#7061)

fix(terraform): plan scanning only runs provider checks against first provider

Co-authored-by: Taylor <[email protected]>

Author: alanszlosek

checkov/terraform/plan_parser.py

@@ -333,19 +333,36 @@ def _is_provider_key(key: str) -> bool:
     return (key.startswith('module.') or key.startswith('__') or key in {'start_line', 'end_line'})
 
 
-def _get_provider(template: dict[str, dict[str, Any]]) -> dict[str, dict[str, Any]]:
-    """Returns the provider dict"""
-
-    provider_map: dict[str, dict[str, Any]] = {}
+def _get_providers(template: dict[str, dict[str, Any]]) -> list[dict[str, dict[str, Any]]]:
+    """Returns a list of provider dicts"""
+
+    # `providers` should be a list of dicts, one dict for each provider:
+    # [
+    #     {
+    #         "aws": {
+    #             "region": ["us-east-1"],
+    #             . . .
+    #         }
+    #     },
+    #     {
+    #         "aws.west": {
+    #             "region": ["us-west-1"],
+    #             "alias": ["west"],
+    #             . . .
+    #         }
+    #     }
+    # ]
+    providers: list[dict[str, dict[str, Any]]] = []
     provider_config = template.get("configuration", {}).get("provider_config")
 
     if provider_config and isinstance(provider_config, dict):
         for provider_key, provider_data in provider_config.items():
             if _is_provider_key(key=provider_key):
                 # Not a provider, skip
                 continue
-            provider_map[provider_key] = {}
             provider_alias = provider_data.get("alias", "default")
+            provider_map: dict[str, dict[str, Any]] = {}
+            provider_map[provider_key] = {}
             provider_map_entry = provider_map[provider_key]
             for field, value in provider_data.get('expressions', {}).items():
                 if field in LINE_FIELD_NAMES or not isinstance(value, dict):
@@ -360,9 +377,14 @@ def _get_provider(template: dict[str, dict[str, Any]]) -> dict[str, dict[str, An
             provider_map_entry[start_line] = [provider_data.get(START_LINE, 1) - 1]
             provider_map_entry[end_line] = [provider_data.get(END_LINE, 1)]
             provider_map_entry['alias'] = [provider_alias]
-            provider_map_entry[TF_PLAN_RESOURCE_ADDRESS] = f"{provider_key}.{provider_alias}"
+            # provider_key already contains the alias (ie "aws.east") for non-default providers
+            if provider_alias == "default":
+                provider_map_entry[TF_PLAN_RESOURCE_ADDRESS] = f"{provider_key}.{provider_alias}"
+            else:
+                provider_map_entry[TF_PLAN_RESOURCE_ADDRESS] = provider_key
+            providers.append(provider_map)
 
-    return provider_map
+    return providers
 
 
 def _get_resource_changes(template: dict[str, Any]) -> dict[str, dict[str, Any]]:
@@ -421,9 +443,7 @@ def parse_tf_plan(tf_plan_file: str, out_parsing_errors: Dict[str, str]) -> Tupl
     if not template:
         return None, None
 
-    provider = _get_provider(template=template)
-    if bool(provider):
-        tf_definition["provider"].append(provider)
+    tf_definition["provider"] = _get_providers(template=template)
 
     resource_changes = _get_resource_changes(template=template)
 

tests/terraform/parser/resources/plan_multiple_providers/multiple_providers.tf

@@ -0,0 +1,12 @@
+provider "aws" {
+    region = "us-east-1"
+}
+
+provider "aws" {
+    region = "us-east-2"
+    alias = "ohio"
+}
+provider "aws" {
+    region = "us-west-2"
+    alias = "oregon"
+}

tests/terraform/parser/resources/plan_multiple_providers/tfplan.json

@@ -0,0 +1 @@
+{"format_version":"1.2","terraform_version":"1.10.5","planned_values":{"root_module":{}},"configuration":{"provider_config":{"aws":{"name":"aws","full_name":"registry.terraform.io/hashicorp/aws","expressions":{"region":{"constant_value":"us-east-1"}}},"aws.ohio":{"name":"aws","full_name":"registry.terraform.io/hashicorp/aws","alias":"ohio","expressions":{"region":{"constant_value":"us-east-2"}}},"aws.oregon":{"name":"aws","full_name":"registry.terraform.io/hashicorp/aws","alias":"oregon","expressions":{"region":{"constant_value":"us-west-2"}}}},"root_module":{}},"timestamp":"2025-03-19T18:18:14Z","applyable":false,"complete":true,"errored":false}

tests/terraform/parser/test_plan_parser.py

@@ -30,6 +30,25 @@ def test_provider_is_included(self):
         file_provider_definition = tf_definition['provider']
         self.assertTrue(file_provider_definition)  # assert a provider exists
         assert file_provider_definition[0].get('aws', {}).get('region', None) == ['us-west-2']
+    
+    def test_plan_multiple_providers(self):
+        current_dir = os.path.dirname(os.path.realpath(__file__))
+        valid_plan_path = current_dir + "/resources/plan_multiple_providers/tfplan.json"
+        tf_definition, _ = parse_tf_plan(valid_plan_path, {})
+        providers = tf_definition['provider']
+        self.assertEqual( len(providers), 3)
+        provider_keys = []
+        provider_aliases = []
+        provider_addresses = []
+        for provider in providers:
+            key = next(iter(provider))
+            provider_keys.append(key)
+            provider_aliases.append( provider[key]['alias'][0] )
+            provider_addresses.append( provider[key]['__address__'] )
+        
+        self.assertEqual(provider_keys, ["aws", "aws.ohio", "aws.oregon"])
+        self.assertEqual(provider_aliases, ["default", "ohio", "oregon"])
+        self.assertEqual(provider_addresses, ["aws.default", "aws.ohio", "aws.oregon"])
 
     def test_more_tags_values_are_flattened(self):
         current_dir = os.path.dirname(os.path.realpath(__file__))