Description
Describe the issue
When scanning an aws_s3_bucket_policy where the statements are the result of a "concat" operation, checkov errors with the following:
TypeError: string indices must be integers, not 'str'
Examples
The culprit resource is:
resource "aws_s3_bucket_policy" "logs" {
  bucket = aws_s3_bucket.logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = concat(
      jsondecode(data.aws_iam_policy_document.logs-cloudtrail-policy-acl-check.json).Statement,
      jsondecode(data.aws_iam_policy_document.s3-logs-cloudtrail-policy-write.json).Statement,
      jsondecode(data.aws_iam_policy_document.s3-logs-vpc-flow-logs-policy.json).Statement,
    )
  })
}
Each referenced aws_iam_policy_document is valid in and of itself. The problem appears to be that the statement is not evaluated to a real dict value before checkov attempts to introspect it. Instead, checkov is looking at the string concat(....), not a data structure.
Exception Trace
2025-04-08 12:52:24,558 [ThreadPoolEx] [ERROR] Failed to run check CKV_AWS_70 on /s3.tf:aws_s3_bucket_policy.homeboost_logs
Traceback (most recent call last):
  File "/Users/myddryn/venv/localpy/lib/python3.11/site-packages/checkov/common/checks/base_check.py", line 68, in run
    check_result["result"] = self.scan_entity_conf(entity_configuration, entity_type)
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/myddryn/venv/localpy/lib/python3.11/site-packages/checkov/terraform/checks/resource/base_resource_check.py", line 43, in scan_entity_conf
    return self.scan_resource_conf(conf)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/myddryn/venv/localpy/lib/python3.11/site-packages/checkov/terraform/checks/resource/aws/S3AllowsAnyPrincipal.py", line 86, in scan_resource_conf
    if statement['Effect'] == 'Deny' or 'Principal' not in statement:
       ~~~~~~~~~^^^^^^^^^^
TypeError: string indices must be integers, not 'str'
Desktop (please complete the following information):
- OS: Mac OS, 15.3.2
- Checkov Version: 3.2.400
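The failure shape in the traceback, as an added example that is not checkov's code or part of the original report: when the Statement value is still the unevaluated HCL expression string, iterating it yields single characters and `statement['Effect']` raises the TypeError shown above. The policies, bucket ARN, account id and function names below are constructed for illustration; the defensive variant normalises Statement to a list of dicts and reports "UNKNOWN" instead of crashing when it cannot be evaluated.

```python
"""Hypothetical reproduction of the Statement-iteration failure (not checkov code)."""
from __future__ import annotations

from typing import Any

# Constructed sample inputs, not taken from the issue or from checkov.
# What a check sees when Terraform's concat() is left unevaluated: Statement is the
# raw HCL expression as a string rather than a list of statement dicts.
UNRESOLVED_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": "concat(jsondecode(data.aws_iam_policy_document.a.json).Statement, "
                 "jsondecode(data.aws_iam_policy_document.b.json).Statement)",
}

# The same kind of policy after evaluation: a list of statement dicts, one of them public.
PUBLIC_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-logs/*"},
    ],
}

# A policy restricted to a single account principal (single statement object form).
RESTRICTED_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow",
                  "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                  "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-logs/*"},
}


def principal_is_any(principal: Any) -> bool:
    """True for the wildcard principal forms "*", {"AWS": "*"} and {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def naive_allows_any_principal(policy: dict[str, Any]) -> bool:
    """The failing pattern: iterate Statement assuming it is a list of dicts.
    If Statement is an unevaluated expression string, iteration yields single
    characters and statement["Effect"] raises TypeError."""
    for statement in policy["Statement"]:
        if statement["Effect"] == "Deny" or "Principal" not in statement:
            continue
        if principal_is_any(statement["Principal"]):
            return True
    return False


def reproduce_error(policy: dict[str, Any]) -> str | None:
    """Run the naive check and return the TypeError message, or None if it succeeded."""
    try:
        naive_allows_any_principal(policy)
    except TypeError as exc:
        return str(exc)
    return None


def statements_of(policy: dict[str, Any]) -> list[dict[str, Any]] | None:
    """Normalise Statement to a list of dicts; None if it is not evaluable
    (an HCL expression string, a number, or a list with non-dict entries)."""
    statements = policy.get("Statement")
    if isinstance(statements, dict):
        statements = [statements]
    if not isinstance(statements, list) or not all(isinstance(s, dict) for s in statements):
        return None
    return statements


def allows_any_principal(policy: dict[str, Any]) -> str:
    """Defensive version: "FAILED" if a non-Deny statement grants to any principal,
    "PASSED" if none does, "UNKNOWN" when Statement could not be evaluated
    (the check should then be skipped rather than crash)."""
    statements = statements_of(policy)
    if statements is None:
        return "UNKNOWN"
    for statement in statements:
        if statement.get("Effect") == "Deny" or "Principal" not in statement:
            continue
        if principal_is_any(statement["Principal"]):
            return "FAILED"
    return "PASSED"


if __name__ == "__main__":
    print("naive check on unresolved concat():", reproduce_error(UNRESOLVED_POLICY))
    for name, policy in [("unresolved", UNRESOLVED_POLICY), ("public", PUBLIC_POLICY),
                         ("restricted", RESTRICTED_POLICY)]:
        print(f"{name}: {allows_any_principal(policy)}")
```

Returning a distinct "UNKNOWN" result matters: silently treating an unevaluated policy as passing would hide a possibly public bucket policy, while crashing aborts the whole check for the resource, which is what the traceback above shows.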