CKV_GCP_33 reports a false positive `true` vs `"TRUE"`

[TheMacStack]

Bug/False Positive: CKV_GCP_33 reports a false positive depending on the syntax used in the metadata block specifically true vs "TRUE"

Steps to reproduce the behavior:

resource "google_compute_project_metadata" "general" {
  metadata = {
    "enable-oslogin" = "TRUE"
    "google-compute-default-region" = "europe-west4"
    "google-compute-default-zone"   = "europe-west4-a"
  }
}

or

resource "google_compute_project_metadata" "general" {
  metadata = {
    enable-oslogin    = "TRUE"
    google-compute-default-region = "europe-west4"
    google-compute-default-zone   = "europe-west4-a"
  }
}

Expected behavior: The above examples should be valid and not flagged as failed for Check: CKV_GCP_33: "Ensure oslogin is enabled for a Project"

• Checkov Version [1.0.702]

[schosterbarak]

@arielkru is that something that can be handled at hcl2 parser?

[schosterbarak]

@TheMacStack should "TRUE" always be evaluated like true? from the HCL specification looks like capital letters "TRUE" is not necessarily a boolean value.

[TheMacStack]

@TheMacStack should "TRUE" always be evaluated like true? from the HCL specification looks like capital letters "TRUE" is not necessarily a boolean value.

No, typically not, but in this particular field it is a set of arbitrary key/value pairs, basically as plain text, not actual defined terraform params that expect a true boolean value.

So in general true != "TRUE" but for this metadata block "TRUE" is a valid value

[schosterbarak]

@TheMacStack I've just applied a fix to checkov latest version. Can you confirm it's working?

[TheMacStack]

@TheMacStack I've just applied a fix to checkov latest version. Can you confirm it's working?

Tested and confirm it now works as expected.

Many thanks for the rapid response time.

[schosterbarak]

sweet. thanks for reporting on it @TheMacStack