fix(terraform): Fix an issue for loading tfvars + issue in the dynami…

…c rendering (#6360)

* Fix an issue for loading tfvars + issue in the dynamic rendering

* mypy and UTs fixes

checkov/terraform/graph_builder/variable_rendering/renderer.py

@@ -363,6 +363,9 @@ def _process_dynamic_blocks(dynamic_blocks: list[dict[str, Any]] | dict[str, Any
 
             dynamic_arguments: list[str] = []
             TerraformVariableRenderer._extract_dynamic_arguments(block_name, block_content, dynamic_arguments, [])
+            if not dynamic_arguments and len(dynamic_values) == 1:
+                for argument, _ in block_content.items():
+                    dynamic_arguments.append(argument)
             if dynamic_arguments and isinstance(dynamic_values, list):
                 block_confs = []
                 for dynamic_value in dynamic_values:

checkov/terraform/tf_parser.py

@@ -699,13 +699,15 @@ def load_or_die_quietly(
     file: str | Path | os.DirEntry[str], parsing_errors: dict[str, Exception], clean_definitions: bool = True
 ) -> Optional[_Hcl2Payload]:
     """
-Load JSON or HCL, depending on filename.
+    Load JSON or HCL, depending on filename.
     :return: None if the file can't be loaded
     """
-
     file_path = os.fspath(file)
     file_name = os.path.basename(file_path)
 
+    if file_name.endswith('.tfvars'):
+        clean_definitions = False
+
     try:
         logging.debug(f"Parsing {file_path}")
 

tests/terraform/checks/resource/azure/example_AppGWDefinesSecureProtocols/main.tf

@@ -410,4 +410,23 @@ resource "azurerm_application_gateway" "pass2" {
     policy_type = "Predefined"
     policy_name = "AppGwSslPolicy20220101S"
   }
+}
+
+resource "azurerm_application_gateway" "pass_dynamic_bug" {
+
+  enable_http2        = false
+  location            = ""
+  name                = ""
+  resource_group_name = ""
+
+  dynamic "ssl_policy" {
+    for_each = var.ssl_policy == null ? [] : [1]
+    content {
+      disabled_protocols   = lookup(var.ssl_policy, "disabled_protocols", [])
+      policy_type          = lookup(var.ssl_policy, "policy_type", "Predefined")
+      policy_name          = lookup(var.ssl_policy, "policy_type") == "Predefined" ? lookup(var.ssl_policy, "policy_name", "AppGwSslPolicy20170401S") : null
+      cipher_suites        = lookup(var.ssl_policy, "cipher_suites", [])
+      min_protocol_version = lookup(var.ssl_policy, "min_protocol_version", null)
+    }
+  }
 }

tests/terraform/checks/resource/azure/example_AppGWDefinesSecureProtocols/terraform.auto.tfvars

@@ -0,0 +1,9 @@
+ssl_policy = {
+  disabled_protocols = []
+  policy_type        = "Custom"
+  cipher_suites = [
+    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+  ]
+  min_protocol_version = "TLSv1_2"
+}

tests/terraform/checks/resource/azure/example_AppGWDefinesSecureProtocols/variables.tf

@@ -0,0 +1,6 @@
+variable "ssl_policy" {
+  description = "bla bla"
+  type        = any
+  default     = {}
+}
+

tests/terraform/checks/resource/azure/test_AppGWDefinesSecureProtocols.py

@@ -19,7 +19,8 @@ def test(self):
 
         passing_resources = {
             'azurerm_application_gateway.pass',
-            'azurerm_application_gateway.pass2'
+            'azurerm_application_gateway.pass2',
+            'azurerm_application_gateway.pass_dynamic_bug'
         }
         failing_resources = {
             'azurerm_application_gateway.fail',