fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)

Signed-off-by: nikpivkin <[email protected]>
Co-authored-by: Nikita Pivkin <[email protected]>

Author: aqua-bot

pkg/iac/scanners/terraform/parser/parser_test.go

@@ -1588,6 +1588,15 @@ resource "test_resource" "test" {
       bar = foo.value
 	}
   }
+}`,
+			expected: []any{},
+		},
+		{
+			name: "unknown for-each",
+			src: `resource "test_resource" "test" {
+  dynamic "foo" {
+    for_each = lookup(foo, "") ? [] : []
+  }
 }`,
 			expected: []any{},
 		},

pkg/iac/terraform/block.go

@@ -583,7 +583,7 @@ func (b *Block) ExpandBlock() error {
 		if child.Type() == "dynamic" {
 			blocks, err := child.expandDynamic()
 			if err != nil {
-				errs = multierror.Append(errs, err)
+				errs = multierror.Append(errs, fmt.Errorf("block %q: %w", child.TypeLabel(), err))
 				continue
 			}
 			expanded = append(expanded, blocks...)
@@ -612,6 +612,10 @@ func (b *Block) expandDynamic() ([]*Block, error) {
 		return nil, fmt.Errorf("invalid for-each in %s block: %w", b.FullLocalName(), err)
 	}
 
+	if !forEachVal.IsKnown() {
+		return nil, errors.New("for-each must be known")
+	}
+
 	var (
 		expanded []*Block
 		errs     error