for_each over a map returns a resource for every key on the object

[sontek]

Description

Trivy has a bug in it when processing for_each with a map and the locals are unresolvable, here is a proof of concept terraform:

locals {
  platform_role_principals = {
    lambda    = "lambda.amazonaws.com"
    ecs-tasks = "ecs-tasks.amazonaws.com"
  }
}

data "aws_iam_policy_document" "platform_role_assume_policy" {
  for_each = local.platform_role_principals

  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = [each.value]
    }
  }
}

resource "aws_iam_role" "platform_role" {
  for_each = local.platform_role_principals
  name                 = "platform-${each.key}"
  assume_role_policy   = data.aws_iam_policy_document.platform_role_assume_policy[each.key].json
}

locals {
  platform_roles = {
    for role_key, role_res in aws_iam_role.platform_role :
    role_key => {
      role = role_res.name
    }
  }
}

data "aws_iam_policy_document" "administrative_policy_doc" {
  statement {
    resources = ["*"]
    actions   = ["Tag:GetResources", "Tag:TagResources", "Tag:UntagResources"]
  }
}

resource "aws_iam_policy" "administrative_policy" {
  name   = "administrative-policy"
  policy = data.aws_iam_policy_document.administrative_policy_doc.json
}

resource "aws_iam_role_policy_attachment" "administrative_policy_attachment" {
  for_each   = local.platform_roles
  role       = each.value.role
  policy_arn = aws_iam_policy.administrative_policy.arn
}

This ends up generating 4 resources for the policy attachment when we only have two platform_roles. This is because its making a resource for every key on the Pseudo object so there is a resource for id, arn, name, etc. instead of for the role strings.

Desired Behavior

I expect to only see two resources for the policy attachment. One for ecs-tasks and one for lambda.

Actual Behavior

Currently I see for resources, one for each key id, arn, name, assume_policy_arn.

Reproduction Steps

I'm following up with a PR that will have a test reproduction.

Target

Filesystem

Scanner

Vulnerability

Output Format

Table

Mode

Standalone

Debug Output

❯ go run cmd/trivy/main.go conf ../tfparse/tests/terraform/for_each --debug
2025-07-07T15:00:57-04:00	DEBUG	No plugins loaded
2025-07-07T15:00:57-04:00	DEBUG	Default config file "file_path=trivy.yaml" not found, using built in values
2025-07-07T15:00:57-04:00	DEBUG	Cache dir	dir="/Users/john/Library/Caches/trivy"
2025-07-07T15:00:57-04:00	DEBUG	Cache dir	dir="/Users/john/Library/Caches/trivy"
2025-07-07T15:00:57-04:00	DEBUG	Parsed severities	severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2025-07-07T15:00:57-04:00	INFO	[misconfig] Misconfiguration scanning is enabled
2025-07-07T15:00:57-04:00	DEBUG	[notification] Running version check
2025-07-07T15:00:57-04:00	DEBUG	[misconfig] Checks successfully loaded from disk
2025-07-07T15:00:57-04:00	DEBUG	[rego] Overriding filesystem for checks
2025-07-07T15:00:57-04:00	DEBUG	[rego] Embedded libraries are loaded	count=17
2025-07-07T15:00:57-04:00	DEBUG	[rego] Embedded checks are loaded	count=519
2025-07-07T15:00:57-04:00	DEBUG	[notification] Version check completed	latest_version="0.64.1"
2025-07-07T15:00:57-04:00	DEBUG	[rego] Checks from disk are loaded	count=536
2025-07-07T15:00:57-04:00	DEBUG	[rego] Overriding filesystem for data
2025-07-07T15:00:57-04:00	DEBUG	Enabling misconfiguration scanners	scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2025-07-07T15:00:57-04:00	DEBUG	Initializing scan cache...	type="memory"
2025-07-07T15:00:57-04:00	DEBUG	[fs] Analyzing...	root="../tfparse/tests/terraform/for_each"
2025-07-07T15:00:57-04:00	DEBUG	[misconfig] Scanning files for misconfigurations...	scanner="Terraform"
2025-07-07T15:00:57-04:00	DEBUG	[terraform scanner] Scanning directory	file_path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Parsing	module="root" file_path="iam.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Added file	module="root" file_path="iam.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Parsing	module="root" file_path="simple.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Added file	module="root" file_path="simple.tf"
2025-07-07T15:00:57-04:00	INFO	[terraform scanner] Scanning root module	file_path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Setting project/module root	module="root" file_path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Parsing FS	module="root" file_path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Parsing	module="root" file_path="iam.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Added file	module="root" file_path="iam.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Parsing	module="root" file_path="simple.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Added file	module="root" file_path="simple.tf"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Loading module	module="root" module="root"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Read block(s) and ignore(s)	module="root" blocks=8 ignores=0
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Added input variables from tfvars	module="root" count=0
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Working directory for module evaluation	module="root" file_path="/Users/john/code/stacklet/trivy"
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting module evaluation...	module="root" path="."
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting iteration	module="root" iteration=0
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting iteration	module="root" iteration=1
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting iteration	module="root" iteration=2
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Context unchanged	module="root" iteration=2
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Expanded block into clones via 'for_each' attribute.	module="root" block="aws_iam_role.platform_role" clones=2
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Expanded block into clones via 'for_each' attribute.	module="root" block="aws_iam_role_policy_attachment.administrative_policy_attachment" clones=4
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Expanded block into clones via 'for_each' attribute.	module="root" block="aws_iam_user.the-accounts" clones=4
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Expanded block into clones via 'for_each' attribute.	module="root" block="data.aws_iam_policy_document.platform_role_assume_policy" clones=2
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting post-submodules evaluation...	module="root"
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting iteration	module="root" iteration=0
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting iteration	module="root" iteration=1
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Starting iteration	module="root" iteration=2
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Context unchanged	module="root" iteration=2
2025-07-07T15:00:57-04:00	DEBUG	[terraform evaluator] Module evaluation complete.	module="root"
2025-07-07T15:00:57-04:00	DEBUG	[terraform parser] Finished parsing module	module="root"
2025-07-07T15:00:57-04:00	DEBUG	[terraform executor] Adapting modules...
2025-07-07T15:00:57-04:00	DEBUG	[terraform executor] Adapted module(s) into state data.	count=1
2025-07-07T15:00:57-04:00	DEBUG	[terraform executor] Scan state data
2025-07-07T15:00:57-04:00	DEBUG	[rego] Scanning inputs	count=1
2025-07-07T15:00:57-04:00	DEBUG	[terraform executor] Finished applying checks
2025-07-07T15:00:57-04:00	DEBUG	[terraform executor] Applying ignores...
2025-07-07T15:00:57-04:00	DEBUG	OS is not detected.
2025-07-07T15:00:57-04:00	INFO	Detected config files	num=1
2025-07-07T15:00:57-04:00	DEBUG	Scanned config file	file_path="."
2025-07-07T15:00:57-04:00	DEBUG	Specified ignore file does not exist	file=".trivyignore"
2025-07-07T15:00:57-04:00	DEBUG	[vex] VEX filtering is disabled

Report Summary

┌────────┬───────────┬───────────────────┐
│ Target │   Type    │ Misconfigurations │
├────────┼───────────┼───────────────────┤
│ .      │ terraform │         0         │
└────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Operating System

MacOS

Version

❯ trivy version                                         
Version: 0.60.0
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-07-07 18:58:33.681649 +0000 UTC

and

❯ go run cmd/trivy/main.go version                                         
Version: dev
Check Bundle:
  Digest: sha256:a471e90b7c7335e914ec9075b74cf8f65e4c91e6cecfa7e39c587382808d2684
  DownloadedAt: 2025-07-07 18:58:33.681649 +0000 UTC

[sontek]

Here is the PR with the example terraform and the fix:

#9156