From 1758a786f3221512147821247d9fc742a9615958 Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Sat, 8 Jul 2023 00:36:29 +0600
Subject: [PATCH] feat(terraform): support for multiple instances of the same resource
---
 pkg/scanners/terraform/parser/evaluator.go | 2 +-
 pkg/scanners/terraform/parser/parser_test.go | 63 ++++++++++++++++++++
 2 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/pkg/scanners/terraform/parser/evaluator.go b/pkg/scanners/terraform/parser/evaluator.go
index f49b3be0e..3ec73d3d7 100644
--- a/pkg/scanners/terraform/parser/evaluator.go
+++ b/pkg/scanners/terraform/parser/evaluator.go
@@ -399,7 +399,7 @@ func (e *evaluator) getValuesByBlockType(blockType string) cty.Value {
 continue
 }

- blockMap, ok := values[b.Label()]
+ blockMap, ok := values[b.Labels()[0]]
 if !ok {
 values[b.Labels()[0]] = cty.ObjectVal(make(map[string]cty.Value))
 blockMap = values[b.Labels()[0]]
diff --git a/pkg/scanners/terraform/parser/parser_test.go b/pkg/scanners/terraform/parser/parser_test.go
index 1b623a66c..2f18f8b63 100644
--- a/pkg/scanners/terraform/parser/parser_test.go
+++ b/pkg/scanners/terraform/parser/parser_test.go
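Review bot: `b.Labels()[0]` is now written out three times around the `if !ok` branch in getValuesByBlockType (lookup, store, re-read), which is the same shape that let the old lookup key `b.Label()` drift away from the store key. Binding it once, `key := b.Labels()[0]`, and using `values[key]` in all three places keeps them in step, and a comment such as `// values is keyed by the block's first label; lookup and store must use the same key` records the invariant. The bounds guard for index 0 is presumably the check that ends in the `continue` above, but it and the rest of the function lie outside the hunk, so that should be confirmed. Since this evaluator feeds a misconfiguration scanner, a reference resolved against the wrong map can hide or invent findings, so the invariant is worth stating in the code.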
@@ -666,3 +666,66 @@ resource "aws_s3_bucket" "default" {
 require.NotNil(t, attr)
 assert.Equal(t, "default", attr.Value().AsString())
 }
+
+func Test_MultipleInstancesOfSameResource(t *testing.T) {
+ fs := testutil.CreateFS(t, map[string]string{
+ "test.tf": `
+
+resource "aws_kms_key" "key1" {
+ description = "Key #1"
+ enable_key_rotation = true
+}
+
+resource "aws_kms_key" "key2" {
+ description = "Key #2"
+ enable_key_rotation = true
+}
+
+resource "aws_s3_bucket" "this" {
+ bucket = "test"
+ }
+
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this1" {
+ bucket = aws_s3_bucket.this.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.key1.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "this2" {
+ bucket = aws_s3_bucket.this.id
+
+ rule {
+ apply_server_side_encryption_by_default {
+ kms_master_key_id = aws_kms_key.key2.arn
+ sse_algorithm = "aws:kms"
+ }
+ }
+}
+`,
+ })
+
+ parser := New(fs, "", OptionStopOnHCLError(true))
+ if err := parser.ParseFS(context.TODO(), "."); err != nil {
+ t.Fatal(err)
+ }
+ modules, _, err := parser.EvaluateAll(context.TODO())
+ assert.NoError(t, err)
+ assert.Len(t, modules, 1)
+
+ rootModule := modules[0]
+
+ blocks := rootModule.GetResourcesByType("aws_s3_bucket_server_side_encryption_configuration")
+ assert.Len(t, blocks, 2)
+
+ for _, block := range blocks {
+ attr := block.GetNestedAttribute("rule.apply_server_side_encryption_by_default.kms_master_key_id")
+ assert.NotNil(t, attr)
+ assert.NotEmpty(t, attr.Value().AsString())
+ }
+}
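Review bot: In `Test_MultipleInstancesOfSameResource` the checks that guard later dereferences use `assert`, which records the failure and keeps going: `assert.Len(t, modules, 1)` is followed by `modules[0]`, and `assert.NotNil(t, attr)` by `attr.Value()`, so a regression would likely show up as a panic instead of a readable failure. The context lines above the new test already use `require.NotNil(t, attr)`, and the same fits here: `require.NoError(t, err)`, `require.Len(t, modules, 1)`, `require.NotNil(t, attr)`. The loop also only asserts that each `kms_master_key_id` is non-empty, so it would still pass if both configurations resolved to the same key. If the evaluator gives `key1` and `key2` distinct `arn` values (not visible in this hunk), it would be worth collecting the two strings and asserting they differ.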