Error validando funciones en los tags

[cajlopezor]

Describe the issue
We are trying to execute checkov in a template which makes use of a function (IF) in the tags:

    - 'Fn::If':
       - cPdnEnv
       -
         Key: "Schedule"
         Value: "VISOR-02"
       - !Ref "AWS::NoValue"    

but it throws the following error message:

Failed to parse tags for entity {'rEC2Instance': ...

We updated to the latest version of checkov but the error continues

According to the AWS documentation, this IF function can be used on tags.

[gruebel]

hey @cajlopezor thanks for reaching out. Can you provide the whole resource as an example? from the error message it looks like you added tags to an EC2 instance, right?

[cajlopezor]

Hi @gruebel, I shareyou the yaml of the resource and the error

Resources:

  rEC2Instance:
    Condition: cAditionalEc2
    Type: AWS::EC2::Instance
    Properties:
      DisableApiTermination: true 
      NetworkInterfaces: 
        - AssociatePublicIpAddress: "false"              
          DeviceIndex: "0"
          GroupSet: 
            - !Join ["", ["{{resolve:ssm:", !Ref pPSGASt, "}}"]]
          SubnetId: !Ref pSubnetPriv5
      InstanceType: !Ref pEC2InstanceTypeSSAStqP
      ImageId: !FindInMap
        - EnvironmentToAMI
        - !Ref pEnvironment
        - AMIID
      IamInstanceProfile: !Join ["", ["{{resolve:ssm:", !Ref pInstanceProfile, "}}"]]
      BlockDeviceMappings:
        - DeviceName: /dev/sda1
          Ebs:
            VolumeSize: !Ref pOSSizeDisk
            VolumeType: !Ref pTypeDisk          
            Encrypted: 'true' 
            KmsKeyId: !Join ["", ["{{resolve:ssm:", !Ref pPSKMSARN, "}}"]]
        - DeviceName: /dev/sdb
          Ebs:
            VolumeSize: 50
            VolumeType: !Ref pTypeDisk
            Encrypted: 'true' 
            KmsKeyId: !Join ["", ["{{resolve:ssm:", !Ref pPSKMSARN, "}}"]]
      UserData:
        Fn::Base64:
          Fn::Sub:
            - |
              <powershell>
               query here
              </powershell>
      Tags:
        - Key: Name
          Value: !Ref xxxx
        - 'Fn::If':
           - cPdnEnv
           -
             Key: "Schedule"
             Value: "xxxx"
           - !Ref "AWS::NoValue"

The error is:

Current File Scanned=/template (4).yaml2022-11-09 09:30:23,665 [ThreadPoolEx] [WARNI] Failed to parse tags for entity {'rEC2Instance': {'Type': 'AWS::EC2::Instance', 'Properties': {'DisableApiTermination': True, 'NetworkInterfaces': [{'AssociatePublicIpAddress': 'false', 'DeviceIndex': '0', 'GroupSet': [{'Fn::Join': ['', ['{{resolve:ssm:', {'Ref': 'pPSGASt'}, '}}']]}], 'SubnetId': {'Ref': 'pSubnetPriv5'}, '__startline__': 134, '__endline__': 139}], 'InstanceType': {'Ref': 'pEC2InstanceTypeSSAStqP'}, 'ImageId': {'Fn::FindInMap': ['EnvironmentToAMI', {'Ref': 'pEnvironment'}, 'AMIID']}, 'IamInstanceProfile': {'Fn::Join': ['', ['{{resolve:ssm:', {'Ref': 'pInstanceProfile'}, '}}']]}, 'BlockDeviceMappings': [{'DeviceName': '/dev/sda1', 'Ebs': {'VolumeSize': {'Ref': 'pOSSizeDisk'}, 'VolumeType': {'Ref': 'pTypeDisk'}, 'Encrypted': 'true', 'KmsKeyId': {'Fn::Join': ['', ['{{resolve:ssm:', {'Ref': 'pPSKMSARN'}, '}}']]}, '__startline__': 148, '__endline__': 152}, '__startline__': 146, '__endline__': 152}, {'DeviceName': '/dev/sdb', 'Ebs': {'VolumeSize': 50, 'VolumeType': {'Ref': 'pTypeDisk'}, 'Encrypted': 'true', 'KmsKeyId': {'Fn::Join': ['', ['{{resolve:ssm:', {'Ref': 'pPSKMSARN'}, '}}']]}, '__startline__': 154, '__endline__': 158},

thanks

[gruebel]

great thanks!