From 3c54627e38132ffcd749787f7271fad6a9bae000 Mon Sep 17 00:00:00 2001
From: Ori Bendet
Date: Sat, 28 Feb 2026 18:30:52 -0500
Subject: [PATCH] fix(terraform): skip label validation for unresolved Terraform references

KICS's HCL converter wraps bare Terraform references (local.*, var.*, etc.) in \${...} notation since it cannot resolve them at parse time. These wrapped strings (e.g. \"\${local.resource_name}\") fail the Kubernetes label value regex because of the \${} characters, causing false positives.

Add two guards before the regex check:
- is_string(): skip non-string values (e.g. nested objects from dotted keys)
- not contains(labels[key], \"\${\"): skip unresolved Terraform references

Also fix a pre-existing typo in result messages: \"metada\" -> \"metadata\".

Add negative test cases for a Terraform local reference and a prefixed label key (gateway.istio.io/defaults-for-class).

Fixes #7944

Co-Authored-By: Claude Sonnet 4.6
---
 .../kubernetes/metadata_label_is_invalid/query.rego | 6 ++++--
 .../kubernetes/metadata_label_is_invalid/test/negative.tf | 4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
index fac01d34dc4..a1121880d51 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/query.rego
@@ -8,6 +8,8 @@ CxPolicy[result] {
 labels := resource[name].metadata.labels
+ is_string(labels[key])
+ not contains(labels[key], "${")
 regex.match("^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", labels[key]) == false
 result := {
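Review bot: The new `not contains(labels[key], "${")` line skips any value that contains `${` anywhere, which is wider than the unresolved-reference case the commit message describes: a literal label value that happens to embed `${` (invalid under the regex either way) is now silently accepted rather than flagged, and negative.tf only exercises the bare `local.env_name` form. If that trade-off is intended, state it at the guard so the next reader does not tighten or drop it, e.g. `# KICS wraps references it cannot resolve at parse time in ${...}; skip those (literals containing ${ go unchecked)`. The enclosing `CxPolicy[result]` rule starts before this hunk.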
@@ -16,8 +18,8 @@ CxPolicy[result] {
 "resourceName": tf_lib.get_resource_name(resource, name),
 "searchKey": sprintf("%s[%s].metadata.labels", [resourceType, name]),
 "issueType": "IncorrectValue",
- "keyExpectedValue": sprintf("%s[%s].metada.labels[%s] has valid label", [resourceType, name, key]),
- "keyActualValue": sprintf("%s[%s].metada.labels[%s] has invalid label", [resourceType, name, key]),
+ "keyExpectedValue": sprintf("%s[%s].metadata.labels[%s] has valid label", [resourceType, name, key]),
+ "keyActualValue": sprintf("%s[%s].metadata.labels[%s] has invalid label", [resourceType, name, key]),
 "searchLine": common_lib.build_search_line(["resource", resourceType, name, "metadata"], ["labels", key]),
 }
 }
diff --git a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
index 30e30393a79..1b78cebf957 100644
--- a/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
+++ b/assets/queries/terraform/kubernetes/metadata_label_is_invalid/test/negative.tf
@@ -3,7 +3,9 @@ resource "kubernetes_pod" "test2" {
 name = "terraform-example"
 labels = {
- app = "MyApp"
+ app = "MyApp"
+ "gateway.istio.io/defaults-for-class" = "something"
+ environment = local.env_name
 }
 }