From 336c000846300d6e377193cbb1600ccaee865e66 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kaan=20Kat=C4=B1rc=C4=B1o=C4=9Flu?=
 <32440802+Kudbettin@users.noreply.github.com>
Date: Fri, 15 Jan 2021 13:50:11 +0300
Subject: [PATCH] Handling unresolvable references (#446)

* partial fix

* tests and Changelog
---
 CHANGELOG.md                                  |  3 ++
 terraform_compliance/extensions/terraform.py  | 43 +++++++++++++++-
 tests/functional/test_issue-424/main.tf       | 28 ++++++++++
 .../test_issue-424/modules/ecr_module/main.tf | 51 +++++++++++++++++++
 tests/functional/test_issue-424/plan.out.json |  1 +
 tests/functional/test_issue-424/test.feature  |  8 +++
 tests/functional/test_issue-424/variables.tf  | 25 +++++++++
 7 files changed, 158 insertions(+), 1 deletion(-)
 create mode 100644 tests/functional/test_issue-424/main.tf
 create mode 100644 tests/functional/test_issue-424/modules/ecr_module/main.tf
 create mode 100644 tests/functional/test_issue-424/plan.out.json
 create mode 100644 tests/functional/test_issue-424/test.feature
 create mode 100644 tests/functional/test_issue-424/variables.tf

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 496b90a4..05328623 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # CHANGELOG
 
+## Unreleased
+* Fixed an issue where ambigious references were breaking during parsing. ([#446](https://github.com/terraform-compliance/cli/pull/446))
+
 ## 1.3.9 (2020-01-10)
 * Fixed an issue where incorrect `ref_type` format were breaking during parsing. ([#444](https://github.com/eerkunt/terraform-compliance/pull/444))
 * Fixed an issue where \x08 character was breaking JUnit XML conversion during provider version_constraint checks. ([#432](https://github.com/eerkunt/terraform-compliance/pull/432))
diff --git a/terraform_compliance/extensions/terraform.py b/terraform_compliance/extensions/terraform.py
index 8174cce1..c48bc147 100644
--- a/terraform_compliance/extensions/terraform.py
+++ b/terraform_compliance/extensions/terraform.py
@@ -2,6 +2,7 @@
 from terraform_compliance.common.helper import seek_key_in_dict, flatten_list, Match, merge_dicts, remove_constant_values
 import sys
 from copy import deepcopy
+from radish.utils import console_write
 from terraform_compliance.common.defaults import Defaults
 from terraform_compliance.extensions.cache import Cache
 from terraform_compliance.common.exceptions import TerraformComplianceInternalFailure
@@ -357,7 +358,47 @@ def _mount_references(self):
                             valid_references = [r for r in ref['references'] if not r.startswith(invalid_references)]
 
                     for ref in valid_references:
-                        if key not in ref_list:
+                        # if ref is not in the correct format, handle it
+                        if len(ref.split('.')) < 3 and ref.startswith('module'):
+                            
+                            # Using for_each and modules together may introduce an issue where the plan.out.json won't include the necessary third part of the reference
+                            # It is partially resolved by mounting the reference to all instances belonging to the module
+                            if 'for_each_expression' in self.configuration['resources'][resource]:
+
+                                # extract source resources
+                                assumed_source_resources = [k for k in self.resources.keys() if k.startswith(resource)]
+                                # extract for_each keys
+                                assumed_for_each_keys = [k[len(resource):].split('.')[0] for k in assumed_source_resources]
+                                # combine ref with for each keys
+                                assumed_refs = ['{}{}'.format(ref, key) for key in assumed_for_each_keys]
+                                # get all the resources that start with updated ref
+                                ambigious_references = []
+                                for r in self.resources.keys():
+                                    for assumed_ref in assumed_refs:
+                                        if r.startswith(assumed_ref):
+                                            if key in ref_list:
+                                                ref_list[key].append(r)
+                                            else:
+                                                ref_list[key] = [r]
+
+                                            ambigious_references.append(r)
+
+                                # throw a warning
+                                defaults = Defaults()
+                                console_write('{} {}: {}'.format(defaults.warning_icon,
+                                       defaults.warning_colour('WARNING (Mounting)'),
+                                       defaults.info_colour('The reference "{}" in resource {} is ambigious.'
+                                        ' It will be mounted to the following resources:').format(ref, resource)))
+                                for i, r in enumerate(ambigious_references, 1):
+                                    console_write(defaults.info_colour('{}. {}'.format(i, r)))
+                                
+                            # if the reference can not be resolved, warn the user and continue.
+                            else: 
+                                console_write('{} {}: {}'.format(Defaults().warning_icon,
+                                       Defaults().warning_colour('WARNING (Mounting)'),
+                                       Defaults().info_colour('The reference "{}" in resource {} is ambigious. It will not be mounted.'.format(ref, resource))))
+                                continue
+                        elif key not in ref_list:
                             ref_list[key] = self._find_resource_from_name(ref)
                         else:
                             ref_list[key].extend(self._find_resource_from_name(ref))
diff --git a/tests/functional/test_issue-424/main.tf b/tests/functional/test_issue-424/main.tf
new file mode 100644
index 00000000..c4b03dcd
--- /dev/null
+++ b/tests/functional/test_issue-424/main.tf
@@ -0,0 +1,28 @@
+module "ecr_repository" {
+  source   = "./modules/ecr_module"
+  for_each = var.ecr_repositories
+
+  name          = each.key
+  scan_on_push  = each.value.scan_on_push
+}
+
+
+resource "aws_iam_role" "test_iam_role" {
+  for_each           = var.ecr_repositories
+  name               = module.ecr_repository[each.key].ecr_name
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "ec2.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+}
\ No newline at end of file
diff --git a/tests/functional/test_issue-424/modules/ecr_module/main.tf b/tests/functional/test_issue-424/modules/ecr_module/main.tf
new file mode 100644
index 00000000..b5f62427
--- /dev/null
+++ b/tests/functional/test_issue-424/modules/ecr_module/main.tf
@@ -0,0 +1,51 @@
+variable "name" {
+  type = string
+}
+
+variable "scan_on_push" {
+  type    = string
+  default = true
+}
+
+resource "aws_ecr_repository" "ecr_repository" {
+  name                 = var.name
+  image_tag_mutability =  "IMMUTABLE" 
+
+  image_scanning_configuration {
+    scan_on_push = var.scan_on_push
+  }
+
+}
+
+data "aws_ami" "ubuntu" {
+  most_recent = true
+
+  filter {
+    name   = "name"
+    values = ["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]
+  }
+
+  filter {
+    name   = "virtualization-type"
+    values = ["hvm"]
+  }
+
+  owners = ["099720109477"] # Canonical
+}
+
+resource "aws_instance" "ecr_repository" {
+  ami           = data.aws_ami.ubuntu.id
+  instance_type = "t3.micro"
+
+  tags = {
+    Name = "HelloWorld"
+  }
+}
+
+output "ecr_name" {
+  value = aws_ecr_repository.ecr_repository.id
+}
+
+output "not_ecr_name" {
+  value = 1234
+}
\ No newline at end of file
diff --git a/tests/functional/test_issue-424/plan.out.json b/tests/functional/test_issue-424/plan.out.json
new file mode 100644
index 00000000..00a15258
--- /dev/null
+++ b/tests/functional/test_issue-424/plan.out.json
@@ -0,0 +1 @@
+{"format_version":"0.1","terraform_version":"0.13.5","variables":{"ecr_repositories":{"value":{"repository_1":{"image_tag_mutability":"MUTABLE","name":"bar3","scan_on_push":false},"repository_2":{"image_tag_mutability":"MUTABLE","name":"bar2","scan_on_push":true}}}},"planned_values":{"root_module":{"resources":[{"address":"aws_iam_role.test_iam_role[\"repository_1\"]","mode":"managed","type":"aws_iam_role","name":"test_iam_role","index":"repository_1","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"assume_role_policy":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n","description":null,"force_detach_policies":false,"max_session_duration":3600,"name":"1234","name_prefix":null,"path":"/","permissions_boundary":null,"tags":null}},{"address":"aws_iam_role.test_iam_role[\"repository_2\"]","mode":"managed","type":"aws_iam_role","name":"test_iam_role","index":"repository_2","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"assume_role_policy":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n","description":null,"force_detach_policies":false,"max_session_duration":3600,"name":"1234","name_prefix":null,"path":"/","permissions_boundary":null,"tags":null}}],"child_modules":[{"resources":[{"address":"module.ecr_repository[\"repository_1\"].aws_ecr_repository.ecr_repository","mode":"managed","type":"aws_ecr_repository","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"encryption_configuration":[],"image_scanning_configuration":[{"scan_on_push":false}],"image_tag_mutability":"IMMUTABLE","name":"repository_1","tags":null,"timeouts":null}},{"address":"module.ecr_repository[\"repository_1\"].aws_instance.ecr_repository","mode":"managed","type":"aws_instance","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":1,"values":{"ami":"ami-034bf895b736be04a","credit_specification":[],"disable_api_termination":null,"ebs_optimized":null,"get_password_data":false,"hibernation":null,"iam_instance_profile":null,"instance_initiated_shutdown_behavior":null,"instance_type":"t3.micro","monitoring":null,"source_dest_check":true,"tags":{"Name":"HelloWorld"},"timeouts":null,"user_data":null,"user_data_base64":null}}],"address":"module.ecr_repository[\"repository_1\"]"},{"resources":[{"address":"module.ecr_repository[\"repository_2\"].aws_ecr_repository.ecr_repository","mode":"managed","type":"aws_ecr_repository","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"encryption_configuration":[],"image_scanning_configuration":[{"scan_on_push":true}],"image_tag_mutability":"IMMUTABLE","name":"repository_2","tags":null,"timeouts":null}},{"address":"module.ecr_repository[\"repository_2\"].aws_instance.ecr_repository","mode":"managed","type":"aws_instance","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":1,"values":{"ami":"ami-034bf895b736be04a","credit_specification":[],"disable_api_termination":null,"ebs_optimized":null,"get_password_data":false,"hibernation":null,"iam_instance_profile":null,"instance_initiated_shutdown_behavior":null,"instance_type":"t3.micro","monitoring":null,"source_dest_check":true,"tags":{"Name":"HelloWorld"},"timeouts":null,"user_data":null,"user_data_base64":null}}],"address":"module.ecr_repository[\"repository_2\"]"}]}},"resource_changes":[{"address":"aws_iam_role.test_iam_role[\"repository_1\"]","mode":"managed","type":"aws_iam_role","name":"test_iam_role","index":"repository_1","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"assume_role_policy":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n","description":null,"force_detach_policies":false,"max_session_duration":3600,"name":"1234","name_prefix":null,"path":"/","permissions_boundary":null,"tags":null},"after_unknown":{"arn":true,"create_date":true,"id":true,"unique_id":true}}},{"address":"aws_iam_role.test_iam_role[\"repository_2\"]","mode":"managed","type":"aws_iam_role","name":"test_iam_role","index":"repository_2","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"assume_role_policy":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n","description":null,"force_detach_policies":false,"max_session_duration":3600,"name":"1234","name_prefix":null,"path":"/","permissions_boundary":null,"tags":null},"after_unknown":{"arn":true,"create_date":true,"id":true,"unique_id":true}}},{"address":"module.ecr_repository[\"repository_1\"].aws_ecr_repository.ecr_repository","module_address":"module.ecr_repository[\"repository_1\"]","mode":"managed","type":"aws_ecr_repository","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"encryption_configuration":[],"image_scanning_configuration":[{"scan_on_push":false}],"image_tag_mutability":"IMMUTABLE","name":"repository_1","tags":null,"timeouts":null},"after_unknown":{"arn":true,"encryption_configuration":[],"id":true,"image_scanning_configuration":[{}],"registry_id":true,"repository_url":true}}},{"address":"module.ecr_repository[\"repository_1\"].aws_instance.ecr_repository","module_address":"module.ecr_repository[\"repository_1\"]","mode":"managed","type":"aws_instance","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"ami":"ami-034bf895b736be04a","credit_specification":[],"disable_api_termination":null,"ebs_optimized":null,"get_password_data":false,"hibernation":null,"iam_instance_profile":null,"instance_initiated_shutdown_behavior":null,"instance_type":"t3.micro","monitoring":null,"source_dest_check":true,"tags":{"Name":"HelloWorld"},"timeouts":null,"user_data":null,"user_data_base64":null},"after_unknown":{"arn":true,"associate_public_ip_address":true,"availability_zone":true,"cpu_core_count":true,"cpu_threads_per_core":true,"credit_specification":[],"ebs_block_device":true,"enclave_options":true,"ephemeral_block_device":true,"host_id":true,"id":true,"instance_state":true,"ipv6_address_count":true,"ipv6_addresses":true,"key_name":true,"metadata_options":true,"network_interface":true,"outpost_arn":true,"password_data":true,"placement_group":true,"primary_network_interface_id":true,"private_dns":true,"private_ip":true,"public_dns":true,"public_ip":true,"root_block_device":true,"secondary_private_ips":true,"security_groups":true,"subnet_id":true,"tags":{},"tenancy":true,"volume_tags":true,"vpc_security_group_ids":true}}},{"address":"module.ecr_repository[\"repository_2\"].aws_ecr_repository.ecr_repository","module_address":"module.ecr_repository[\"repository_2\"]","mode":"managed","type":"aws_ecr_repository","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"encryption_configuration":[],"image_scanning_configuration":[{"scan_on_push":true}],"image_tag_mutability":"IMMUTABLE","name":"repository_2","tags":null,"timeouts":null},"after_unknown":{"arn":true,"encryption_configuration":[],"id":true,"image_scanning_configuration":[{}],"registry_id":true,"repository_url":true}}},{"address":"module.ecr_repository[\"repository_2\"].aws_instance.ecr_repository","module_address":"module.ecr_repository[\"repository_2\"]","mode":"managed","type":"aws_instance","name":"ecr_repository","provider_name":"registry.terraform.io/hashicorp/aws","change":{"actions":["create"],"before":null,"after":{"ami":"ami-034bf895b736be04a","credit_specification":[],"disable_api_termination":null,"ebs_optimized":null,"get_password_data":false,"hibernation":null,"iam_instance_profile":null,"instance_initiated_shutdown_behavior":null,"instance_type":"t3.micro","monitoring":null,"source_dest_check":true,"tags":{"Name":"HelloWorld"},"timeouts":null,"user_data":null,"user_data_base64":null},"after_unknown":{"arn":true,"associate_public_ip_address":true,"availability_zone":true,"cpu_core_count":true,"cpu_threads_per_core":true,"credit_specification":[],"ebs_block_device":true,"enclave_options":true,"ephemeral_block_device":true,"host_id":true,"id":true,"instance_state":true,"ipv6_address_count":true,"ipv6_addresses":true,"key_name":true,"metadata_options":true,"network_interface":true,"outpost_arn":true,"password_data":true,"placement_group":true,"primary_network_interface_id":true,"private_dns":true,"private_ip":true,"public_dns":true,"public_ip":true,"root_block_device":true,"secondary_private_ips":true,"security_groups":true,"subnet_id":true,"tags":{},"tenancy":true,"volume_tags":true,"vpc_security_group_ids":true}}}],"prior_state":{"format_version":"0.1","terraform_version":"0.13.5","values":{"root_module":{"child_modules":[{"resources":[{"address":"module.ecr_repository[\"repository_1\"].data.aws_ami.ubuntu","mode":"data","type":"aws_ami","name":"ubuntu","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"architecture":"x86_64","arn":"arn:aws:ec2:us-west-1::image/ami-034bf895b736be04a","block_device_mappings":[{"device_name":"/dev/sda1","ebs":{"delete_on_termination":"true","encrypted":"false","iops":"0","snapshot_id":"snap-071154d47d9e5bbd0","volume_size":"8","volume_type":"gp2"},"no_device":"","virtual_name":""},{"device_name":"/dev/sdb","ebs":{},"no_device":"","virtual_name":"ephemeral0"},{"device_name":"/dev/sdc","ebs":{},"no_device":"","virtual_name":"ephemeral1"}],"creation_date":"2021-01-09T01:45:28.000Z","description":"Canonical, Ubuntu, 20.04 LTS, amd64 focal image build on 2021-01-08","executable_users":null,"filter":[{"name":"name","values":["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]},{"name":"virtualization-type","values":["hvm"]}],"hypervisor":"xen","id":"ami-034bf895b736be04a","image_id":"ami-034bf895b736be04a","image_location":"099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210108","image_owner_alias":null,"image_type":"machine","kernel_id":null,"most_recent":true,"name":"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210108","name_regex":null,"owner_id":"099720109477","owners":["099720109477"],"platform":null,"product_codes":[],"public":true,"ramdisk_id":null,"root_device_name":"/dev/sda1","root_device_type":"ebs","root_snapshot_id":"snap-071154d47d9e5bbd0","sriov_net_support":"simple","state":"available","state_reason":{"code":"UNSET","message":"UNSET"},"tags":{},"virtualization_type":"hvm"}}],"address":"module.ecr_repository[\"repository_1\"]"},{"resources":[{"address":"module.ecr_repository[\"repository_2\"].data.aws_ami.ubuntu","mode":"data","type":"aws_ami","name":"ubuntu","provider_name":"registry.terraform.io/hashicorp/aws","schema_version":0,"values":{"architecture":"x86_64","arn":"arn:aws:ec2:us-west-1::image/ami-034bf895b736be04a","block_device_mappings":[{"device_name":"/dev/sda1","ebs":{"delete_on_termination":"true","encrypted":"false","iops":"0","snapshot_id":"snap-071154d47d9e5bbd0","volume_size":"8","volume_type":"gp2"},"no_device":"","virtual_name":""},{"device_name":"/dev/sdb","ebs":{},"no_device":"","virtual_name":"ephemeral0"},{"device_name":"/dev/sdc","ebs":{},"no_device":"","virtual_name":"ephemeral1"}],"creation_date":"2021-01-09T01:45:28.000Z","description":"Canonical, Ubuntu, 20.04 LTS, amd64 focal image build on 2021-01-08","executable_users":null,"filter":[{"name":"name","values":["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]},{"name":"virtualization-type","values":["hvm"]}],"hypervisor":"xen","id":"ami-034bf895b736be04a","image_id":"ami-034bf895b736be04a","image_location":"099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210108","image_owner_alias":null,"image_type":"machine","kernel_id":null,"most_recent":true,"name":"ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20210108","name_regex":null,"owner_id":"099720109477","owners":["099720109477"],"platform":null,"product_codes":[],"public":true,"ramdisk_id":null,"root_device_name":"/dev/sda1","root_device_type":"ebs","root_snapshot_id":"snap-071154d47d9e5bbd0","sriov_net_support":"simple","state":"available","state_reason":{"code":"UNSET","message":"UNSET"},"tags":{},"virtualization_type":"hvm"}}],"address":"module.ecr_repository[\"repository_2\"]"}]}}},"configuration":{"root_module":{"resources":[{"address":"aws_iam_role.test_iam_role","mode":"managed","type":"aws_iam_role","name":"test_iam_role","provider_config_key":"aws","expressions":{"assume_role_policy":{"constant_value":"{\n  \"Version\": \"2012-10-17\",\n  \"Statement\": [\n    {\n      \"Action\": \"sts:AssumeRole\",\n      \"Principal\": {\n        \"Service\": \"ec2.amazonaws.com\"\n      },\n      \"Effect\": \"Allow\",\n      \"Sid\": \"\"\n    }\n  ]\n}\n"},"name":{"references":["module.ecr_repository","each.key"]}},"schema_version":0,"for_each_expression":{"references":["var.ecr_repositories"]}}],"module_calls":{"ecr_repository":{"source":"./modules/ecr_module","expressions":{"name":{"references":["each.key"]},"scan_on_push":{"references":["each.value"]}},"for_each_expression":{"references":["var.ecr_repositories"]},"module":{"outputs":{"ecr_name":{"expression":{"references":["aws_ecr_repository.ecr_repository"]}},"not_ecr_name":{"expression":{"constant_value":1234}}},"resources":[{"address":"aws_ecr_repository.ecr_repository","mode":"managed","type":"aws_ecr_repository","name":"ecr_repository","provider_config_key":"ecr_repository:aws","expressions":{"image_scanning_configuration":[{"scan_on_push":{"references":["var.scan_on_push"]}}],"image_tag_mutability":{"constant_value":"IMMUTABLE"},"name":{"references":["var.name"]}},"schema_version":0},{"address":"aws_instance.ecr_repository","mode":"managed","type":"aws_instance","name":"ecr_repository","provider_config_key":"ecr_repository:aws","expressions":{"ami":{"references":["data.aws_ami.ubuntu"]},"instance_type":{"constant_value":"t3.micro"},"tags":{"constant_value":{"Name":"HelloWorld"}}},"schema_version":1},{"address":"data.aws_ami.ubuntu","mode":"data","type":"aws_ami","name":"ubuntu","provider_config_key":"ecr_repository:aws","expressions":{"filter":[{"name":{"constant_value":"name"},"values":{"constant_value":["ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*"]}},{"name":{"constant_value":"virtualization-type"},"values":{"constant_value":["hvm"]}}],"most_recent":{"constant_value":true},"owners":{"constant_value":["099720109477"]}},"schema_version":0}],"variables":{"name":{},"scan_on_push":{"default":"true"}}}}},"variables":{"ecr_repositories":{"default":{"repository_1":{"image_tag_mutability":"MUTABLE","name":"bar3","scan_on_push":false},"repository_2":{"image_tag_mutability":"MUTABLE","name":"bar2","scan_on_push":true}}}}}}}
diff --git a/tests/functional/test_issue-424/test.feature b/tests/functional/test_issue-424/test.feature
new file mode 100644
index 00000000..143086d5
--- /dev/null
+++ b/tests/functional/test_issue-424/test.feature
@@ -0,0 +1,8 @@
+Feature: Feature for issue 424
+	
+	Scenario: Dummy scenario
+		Given I have aws_ecr_repository defined
+		Then it must have image_scanning_configuration
+		Given I have aws_iam_role defined
+		Then it must have Statement
+		
\ No newline at end of file
diff --git a/tests/functional/test_issue-424/variables.tf b/tests/functional/test_issue-424/variables.tf
new file mode 100644
index 00000000..c7c7dfb4
--- /dev/null
+++ b/tests/functional/test_issue-424/variables.tf
@@ -0,0 +1,25 @@
+variable ecr_repositories {
+	type = map
+	default = {
+		repository_1 = {
+			name                 = "bar1"
+			image_tag_mutability = "MUTABLE"
+
+			scan_on_push = true
+		},
+		repository_2 = {
+			name                 = "bar2"
+			image_tag_mutability = "MUTABLE"
+
+			scan_on_push = true
+		},
+		repository_1 = {
+			name                 = "bar3"
+			image_tag_mutability = "MUTABLE"
+
+			scan_on_push = false
+		}
+
+	}
+}
+