fix(misconf): safely parse rotation_period in google_kms_crypto_key (#9980)

Signed-off-by: nikpivkin <nikita.pivkin@smartforce.io>
2026-01-31 05:43:14 +08:00 · 2026-01-15 01:44:08 +06:00
parent 92d3465cee
commit a0ecc8e926
2 changed files with 28 additions and 2 deletions
--- a/pkg/iac/adapters/terraform/google/kms/adapt.go
+++ b/pkg/iac/adapters/terraform/google/kms/adapt.go
@@ -2,6 +2,7 @@ package kms

 import (
 	"strconv"
+	"strings"

 	"github.com/aquasecurity/trivy/pkg/iac/providers/google/kms"
 	"github.com/aquasecurity/trivy/pkg/iac/terraform"
@@ -45,10 +46,12 @@ func adaptKey(resource *terraform.Block) kms.Key {
 		return key
 	}
 	rotationStr := rotationPeriodAttr.Value().AsString()
-	if rotationStr[len(rotationStr)-1:] != "s" {
+	secondsStr, ok := strings.CutSuffix(rotationStr, "s")
+	if !ok {
 		return key
 	}
-	seconds, err := strconv.Atoi(rotationStr[:len(rotationStr)-1])
+
+	seconds, err := strconv.Atoi(secondsStr)
 	if err != nil {
 		return key
 	}
--- a/pkg/iac/adapters/terraform/google/kms/adapt_test.go
+++ b/pkg/iac/adapters/terraform/google/kms/adapt_test.go
@@ -81,6 +81,29 @@ func Test_adaptKeyRings(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "invalid rotation period",
+			terraform: `
+			resource "google_kms_key_ring" "keyring" {
+  name = "keyring-example"
+}
+			  
+resource "google_kms_crypto_key" "example-key" {
+  name     = "crypto-key-example"
+  key_ring = google_kms_key_ring.keyring.id
+	rotation_period = ""
+}
+`,
+			expected: []kms.KeyRing{
+				{
+					Keys: []kms.Key{
+						{
+							RotationPeriodSeconds: iacTypes.IntTest(-1),
+						},
+					},
+				},
+			},
+		},
 	}

 	for _, test := range tests {