
CKV_AWS_192: fails to recognize AWSManagedRulesKnownBadInputRuleSet as properly configured when using a dynamic configuration #6886

Open · avazula opened this issue Dec 2, 2024 · 1 comment
Labels: checks (Check additions or changes)

Comments


avazula commented Dec 2, 2024

Opening this issue which apparently stems from the same problem as described in this issue which got closed due to inactivity.

Describe the issue

Related to Terraform:
checkov fails to recognize that the rule set AWSManagedRulesKnownBadInputRuleSet is configured in a WAF web ACL if the rules configuration is set using dynamic blocks.

The other issue mentioned in the one linked above mentions input cast. Please note that I encounter the issue both when priority is set as a string or as a number (I even tried explicit cast using number()).

It also mentions that the problem could be caused by the fact that the configuration is coming from locals. I tried passing it a variable and encountered the same problem.

Examples

```hcl
  // other config of resource "aws_wafv2_web_acl" ...
  dynamic "rule" {
    for_each = var.waf_acl_rules == null ? local.waf_acl_default_rules : var.waf_acl_rules
    content {
      name     = rule.value.name
      priority = rule.value.priority
      dynamic "override_action" {
        for_each = lookup(rule.value, "override_action", null) == null ? [] : [lookup(rule.value, "override_action")]
        content {
          dynamic "count" {
            for_each = override_action.value == "count" ? ["1"] : []
            content {}
          }
          dynamic "none" {
            for_each = override_action.value == "none" ? ["1"] : []
            content {}
          }
        }
      }
      statement {
        managed_rule_group_statement {
          name        = rule.value.managed_rule_group_statement_name
          vendor_name = rule.value.managed_rule_group_statement_vendor_name
        }
      }
      visibility_config {
        cloudwatch_metrics_enabled = rule.value.cloudwatch_metrics_enabled
        metric_name                = rule.value.cloudwatch_metric_name
        sampled_requests_enabled   = rule.value.sampled_requests_enabled
      }
    }
  }
```

With the rules config defined as such:

```hcl
locals {
  waf_acl_default_rules = [ # also fails if passed as a variable instead of a local value
    // other rules ...
    {
      name                                     = "AWSManagedRulesKnownBadInputsRuleSet"
      priority                                 = 2 # also fails when equal to "2"
      override_action                          = "none"
      managed_rule_group_statement_name        = "AWSManagedRulesKnownBadInputsRuleSet"
      managed_rule_group_statement_vendor_name = "AWS"
      cloudwatch_metrics_enabled               = true
      cloudwatch_metric_name                   = "AWSManagedRulesKnownBadInputsRuleSet"
      sampled_requests_enabled                 = true
    }
  ]
}
```

Looking at the code I'm not sure what could be causing it.

Version:

  • Checkov Version: 3.2.293

Additional context

Terraform version: 1.9.2
AWS provider version: 5.77.0
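To make the failure mode concrete, here is an added illustration (not checkov's code and not a description of how its check is implemented): a hypothetical helper that expands a `dynamic "rule"` block from `local.*` values before searching for the managed rule group. With expansion disabled it sees no `rule` block at all, which is the symptom reported above; with expansion it finds the rule set. The dict layout is a simplified stand-in for python-hcl2 output (an assumption), and the sample ACL and locals are constructed for the example; `override_action` handling is left out.

```python
import re
from typing import Any, Iterator

# Hypothetical check helper (added example, not checkov's code).
REQUIRED_RULE_SET = "AWSManagedRulesKnownBadInputsRuleSet"

# Constructed locals, shaped like the issue's local.waf_acl_default_rules
LOCALS: dict[str, Any] = {
    "waf_acl_default_rules": [
        {
            "name": REQUIRED_RULE_SET,
            "priority": 2,
            "override_action": "none",
            "managed_rule_group_statement_name": REQUIRED_RULE_SET,
            "managed_rule_group_statement_vendor_name": "AWS",
        },
    ]
}

# Constructed web ACL body that only uses a dynamic "rule" block. The layout
# mimics python-hcl2 output in simplified form (assumption): blocks are lists
# of dicts and expressions are "${...}" strings.
DYNAMIC_ACL: dict[str, Any] = {
    "dynamic": [{"rule": {
        "for_each": "${local.waf_acl_default_rules}",
        "content": [{
            "name": "${rule.value.name}",
            "priority": "${rule.value.priority}",
            "statement": [{"managed_rule_group_statement": [{
                "name": "${rule.value.managed_rule_group_statement_name}",
                "vendor_name": "${rule.value.managed_rule_group_statement_vendor_name}",
            }]}],
        }],
    }}]
}

# The same rule written as a static block, for comparison
STATIC_ACL: dict[str, Any] = {
    "rule": [{
        "name": REQUIRED_RULE_SET,
        "priority": 2,
        "statement": [{"managed_rule_group_statement": [
            {"name": REQUIRED_RULE_SET, "vendor_name": "AWS"}
        ]}],
    }]
}

LOCAL_REF = re.compile(r"^\$\{local\.(\w+)\}$")
ITEM_REF = re.compile(r"^\$\{rule\.value\.(\w+)\}$")


def _resolve(value: Any, item: dict[str, Any]) -> Any:
    """Replace a ${rule.value.<attr>} reference with the element's attribute."""
    if isinstance(value, str):
        m = ITEM_REF.match(value)
        if m:
            return item.get(m.group(1))
    return value


def _expand_dynamic_rules(acl: dict[str, Any], locals_: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Turn each dynamic "rule" block into the static rules it would generate."""
    for dyn in acl.get("dynamic", []):
        spec = dyn.get("rule")
        if not spec:
            continue
        m = LOCAL_REF.match(str(spec.get("for_each", "")))
        items = locals_.get(m.group(1), []) if m else []  # only local.* is resolved here
        content = spec["content"][0]
        for item in items:
            rule: dict[str, Any] = {"name": _resolve(content.get("name"), item), "statement": []}
            for stmt in content.get("statement", []):
                groups = [{k: _resolve(v, item) for k, v in mrg.items()}
                          for mrg in stmt.get("managed_rule_group_statement", [])]
                rule["statement"].append({"managed_rule_group_statement": groups})
            yield rule


def managed_rule_groups(acl: dict[str, Any], locals_: dict[str, Any],
                        expand_dynamic: bool = True) -> list[tuple[str, str]]:
    """(vendor, name) of every managed rule group the ACL ends up with."""
    rules = list(acl.get("rule", []))
    if expand_dynamic:
        rules.extend(_expand_dynamic_rules(acl, locals_))
    found = []
    for rule in rules:
        for stmt in rule.get("statement", []):
            for mrg in stmt.get("managed_rule_group_statement", []):
                found.append((mrg.get("vendor_name"), mrg.get("name")))
    return found


def has_known_bad_inputs(acl: dict[str, Any], locals_: dict[str, Any],
                         expand_dynamic: bool = True) -> bool:
    """Presence check only; override_action is not evaluated in this example."""
    return ("AWS", REQUIRED_RULE_SET) in managed_rule_groups(acl, locals_, expand_dynamic)


if __name__ == "__main__":
    print("static:", has_known_bad_inputs(STATIC_ACL, {}))
    print("dynamic, no expansion:", has_known_bad_inputs(DYNAMIC_ACL, LOCALS, expand_dynamic=False))
    print("dynamic, expanded:", has_known_bad_inputs(DYNAMIC_ACL, LOCALS))
```

The resolver only follows a bare `local.<name>` in `for_each`; the conditional `var.waf_acl_rules == null ? local.waf_acl_default_rules : var.waf_acl_rules` from the issue would need expression evaluation on top of this, which is exactly the kind of case a static scanner tends to skip. A plan-time check against `terraform show -json` output, where the dynamic block is already expanded, avoids that limitation.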

@avazula avazula added the checks Check additions or changes label Dec 2, 2024
avazula (Author) commented Dec 2, 2024

FYI, I am encountering the same issue for CKV2_AWS_47
