Nested modules and multi-hop variable rendering 🔍

We’ve added a few more advanced Terraform capabilities to Checkov and the Bridgecrew platform!

We now support nested modules, where modules are built in a tree structure with one module referencing other sub-modules. Checkov and the platform are now able to render these into the final resource to scan for misconfigurations and drift.

We also now support multi-hop variable rendering, where there may be multiple references between the initial variable and the final value. This is possible because we now build edges in our graph that span multiple hops.

It’s a best practice to scan the Terraform code rather than the plan files as the code has more context and we support most use cases (thanks to recent advancements). However, for users who are, for whatever reason, unable to scan their Terraform code, scanning Terraform Plan files is a good alternative method. Terraform Plan files have all of the variables and modules in one file. However, making variable connections in some cases is not possible in some situations, like with locals. We now support this by augmenting the plan file with the generating HCL using the --deep-analysis-flag.