False Positive: Metadata Label Is Invalid (bc3dabb6) for Terraform local variable interpolation

[DLTKYugalGarg]

Query ID: bc3dabb6-fd50-40f8-b9ba-7429c9f1fb0e
Query Name: Metadata Label Is Invalid
Severity: LOW
Platform: Terraform

Problem Statement

KICS incorrectly flags Kubernetes service labels as invalid when using Terraform local.* variable interpolation, even though the resolved values are valid according to Kubernetes label syntax rules.

Expected Behavior

KICS should either:

1. Resolve Terraform variables before validating label values, OR
2. Skip validation when label values contain variable interpolations, OR
3. Document this limitation in the query description

Actual Behavior

KICS validates the literal string local.variable_name against the regex pattern without resolving the Terraform variable.

Minimal Reproducible Example

# variables.tf
variable "resource_prefix" {
  type = string
  default = "my-app-"
}

variable "name" {
  type = string
  default = "service"
}

locals {
  resource_name = "${var.resource_prefix}${var.name}"
}

# service.tf
resource "kubernetes_service_v1" "example" {
  metadata {
    name      = "my-service"
    namespace = "default"
    labels = {
      app = local.resource_name  # KICS flags this as invalid
    }
  }

  spec {
    selector = {
      app = local.resource_name
    }

    port {
      port        = 80
      target_port = 8080
    }
  }
}

KICS Output

Metadata Label Is Invalid, Severity: LOW, Results: 1

Expected: kubernetes_service_v1[example].metadata.labels[app] has valid label
Actual: kubernetes_service_v1[example].metadata.labels[app] has invalid label

Analysis

The query uses this regex: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$

The literal string local.resource_name fails validation, but when resolved it becomes "my-app-service" which is perfectly valid per Kubernetes RFC 1123.

Impact

Affects projects using Terraform variables (local.*, var.*, data.*) in Kubernetes labels.

Environment

• KICS Version: 2.1.19
• Platform: Terraform
• Provider: hashicorp/kubernetes

Suggested Fix

Skip validation when label values contain Terraform interpolation syntax or use Terraform plan output for validation.

Related

Similar to #591 regarding variable interpolation support.

[kicsbot]

Please, follow the guideline for an issue title:

For bug:

bug(<scope>): <title starting with lowercase letter>

For query:

query(<platform>): <title starting with lowercase letter>

For feature request:

feat(<scope>): <title starting with lowercase letter>

Thank you!
KICS Team

[DLTKYugalGarg]

Additional Testing & Confirmation

I've confirmed the root cause through testing:

Test Case:

resource "kubernetes_service_v1" "test1" {
  metadata {
    labels = {
      app = "hardcoded-value"  # ✅ KICS PASSES
    }
  }
}

resource "kubernetes_service_v1" "test2" {
  metadata {
    labels = {
      app = local.resource_name  # ❌ KICS FAILS
    }
  }
}

Result: Only test2 triggers the violation. Hardcoded string values pass validation.

Root Cause: KICS cannot resolve Terraform variable references (local.*, var.*) and treats any label value containing variable interpolation as invalid, regardless of what the resolved value would be.

The regex pattern itself is correct and would accept the resolved value, but KICS performs static analysis on the unparsed Terraform syntax.

[DLTKYugalGarg]

Context from KICS Documentation & Related Issues

KICS Variable Resolution Capabilities

According to KICS Terraform documentation:

What KICS Supports:

• Variables from *.auto.tfvars files and default variable values
• --terraform-vars-path flag to specify variable files
• Comment-based variable file references: // kics_terraform_vars: path/to/terraform/vars.tf

What KICS Does NOT Support:

• Functions and environment variables
• Variables used as function parameters (parsed as wrapped expressions)
• Unofficial or custom Terraform modules

Related Issues

Issue #591 (Support data sources for queries related with policies) - RESOLVED

• Similar problem: KICS couldn't parse ${data.aws_iam_policy_document.iam_policy_eks.json}
• Fixed in PR feat(engine): Added data source policy to terraform #4409 for data sources in policies
• However, this fix appears specific to IAM policy data sources, not general local variable resolution

Current Gap

While KICS can resolve variables from .tfvars files, it does not appear to resolve Terraform locals blocks during static analysis. This is the root cause of our false positive:

# KICS cannot resolve this
locals {
  resource_name = "${var.resource_prefix}${var.name}"
}

# Even if we provide all variables via --terraform-vars-path
# KICS still flags this as invalid
labels = {
  app = local.resource_name  # Treated as literal string, not resolved
}

Suggestion: Extend variable resolution support to include locals blocks, similar to how issue #591 added support for data sources.