Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(misconf): load full Terraform module #7924

Closed
2 tasks done
nikpivkin opened this issue Nov 15, 2024 Discussed in #7920 · 0 comments · Fixed by #7925
Closed
2 tasks done

fix(misconf): load full Terraform module #7924

nikpivkin opened this issue Nov 15, 2024 Discussed in #7920 · 0 comments · Fixed by #7925
Assignees
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Milestone

Comments

@nikpivkin
Copy link
Contributor

If the source contains a submodule, then the entire module must be loaded, not just the submodule.

Discussed in #7920

Originally posted by serpro69 November 14, 2024

Description

Trivy reports terraform modules with git sources as not found.

Terraform code works fine, so it's probably something on the trivy side that it can't handle a module with a git source?

Desired Behavior

Should resolve git-based terraform modules w/o errors

Actual Behavior

➜ trivy conf --exit-code 42 --tf-vars vars/test.tfvars .
2024-11-14T15:02:59+01:00       INFO    [misconfig] Misconfiguration scanning is enabled
2024-11-14T15:02:59+01:00       INFO    [misconfig] Need to update the built-in checks
2024-11-14T15:02:59+01:00       INFO    [misconfig] Downloading the built-in checks...
2024-11-14T15:02:59+01:00       ERROR   [misconfig] Falling back to embedded checks     err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 100.821µs, allowed: 44000/minute\n\n"
2024-11-14T15:03:02+01:00       INFO    [terraform scanner] Scanning root module        file_path="."
2024-11-14T15:03:02+01:00       WARN    [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.       module="root" variables="billing_account, sec_intercom_hmac_key, sec_kc_admin_username, sec_kc_db_username, sec_poly_api_auth_token_dev, sec_poly_api_auth_token_prod, sec_sendgrid_api_key, sec_sendgrid_template_id, sec_twilio_account_sid, sec_twilio_auth_token, sec_twilio_phone_number"
2024-11-14T15:03:02+01:00       ERROR   [terraform evaluator] Failed to load module. Maybe try 'terraform init'?        err="open modules/wif: no such file or directory"
2024-11-14T15:03:02+01:00       ERROR   [terraform evaluator] Failed to load module. Maybe try 'terraform init'?        err="open modules/project: no such file or directory"
2024-11-14T15:03:02+01:00       ERROR   [terraform evaluator] Failed to load module. Maybe try 'terraform init'?        err="open modules/project: no such file or directory"
2024-11-14T15:03:02+01:00       ERROR   [terraform evaluator] Failed to load module. Maybe try 'terraform init'?        err="open modules/project: no such file or directory"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-compute-vm-disk-encryption-customer-key" range="idp/compute_vm.tf:96-106"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-sql-encrypt-in-transit-data" range="idp/cloud_sql.tf:90-95"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-sql-enable-backup" range="idp/cloud_sql.tf:44"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-iam-no-user-granted-permissions" range="storage/iam.tf:40"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-compute-no-public-ip" range="idp/compute_vm.tf:121-125"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-iam-no-project-level-service-account-impersonation" range="../modules/service_account/main.tf:30"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-iam-no-project-level-default-service-account-assignment" range="storage/iam.tf:21"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-iam-no-project-level-default-service-account-assignment" range="storage/iam.tf:21"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-iam-no-project-level-default-service-account-assignment" range="idp/iam.tf:22"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-compute-enable-shielded-vm-sb" range="idp/compute_vm.tf:145"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-storage-no-public-access" range="storage/iam.tf:107"
2024-11-14T15:03:02+01:00       INFO    [terraform executor] Ignore finding     rule="google-storage-bucket-encryption-customer-key" range="storage/main.tf:61-115"
2024-11-14T15:03:02+01:00       INFO    Detected config files   num=52

Reproduction Steps

1. Add a module with git source


module "project" {
  source           = "github.com/serpro69/terraform-google-modules//modules/project"
  billing_account  = "0123567890"
  folder_id        = "my-folder"
  project_id       = "my-project-id"
  project_name     = "my-project-name"
}



2. `terraform init`

3. `trivy conf --exit-code 42 --tf-vars vars/default.tfvars .`

Target

None

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

2024-11-14T15:13:51+01:00       DEBUG   [terraform evaluator] Using module from Terraform cache .terraform/modules      source="./storage"
2024-11-14T15:13:51+01:00       DEBUG   [terraform evaluator] Loaded module     name="storage" file_path="storage"
2024-11-14T15:13:51+01:00       DEBUG   [terraform evaluator] Module resolved using modules.json        block="module.project[\"idp\"]" source="github.com/serpro69/terraform-google-modules//modules/project?ref=master" modulePath=".terraform/modules/project/modules/project/modules/project?ref=master"
2024-11-14T15:13:51+01:00       DEBUG   [terraform parser] Parsing FS   module="project[\"idp\"]" file_path=".terraform/modules/project/modules/project/modules/project?ref=master"
2024-11-14T15:13:51+01:00       DEBUG   [terraform evaluator] Locating non-initialized module   source="github.com/serpro69/terraform-google-modules//modules/project?ref=master"
2024-11-14T15:13:51+01:00       DEBUG   [module resolver] Resolving module      name="module.project[\"idp\"]" source="github.com/serpro69/terraform-google-modules//modules/project?ref=master"
2024-11-14T15:13:51+01:00       DEBUG   [module resolver] Trying to resolve module via cache    key="5b3ddd3477c1957ae75673655e5435ad"
2024-11-14T15:13:51+01:00       DEBUG   [module resolver] Module resolved from cache    key="5b3ddd3477c1957ae75673655e5435ad"
2024-11-14T15:13:51+01:00       DEBUG   [module resolver] Module resolved       file_path="modules/project"
2024-11-14T15:13:51+01:00       DEBUG   [terraform evaluator] Module resolved   block="module.project[\"idp\"]" source="github.com/serpro69/terraform-google-modules//modules/project?ref=master" prefix="github.com/serpro69/terraform-google-modules/modules/project?ref=master" file_path="modules/project"
2024-11-14T15:13:51+01:00       DEBUG   [terraform parser] Parsing FS   module="project[\"idp\"]" file_path="modules/project"
2024-11-14T15:13:51+01:00       ERROR   [terraform evaluator] Failed to load module. Maybe try 'terraform init'?        err="open modules/project: no such file or directory"

Operating System

Linux serenity 6.9.3-76060903-generic

Version

Version: 0.56.2
Check Bundle:
  Digest: sha256:9cc30e6eb1c0dc0b4a4791b61c3dbff8799d08daeac893c08317e7b054ecab14
  DownloadedAt: 2024-11-14 14:13:35.337774399 +0000 UTC

Checklist

@nikpivkin nikpivkin added kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning labels Nov 15, 2024
@nikpivkin nikpivkin self-assigned this Nov 15, 2024
@simar7 simar7 added this to the v0.58.0 milestone Nov 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/bug Categorizes issue or PR as related to a bug. scan/misconfiguration Issues relating to misconfiguration scanning
Projects
Status: No status
Development

Successfully merging a pull request may close this issue.

2 participants