bug(misconf): terraform local cache is ignored #6603

Closed
1 of 2 tasks
nikpivkin opened this issue May 2, 2024 Discussed in #6552 · 0 comments · Fixed by #6607
@nikpivkin
Contributor

Discussed in #6552

Originally posted by cawolf April 24, 2024

### Description

When using trivy for our terraform configuration, we ran into an issue regarding the local terraform cache located in .terraform. Trivy 0.50.2 seems to ignore the local cache completely, and instead tries to fetch the modules remotely. In our special case, this leads to a subsequent error (we are using the GitLab terraform registry, which is currently not supported by trivy), which makes trivy not runnable for us.

After some debugging, we found that the filesystem used to open the .terraform/modules/modules.json file is filtered down to terraform files only (".tf", ".tf.json", ".tfvars"), and thus is not able to open the modules.json file ever. Naively fixing the file pkg/iac/detection/detect.go:247 to also contain the modules.json file fixes the problem locally for us.

### Desired Behavior

The terraform cache in .terraform should be used.

### Actual Behavior

The terraform cache in .terraform is ignored; the debug log outputs:

```
Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
```

### Reproduction Steps

1. create a minimal terraform file `main.tf` with e.g. the AWS IAM user module

   ```hcl
   # main.tf
   # example copied from the module documentation
   module "iam_user" {
     source  = "terraform-aws-modules/iam/aws//modules/iam-user"

     name          = "vasya.pupkin"
     force_destroy = true

     pgp_key = "keybase:test"

     password_reset_required = false
   }
   ```

2. run `terraform version`

   ```
   Terraform v1.8.1
   on linux_amd64
   ```

3. run `terraform init`

   ```
   Initializing the backend...
   Initializing modules...
   Downloading registry.terraform.io/terraform-aws-modules/iam/aws 5.39.0 for iam_user...
   - iam_user in .terraform/modules/iam_user/modules/iam-user

   Initializing provider plugins...
   - Finding hashicorp/aws versions matching ">= 4.0.0"...
   - Installing hashicorp/aws v5.46.0...
   - Installed hashicorp/aws v5.46.0 (signed by HashiCorp)

   Terraform has created a lock file .terraform.lock.hcl to record the provider
   selections it made above. Include this file in your version control repository
   so that Terraform can guarantee to make the same selections by default when
   you run "terraform init" in the future.

   Terraform has been successfully initialized!

   You may now begin working with Terraform. Try running "terraform plan" to see
   any changes that are required for your infrastructure. All Terraform commands
   should now work.

   If you ever set or change modules or backend configuration for Terraform,
   rerun this command to reinitialize your working directory. If you forget, other
   commands will detect it and remind you to do so if necessary.
   ```

4. run `trivy config .`


### Target

None

### Scanner

Misconfiguration

### Output Format

Table

### Mode

Standalone

### Debug Output

```bash
...
2024-04-24T08:54:59.920+0200    DEBUG   [misconf] 54:59.920196191 terraform.parser.<root>          Added file main.tf.
2024-04-24T08:54:59.920+0200    DEBUG   [misconf] 54:59.920225787 terraform.parser.<root>          Evaluating module...
2024-04-24T08:54:59.920+0200    DEBUG   [misconf] 54:59.920340745 terraform.parser.<root>          Read 1 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-04-24T08:54:59.920+0200    DEBUG   [misconf] 54:59.920378577 terraform.parser.<root>          Added 5 variables from tfvars.
2024-04-24T08:54:59.920+0200    DEBUG   [misconf] 54:59.920406751 terraform.parser.<root>          Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-04-24T08:54:59.920+0200    DEBUG   [misconf] 54:59.920446767 terraform.parser.<root>          Working directory for module evaluation is '/tmp/trivy-modules-json'
...
```

### Operating System

Ubuntu 22.04.4 LTS

### Version

```
Version: 0.50.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-23 06:12:13.734267443 +0000 UTC
  NextUpdate: 2024-04-23 12:12:13.734267082 +0000 UTC
  DownloadedAt: 2024-04-23 10:15:27.780912418 +0000 UTC
Policy Bundle:
  Digest: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
  DownloadedAt: 2024-04-23 08:54:28.796570668 +0000 UTC
```

### Checklist
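The following Go program is an added illustration of the failure mode reported above; it is not trivy's code and does not reproduce `pkg/iac/detection/detect.go`. It models a scan filesystem that only exposes paths accepted by a predicate, places the extension-only filter described in the report beside a corrected one that also admits `modules.json`, and resolves the `iam_user` module call against an in-memory copy of the workspace from the reproduction steps. The names `filteredFS`, `ResolveModuleDir`, `IsTerraformSource` and `IsTerraformSourceOrCache` are hypothetical, and the `modules.json` contents are a constructed sample in the layout `terraform init` writes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"path"
	"strings"
	"testing/fstest"
)

// ModulesJSONPath is where `terraform init` records the module cache
// (the path quoted in the issue's "file does not exist" error).
const ModulesJSONPath = ".terraform/modules/modules.json"

// IsTerraformSource mirrors the extension filter the issue describes:
// only .tf, .tf.json and .tfvars files are visible through the scan filesystem.
func IsTerraformSource(name string) bool {
	return strings.HasSuffix(name, ".tf") ||
		strings.HasSuffix(name, ".tf.json") ||
		strings.HasSuffix(name, ".tfvars")
}

// IsTerraformSourceOrCache is the corrected filter (hypothetical name): it
// additionally admits the module cache manifest so the local cache can be read.
func IsTerraformSourceOrCache(name string) bool {
	return IsTerraformSource(name) || path.Base(name) == "modules.json"
}

// filteredFS reports every path rejected by allow as non-existent, which is
// the behaviour of the filtered filesystem the issue debugged.
type filteredFS struct {
	inner fs.FS
	allow func(string) bool
}

func (f filteredFS) Open(name string) (fs.File, error) {
	if !f.allow(name) {
		return nil, &fs.PathError{Op: "open", Path: name, Err: fs.ErrNotExist}
	}
	return f.inner.Open(name)
}

// moduleRecord and modulesManifest follow the layout of Terraform's modules.json.
type moduleRecord struct {
	Key     string `json:"Key"`
	Source  string `json:"Source"`
	Version string `json:"Version,omitempty"`
	Dir     string `json:"Dir"`
}

type modulesManifest struct {
	Modules []moduleRecord `json:"Modules"`
}

// ResolveModuleDir returns the cached directory for the module call key.
// ok == false means the manifest was not readable through fsys, i.e. a scanner
// would have to fall back to fetching the module remotely.
func ResolveModuleDir(fsys fs.FS, key string) (dir string, ok bool) {
	data, err := fs.ReadFile(fsys, ModulesJSONPath)
	if err != nil {
		return "", false
	}
	var m modulesManifest
	if err := json.Unmarshal(data, &m); err != nil {
		return "", false
	}
	for _, rec := range m.Modules {
		if rec.Key == key {
			return rec.Dir, true
		}
	}
	return "", false
}

// sampleWorkspace is a constructed in-memory copy of the reproduction
// workspace after `terraform init` (root module plus the cached iam_user module).
func sampleWorkspace() fs.FS {
	return fstest.MapFS{
		"main.tf": {Data: []byte("module \"iam_user\" {\n  source = \"terraform-aws-modules/iam/aws//modules/iam-user\"\n}\n")},
		ModulesJSONPath: {Data: []byte(`{"Modules":[
  {"Key":"","Source":"","Dir":"."},
  {"Key":"iam_user","Source":"registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-user",
   "Version":"5.39.0","Dir":".terraform/modules/iam_user/modules/iam-user"}
]}`)},
		".terraform/modules/iam_user/modules/iam-user/main.tf": {Data: []byte("resource \"aws_iam_user\" \"this\" {}\n")},
	}
}

// ResolveWithFilter runs the lookup through the sample workspace filtered by allow.
func ResolveWithFilter(allow func(string) bool) (string, bool) {
	return ResolveModuleDir(filteredFS{inner: sampleWorkspace(), allow: allow}, "iam_user")
}

func main() {
	for _, c := range []struct {
		name  string
		allow func(string) bool
	}{
		{"extension-only filter (bug)", IsTerraformSource},
		{"filter admitting modules.json (fix)", IsTerraformSourceOrCache},
	} {
		if dir, ok := ResolveWithFilter(c.allow); ok {
			fmt.Printf("%-38s iam_user -> local cache %s\n", c.name, dir)
		} else {
			fmt.Printf("%-38s iam_user -> cache not visible, would fetch remotely\n", c.name)
		}
	}
}
```

With the extension-only filter the manifest open fails with `fs.ErrNotExist`, exactly the "file does not exist" the debug log shows, and the resolver has nothing to consult locally; with the corrected predicate the same workspace resolves `iam_user` to `.terraform/modules/iam_user/modules/iam-user` without any network access.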

@nikpivkin nikpivkin added the kind/bug Categorizes issue or PR as related to a bug. label May 2, 2024
@nikpivkin nikpivkin self-assigned this May 2, 2024
@nikpivkin nikpivkin added the scan/misconfiguration Issues relating to misconfiguration scanning label May 2, 2024
@simar7 simar7 added this to the v0.52.0 milestone May 4, 2024