### Description
Discussed in #6552
Originally posted by cawolf, April 24, 2024
When using trivy for our terraform configuration, we ran into an issue regarding the local terraform cache located in `.terraform`. Trivy 0.50.2 seems to ignore the local cache completely, and instead tries to fetch the modules remotely. In our special case, this leads to a subsequent error (we are using the GitLab terraform registry, which is currently not supported by trivy), which makes trivy not runnable for us.
After some debugging, we found that the filesystem used to open the `.terraform/modules/modules.json` file is filtered down to terraform files only (`.tf`, `.tf.json`, `.tfvars`), and thus is never able to open the `modules.json` file. Naively fixing the file `pkg/iac/detection/detect.go:247` to also contain the `modules.json` file fixes the problem locally for us.
### Desired Behavior
The terraform cache in `.terraform` should be used.
### Actual Behavior
The terraform cache in `.terraform` is ignored; the debug log outputs:
```
Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
```
### Reproduction Steps
1. Create a minimal terraform file `main.tf` with e.g. the AWS IAM user module:
```hcl
# main.tf
# example copied from the module documentation
module "iam_user" {
  source = "terraform-aws-modules/iam/aws//modules/iam-user"

  name                    = "vasya.pupkin"
  force_destroy           = true
  pgp_key                 = "keybase:test"
  password_reset_required = false
}
```
2. Run `terraform version`:
```
Terraform v1.8.1
on linux_amd64
```
3. Run `terraform init`:
```
Initializing the backend...
Initializing modules...
Downloading registry.terraform.io/terraform-aws-modules/iam/aws 5.39.0 for iam_user...
- iam_user in .terraform/modules/iam_user/modules/iam-user
Initializing provider plugins...
- Finding hashicorp/aws versions matching ">= 4.0.0"...
- Installing hashicorp/aws v5.46.0...
- Installed hashicorp/aws v5.46.0 (signed by HashiCorp)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
```
4. Run `trivy config .`
### Target
None
### Scanner
Misconfiguration
### Output Format
Table
### Mode
Standalone
### Debug Output
```bash
...
2024-04-24T08:54:59.920+0200 DEBUG [misconf] 54:59.920196191 terraform.parser.<root> Added file main.tf.
2024-04-24T08:54:59.920+0200 DEBUG [misconf] 54:59.920225787 terraform.parser.<root> Evaluating module...
2024-04-24T08:54:59.920+0200 DEBUG [misconf] 54:59.920340745 terraform.parser.<root> Read 1 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-04-24T08:54:59.920+0200 DEBUG [misconf] 54:59.920378577 terraform.parser.<root> Added 5 variables from tfvars.
2024-04-24T08:54:59.920+0200 DEBUG [misconf] 54:59.920406751 terraform.parser.<root> Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-04-24T08:54:59.920+0200 DEBUG [misconf] 54:59.920446767 terraform.parser.<root> Working directory for module evaluation is '/tmp/trivy-modules-json'
...
```
### Operating System
Ubuntu 22.04.4 LTS
### Version
```
Version: 0.50.2
Vulnerability DB:
  Version: 2
  UpdatedAt: 2024-04-23 06:12:13.734267443 +0000 UTC
  NextUpdate: 2024-04-23 12:12:13.734267082 +0000 UTC
  DownloadedAt: 2024-04-23 10:15:27.780912418 +0000 UTC
Policy Bundle:
  Digest: sha256:aa1640957b796d93a0ffc5d91237ee6b7ed9467b8f1825279384d29f91b9e590
  DownloadedAt: 2024-04-23 08:54:28.796570668 +0000 UTC
```
### Checklist
- Run `trivy image --reset`
- Read the troubleshooting
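The filtering problem the reporter describes, shown as an added Go example (this is illustrative code written for this page, not Trivy's own `detect.go` logic and not the reporter's patch). `isTerraformFile` models an extension allowlist limited to `.tf`, `.tf.json` and `.tfvars`, which can never admit `modules.json`; `keepForTerraformScan` is the corrected filter that also passes the module manifest through. `LoadModuleDirs` then reads a manifest shaped like the one `terraform init` writes (the `Modules` / `Key` / `Source` / `Version` / `Dir` layout of Terraform's module manifest, assumed here) so that a scanner can resolve a module key to its cached directory instead of fetching it remotely. The manifest content is constructed to match the reproduction above; all function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Extensions kept by the original extension-only filter (as described in the issue).
var terraformExtensions = []string{".tf", ".tf.json", ".tfvars"}

// Relative path of the module manifest that `terraform init` writes.
const moduleManifest = ".terraform/modules/modules.json"

// isTerraformFile models the original filter: extension allowlist only.
// The manifest never matches, so the local module cache can never be read.
func isTerraformFile(p string) bool {
	for _, ext := range terraformExtensions {
		if strings.HasSuffix(p, ext) {
			return true
		}
	}
	return false
}

// keepForTerraformScan is the corrected filter: the module manifest is
// admitted alongside the Terraform source files.
func keepForTerraformScan(p string) bool {
	return isTerraformFile(p) || path.Clean(p) == moduleManifest
}

// ModuleRecord mirrors one entry of modules.json (assumed manifest layout).
type ModuleRecord struct {
	Key     string `json:"Key"`
	Source  string `json:"Source"`
	Version string `json:"Version,omitempty"`
	Dir     string `json:"Dir"`
}

type manifestFile struct {
	Modules []ModuleRecord `json:"Modules"`
}

// LoadModuleDirs parses a modules.json payload and returns module key -> cached directory.
func LoadModuleDirs(data []byte) (map[string]string, error) {
	var m manifestFile
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("parse module manifest: %w", err)
	}
	dirs := make(map[string]string, len(m.Modules))
	for _, rec := range m.Modules {
		if rec.Key == "" { // the root module has an empty key and Dir "."
			continue
		}
		dirs[rec.Key] = rec.Dir
	}
	return dirs, nil
}

// ResolveModule returns the cached directory for a module key. remote=true
// means the cache has no entry and the module would have to be fetched.
func ResolveModule(dirs map[string]string, key string) (dir string, remote bool) {
	d, ok := dirs[key]
	if !ok {
		return "", true
	}
	return d, false
}

// Constructed sample manifest matching the `terraform init` output in the
// reproduction steps (values illustrative, not copied from a real file).
const sampleManifest = `{
  "Modules": [
    {"Key": "", "Source": "", "Dir": "."},
    {"Key": "iam_user",
     "Source": "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-user",
     "Version": "5.39.0",
     "Dir": ".terraform/modules/iam_user/modules/iam-user"}
  ]
}`

func main() {
	for _, f := range []string{"main.tf", "vars.tfvars", moduleManifest, "README.md"} {
		fmt.Printf("%-36s original=%-5v fixed=%v\n", f, isTerraformFile(f), keepForTerraformScan(f))
	}
	dirs, err := LoadModuleDirs([]byte(sampleManifest))
	if err != nil {
		panic(err)
	}
	dir, remote := ResolveModule(dirs, "iam_user")
	fmt.Printf("iam_user -> %q (remote fetch needed: %v)\n", dir, remote)
}
```

With the original filter the manifest is dropped before the parser ever sees it, which is exactly the `file does not exist` error in the debug log; with the corrected filter the manifest is readable and `iam_user` resolves to its cached directory, so no registry access is needed during the scan.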