Closed simar7 closed 1 month ago
I don't agree that this is a problem. Since we can't evaluate the for-each
expression, we can't be sure if instances of this block exist to make assumptions about its misconfiguration. Terraform considers such a configuration incomplete and requires all variables from the user.
I don't agree that this is a problem. Since we can't evaluate the
for-each
expression, we can't be sure if instances of this block exist to make assumptions about its misconfiguration. Terraform considers such a configuration incomplete and requires all variables from the user.
Hmm you're right, I thought we could support the case where we evaluate what we can (excluding the missing tf-vars for-each). But it seems as you mentioned that terraform deems it to be an invalid configuration so it's probably best that we follow the same.
I do think however, we should show a log output to help the user understand that their input has an issue. Silently dropping looks misleading as it signals we were unable to find any misconfiguration. WDYT?
@simar7 I agree about better logging. There are a couple of other places where the output could be improved.
For example here:
2024-07-04T11:40:15+05:30 DEBUG [misconf] 40:15.433552948 terraform.scanner Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13950371612937561924 505949398 0x794e200} <nil>} {{{0 0} {[] {} 0xc0016760c0} map[vpc.tf:0xc0010d8110] 0}}}) }] at '.'...
I do think however, we should show a log output to help the user understand that their input has an issue. Silently dropping looks misleading as it signals we were unable to find any misconfiguration. WDYT?
I think a tool like Trivy has to prominently fail when there's any issue with the inputs. I just happened across this ticket while refactoring some code which used the remote backend to use the HTTP backend, and suddenly started getting a ton of “CRITICAL” warnings from things like network ACLs which had been in use for years, which was puzzling as builds on our main branches were not reporting any issues. After spending some time bisecting my changes, the key factor appears to be a few places where we were using terraform.workspace
, which I had replaced since the HTTP backend does not support that concept. That apparently caused Trivy silently omit those checks, which I confirmed by modifying a copy of the passing branch to replace terraform.workspace
references with a local.environment
value. Terraform evaluates both of those identically, but with the hardcoded value Trivy evaluated those resources for the first time.
Fortunately they're false-positives but that could potentially have been serious. This was also complicated by the fact that these were managed by the terraform-aws-vpc
module so the errors are indirect and difficult to suppress (I'm working on a separate thread about that).
Hi @acdha ! Could you please provide an example using terraform.workspace
for which no problems were found for further investigation?
Hi @acdha ! Could you please provide an example using
terraform.workspace
for which no problems were found for further investigation?
I'm working on that but it's a large project and since Trivy takes ~70 seconds to scan it the reduction process is taking longer than I'd hoped. I'll update next week.
Discussed in https://github.com/aquasecurity/trivy/discussions/7095