oxsecurity / megalinter

🦙 MegaLinter analyzes 50 languages, 22 formats, 21 tooling formats, excessive copy-pastes, spelling mistakes and security issues in your repository sources with a GitHub Action, other CI tools or locally.
https://megalinter.io
GNU Affero General Public License v3.0

tflint doesn't work in megalinter 7.0.x #2699

Closed ruzickap closed 1 year ago

ruzickap commented 1 year ago

Describe the bug

It looks like tflint doesn't work in megalinter 7.0.x. Details: https://github.com/ruzickap/k8s-tf-eks-gitops/actions/runs/5114199496/jobs/9194202870

❌ Linted [TERRAFORM] files with [tflint]: Found 5 error(s) - (0.37s) (expand for details)
  - Using [tflint v0.46.1] https://megalinter.io/7.0.3/descriptors/terraform_tflint
  - MegaLinter key: [TERRAFORM_TFLINT]
  - Rules config: [.tflint.hcl]
  - Number of files analyzed: [5]
  [Pre][TERRAFORM_TFLINT] run: [tflint --init --config /action/lib/.automation/.tflint.hcl] in cwd [/github/workspace]
  [Pre][TERRAFORM_TFLINT] error:
  Installing `aws` plugin...
  Failed to install a plugin; Failed to fetch GitHub releases: GET https://api.github.com/repos/terraform-linters/tflint-ruleset-aws/releases/tags/v0.17.0: 401 Bad credentials []

  [tflint] terraform/aws-mgmt/data.tf - ERROR - 1 error(s)
  --Error detail:
  WARNING: "tflint FILE/DIR" is deprecated and will error in a future version. Use --chdir or --filter instead.
  Failed to initialize plugins; Plugin `aws` not found. Did you run `tflint --init`?

  [tflint] terraform/aws-mgmt/eks.tf - ERROR - 1 error(s)
  --Error detail:
  WARNING: "tflint FILE/DIR" is deprecated and will error in a future version. Use --chdir or --filter instead.
  Failed to initialize plugins; Plugin `aws` not found. Did you run `tflint --init`?

Megalinter 6.x.x works fine with tflint: https://github.com/ruzickap/k8s-tf-eks-gitops/actions/runs/5112503034/jobs/9190611249

✅ Linted [TERRAFORM] files with [tflint] successfully - (4.78s) (expand for details)
  - Using [tflint v0.45.0] https://megalinter.io/6.22.2/descriptors/terraform_tflint
  - MegaLinter key: [TERRAFORM_TFLINT]
  - Rules config: [.tflint.hcl]
  - Number of files analyzed: [5]
  [Pre][TERRAFORM_TFLINT] run: [tflint --init --config /action/lib/.automation/.tflint.hcl] in cwd [/github/workspace]
  [Pre][TERRAFORM_TFLINT] Installing `aws` plugin...
  Installed `aws` (source: github.com/terraform-linters/tflint-ruleset-aws, version: 0.17.0)

Thanks for checking it...

nvuillam commented 1 year ago

It's because of secured env variables :/

Probably tflint fetches the aws plugin from github.com, and as we hide GITHUB_TOKEN it doesn't like it...

I'll make a fix to allow variables just for one linter!

nvuillam commented 1 year ago

@ruzickap once the PR is merged & the beta generated, you'll be able to define

TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES:
- GITHUB_TOKEN

That way, GITHUB_TOKEN will be hidden in env for all linters, except tflint :)
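
The per-linter exception described in the comment above, sketched as an added example that is not part of the thread and is not MegaLinter's own code: secured variables are stripped from every linter's environment unless that linter's `<LINTER_KEY>_UNSECURED_ENV_VARIABLES` list names them. `SECURED_DEFAULT`, `EXAMPLE_DEPLOY_KEY`, `EXAMPLE_OTHER_LINTER` and all function names are assumptions made for the illustration.

```python
import os
import subprocess
import sys

# Assumption: names hidden from linters by default. Only GITHUB_TOKEN comes from
# the thread; EXAMPLE_DEPLOY_KEY is constructed for this example.
SECURED_DEFAULT = {"GITHUB_TOKEN", "EXAMPLE_DEPLOY_KEY"}


def unsecured_for(linter_key, config):
    """Names one linter may see, read from <LINTER_KEY>_UNSECURED_ENV_VARIABLES."""
    value = config.get(f"{linter_key}_UNSECURED_ENV_VARIABLES", [])
    if isinstance(value, str):
        # Assumption of this example: accept "A,B" as well as a YAML list.
        value = [v.strip() for v in value.split(",") if v.strip()]
    return set(value)


def build_linter_env(linter_key, config, base_env):
    """Copy base_env, dropping secured variables except those explicitly
    unsecured for this one linter."""
    hidden = SECURED_DEFAULT - unsecured_for(linter_key, config)
    return {k: v for k, v in base_env.items() if k not in hidden}


def visible_in_child(name, env):
    """Spawn a child process with env and report whether it can read name."""
    code = "import os, sys; sys.exit(0 if os.environ.get(sys.argv[1]) else 1)"
    result = subprocess.run([sys.executable, "-c", code, name], env=env)
    return result.returncode == 0


if __name__ == "__main__":
    # Constructed sample configuration and environment.
    config = {"TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES": ["GITHUB_TOKEN"]}
    base = dict(os.environ, GITHUB_TOKEN="constructed-token", EXAMPLE_DEPLOY_KEY="k")
    for linter in ("TERRAFORM_TFLINT", "EXAMPLE_OTHER_LINTER"):
        env = build_linter_env(linter, config, base)
        print(linter, "sees GITHUB_TOKEN:", visible_in_child("GITHUB_TOKEN", env))
```

The allow-list is scoped to a single linter key, so the token reaches only the process that needs it for `tflint --init` and stays hidden from every other linter.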

ruzickap commented 1 year ago

Thanks. It is working fine with the beta :-)

Wouldn't it make sense to add a note to the docs/descriptors/terraform_tflint.md that it is recommended to use TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN to make tflint work in "GitHub Actions"?

It may not be clear to end users that you need this "by default"; otherwise tflint may not work...

I know that TERRAFORM_TFLINT_UNSECURED_ENV_VARIABLES is properly documented, but when an end user gets the "tflint Bad credentials error" it may not be clear that the GITHUB_TOKEN needs to be added there.

nvuillam commented 1 year ago

@ruzickap indeed :) Wanna make a PR on the terraform descriptor file, or I'll do it later? :)

ruzickap commented 1 year ago

Let me create the PR :-)