Open abhisek opened 2 weeks ago
The current terraform parser supports parsing .terraform.lock.hcl to extract Terraform Providers. We need to extend it to be able to collect Terraform modules as well.
.terraform.lock.hcl
See following for more details: https://github.com/safedep/vet/blob/main/pkg/parser/terraform.go
Once this support is added, vet should be able to identify a Terraform module using its internal package model. Refer models/models.go.
vet
models/models.go
Handling module is not straight forward because
At present, the dependency lock file tracks only provider dependencies.
https://developer.hashicorp.com/terraform/language/files/dependency-lock
So we have a few options:
.terraform/modules/modules.json
terraform init
.tf
Example module definition:
module "eks" { source = "terraform-aws-modules/eks/aws" version = "20.28.0" }
We are interested only in remote modules i.e. those that do not start with . or .. Read module about module sources at: https://developer.hashicorp.com/terraform/language/modules/sources
.
..
The current terraform parser supports parsing
.terraform.lock.hclto extract Terraform Providers. We need to extend it to be able to collect Terraform modules as well.See following for more details: https://github.com/safedep/vet/blob/main/pkg/parser/terraform.go
Once this support is added,
vetshould be able to identify a Terraform module using its internal package model. Refermodels/models.go.Handling module is not straight forward because
https://developer.hashicorp.com/terraform/language/files/dependency-lock
So we have a few options:
.terraform/modules/modules.jsonwhich seems to be created byterraform initif a TF configuration uses modules.tffiles and look for remote modules. We are already parsing HCL, so parsing.tffor modules should not be a problemExample module definition:
We are interested only in remote modules i.e. those that do not start with
.or..Read module about module sources at: https://developer.hashicorp.com/terraform/language/modules/sources