tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

error: failed to fetch latest version for terraform provider with v1.17.1 #1512

Open hajapy opened 1 year ago

hajapy commented 1 year ago

Description

I recently updated super-linter to 4.10.0, which has picked up terrascan 1.17.1. In its output I started to see the error:

error   commons/terraform-provider.go:112       failed to fetch latest version for terraform provider, error: error preparing the providers list endpoint, error: hostname can't be empty

which wasn't appearing in super-linter 4.9.7, using terrascan 1.15.2. I traced this back to https://github.com/tenable/terrascan/blob/e4a4aec1776049cdede0457fa91a8e88be8e3499/pkg/iac-providers/terraform/commons/terraform-provider.go#L112 which was added in 1.17.1. I am not sure if this error is innocuous or could be problematic as the scan does appear to proceed and complete despite its appearance.

What I Did

I can reproduce this in a minimal example. Put these two files in a folder:

❯ cat main.tf
terraform {
  required_version = ">= 1.0, < 2.0.0"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.15.1, < 5.0.0"
    }
  }
}

provider "aws" {
}
❯ cat resources.tf
resource "aws_ssm_parameter" "example" {
  name  = "/example/param"
  value = "example"
}

Now run:

❯ docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan:1.17.1 scan -i terraform -f resources.tf

and see output:

2023-01-13T17:18:25.896Z    error   commons/terraform-provider.go:112   failed to fetch latest version for terraform provider, error: error preparing the providers list endpoint, error: hostname can't be empty

Scan Summary -

    File/Folder         :   /iac/resources.tf
    IaC Type            :   terraform
    Scanned At          :   2023-01-13 17:18:32.931563921 +0000 UTC
    Policies Validated  :   0
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0

In 1.17.0, this error doesn't appear:

❯ docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan:1.17.0 scan -i terraform -f resources.tf

Scan Summary -

    File/Folder         :   /iac/resources.tf
    IaC Type            :   terraform
    Scanned At          :   2023-01-13 17:22:50.002319846 +0000 UTC
    Policies Validated  :   0
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0

In 1.17.1, if I omit the -f flag giving it the individual file that lacks a terraform provider block, there is no problem. I think super-linter runs file-by-file so I believe that could be the reason the required provider cannot be seen when scanning the resources.tf file.
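Added example, not part of the original report and not terrascan's own code: the report observes that the scan completes and prints a summary even though an error was logged, so a CI step that reads only the summary would not notice it. This sketch parses console output in the layout quoted above and treats a run as clean only when a summary is present and no error-level line was logged; `parse_scan_output`, `assess_run` and the gating rule are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the 1.17.1 console output quoted in the issue.
SAMPLE_1_17_1 = """\
2023-01-13T17:18:25.896Z    error   commons/terraform-provider.go:112   failed to fetch latest version for terraform provider, error: error preparing the providers list endpoint, error: hostname can't be empty

Scan Summary -

    File/Folder         :   /iac/resources.tf
    IaC Type            :   terraform
    Policies Validated  :   0
    Violated Policies   :   0
"""

# Optional timestamp, level, source file:line, message (layout as shown in the issue).
LOG_LINE = re.compile(r"^(?:\S+\s+)?(error|warn|info|debug)\s+(\S+?):(\d+)\s+(.*)$")
SUMMARY_FIELD = re.compile(r"^\s+([A-Za-z/ ]+?)\s*:\s+(.*)$")


def parse_scan_output(text):
    """Split terrascan console output into log records and summary fields."""
    records, summary, in_summary = [], {}, False
    for line in text.splitlines():
        if line.startswith("Scan Summary"):
            in_summary = True
            continue
        log = LOG_LINE.match(line)
        if log:
            level, source, lineno, message = log.groups()
            records.append({"level": level, "source": source,
                            "line": int(lineno), "message": message})
        elif in_summary:
            field = SUMMARY_FIELD.match(line)
            if field:
                summary[field.group(1)] = field.group(2).strip()
    return records, summary


def assess_run(text):
    """Hypothetical CI gate: clean only if a summary exists and no error was logged."""
    records, summary = parse_scan_output(text)
    errors = [r for r in records if r["level"] == "error"]
    return {
        "errors": errors,
        "policies_validated": int(summary.get("Policies Validated", -1)),
        "violations": int(summary.get("Violated Policies", -1)),
        "clean": bool(summary) and not errors,
    }


if __name__ == "__main__":
    print(assess_run(SAMPLE_1_17_1))
```

A value of `-1` for either count means the field was missing from the output, which the gate also treats as not clean when no summary was printed at all.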

ejether commented 1 year ago

I'm experiencing this as well!

Jenkins2739 commented 1 year ago

Got this annoying problem too. Does anyone have a solution to work around this issue using the super linter? Thanks in advance.

ejether commented 1 year ago

Nothing yet on my end. We've just reverted and told dependabot to ignore this dependency.

Jenkins2739 commented 1 year ago

Any idea on how to suspend this provider check using super-linter, or use any config file to do so? I'd like to keep the latest version of terrascan, actually. Thanks in advance to anyone having an idea.

ejether commented 1 year ago

@Jenkins2739 this is probably what you're looking for.

dark-vex commented 8 months ago

I had the same problem. I have tested with the terrascan 1.18.1 image and it seems to be resolved (I've used the example pasted above):

 ➜ docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan:1.18.11 scan -i terraform -f resources.tf
2023/12/27 21:10:00 [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/aws/versions

Scan Summary -

    File/Folder         :   /iac/resources.tf
    IaC Type            :   terraform
    Scanned At          :   2023-12-27 21:10:02.581214144 +0000 UTC
    Policies Validated  :   0
    Violated Policies   :   0
    Low                 :   0
    Medium              :   0
    High                :   0