tenable / terrascan

Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure.
https://runterrascan.io
Apache License 2.0

Possibility to use with Terragrunt? #251

Open aodj opened 4 years ago

aodj commented 4 years ago

I'm currently exploring available Terraform static analysis tools, and stumbled across Terrascan and was wondering if it could be used against a code base that's using Terragrunt and remote backends.

Our Terraform code is organised in the suggested module layout:

terraform/
├── README.md
├── gcp/
│   ├── README.md
│   ├── backend.tf
│   ├── main.tf
│   ├── outputs.tf
│   ├── providers.tf
│   ├── variables.tf
│   ├── modules/
│   │   ├── database/
│   │   │   ├── main.tf
│   │   │   ├── outputs.tf
│   │   │   └── variables.tf
...

But when directing terrascan at the folder I get an IndexError: string index out of range exception.

Has anyone run Terrascan this way?

aodj commented 4 years ago

I see that only AWS resources are supported, and even though my TF code is for GCP, my original question is still valid.

cesar-rodriguez commented 4 years ago

Hi @aodj,

You should be able to scan that directory structure if you run terrascan on your terraform directory like this:

terrascan -l .

davidjeddy commented 4 years ago

I am using AWS and Terragrunt; would like to leverage terrascan.

ismailyenigul commented 3 years ago

Hi @davidjeddy @aodj, if terrascan supports the terraform plan file in JSON, it will work for terragrunt too. Please comment/vote for #407 :)

tx-kstav commented 3 years ago

I would also like to be able to use terrascan with terragrunt.

suckowbiz commented 3 years ago

Today I was evaluating terrascan to verify if it adds value to our Terraform project. We do use Terragrunt to stay DRY.

Unfortunately I get a bunch of unhandled errors when running terrascan out of the box:

# docker run -it -v $PWD:/local --entrypoint /usr/bin/env accurics/terrascan:latest sh
/ $ cd /local/terraform
/local/terraform $ /go/bin/terrascan scan
2021-03-09T14:02:21.045Z        error   opa/engine.go:82        failed to load rego file{file 15 0 /home/terrascan/.terrascan/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDisabled.rego <nil>} {error 26 0  open /home/terrascan/.terrascan/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDisabled.rego: no such file or directory}
2021-03-09T14:02:35.822Z        error   commons/load-dir.go:121 failed to build unified config. errors:
<nil>: Failed to read module directory; Module directory /tmp/20k3rh/modules/generator/modules/budget does not exist or cannot be read., and 11 other diagnostic(s)

2021-03-09T14:02:35.844Z        error   cli/run.go:110  scan run failed{error 26 0  failed to build terraform allResourcesConfig}

I guess terrascan just does not support terragrunt.

suckowbiz commented 3 years ago

I figured out how to use terrascan together with terragrunt. Thanks for the hint @ismailyenigul !

You can run it like this:

terragrunt plan -out plan.tfplan
terragrunt show -json plan.tfplan > plan.json
terrascan scan --iac-type tfplan --iac-file plan.json

kanchwala-yusuf commented 3 years ago

Thanks for the hint @ismailyenigul, and thanks for trying it out @suckowbiz.

Do keep us posted on how you use terrascan with terragrunt!

amirbenv commented 3 years ago

Hi, Terrascan has supported tfplan scanning for a few months now. Using a tfplan scan, one can use terrascan with terragrunt. Can this ticket be closed? @aodj

suckowbiz commented 3 years ago

From my point of view using Terrascan with a Terragrunt project could improve on some drawbacks that come up when scanning just a tfplan file:

amirbenv commented 3 years ago

Thanks for your feedback @suckowbiz! This helps us prioritize.

RootMePLS commented 1 year ago

Any news here?

jbrule commented 1 year ago

We have a team using Terragrunt too. I've been trying out the tfplan solution. I don't see why one couldn't map back to the line number of the resource.values as present in the tfplan file when displaying the test output. Helps narrow down the culprit somewhat.
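A worked version of the two ideas in this thread, the plan-file pipeline from suckowbiz's comment (terragrunt plan, terragrunt show -json, terrascan scan --iac-type tfplan) and jbrule's suggestion of mapping each violation back to the line in plan.json where the offending resource address is declared. This is an added example, not code from terrascan or terragrunt. It assumes that terrascan's `-o json` report carries a `results.violations` list whose entries have `resource_type` and `resource_name` fields (assumed from memory of terrascan's JSON output, so treat the field names as an assumption), and the sample plan.json text and sample report embedded in the block are constructed for illustration.

```python
"""Run terragrunt -> plan.json -> terrascan, then annotate each violation with
the plan.json line(s) where the flagged resource address appears.

Added example, not part of terrascan or terragrunt. Assumptions are marked.
"""
import json
import shutil
import subprocess
from pathlib import Path


def run_pipeline(workdir: Path) -> dict:
    """Run the three commands from the thread in `workdir` and return
    terrascan's JSON report. The report shape consumed by annotate_report()
    (results.violations with resource_type/resource_name) is an assumption."""
    for tool in ("terragrunt", "terrascan"):
        if shutil.which(tool) is None:
            raise RuntimeError(f"{tool} not found on PATH")
    subprocess.run(["terragrunt", "plan", "-out", "plan.tfplan"],
                   cwd=workdir, check=True)
    shown = subprocess.run(["terragrunt", "show", "-json", "plan.tfplan"],
                           cwd=workdir, check=True, capture_output=True, text=True)
    (workdir / "plan.json").write_text(shown.stdout)
    # terrascan exits non-zero when it finds violations, so no check=True here.
    scan = subprocess.run(["terrascan", "scan", "--iac-type", "tfplan",
                           "--iac-file", "plan.json", "-o", "json"],
                          cwd=workdir, capture_output=True, text=True)
    return json.loads(scan.stdout)


def locate_in_plan(plan_text: str, resource_type: str, resource_name: str):
    """Return (line_number, address) pairs for every "address" entry in the
    plan.json text that names the given resource, including module-nested
    addresses such as module.db.<type>.<name>. The scan is line-based on
    purpose: json.loads() would discard the line numbers a reader wants."""
    wanted = f"{resource_type}.{resource_name}"
    hits = []
    for lineno, line in enumerate(plan_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped.startswith('"address":'):
            continue
        try:
            address = json.loads("{" + stripped.rstrip(",") + "}")["address"]
        except ValueError:
            continue  # not a simple one-line key/value; skip it
        # Resource attributes can also be called "address" (e.g. a null
        # database endpoint); only string values are plan addresses.
        if not isinstance(address, str):
            continue
        if address == wanted or address.endswith("." + wanted):
            hits.append((lineno, address))
    return hits


def annotate_report(report: dict, plan_text: str) -> list:
    """Attach plan.json line numbers to each violation in a terrascan report
    (assumed shape: report["results"]["violations"])."""
    annotated = []
    for v in report.get("results", {}).get("violations", []) or []:
        hits = locate_in_plan(plan_text, v["resource_type"], v["resource_name"])
        annotated.append({
            "rule": v.get("rule_name"),
            "severity": v.get("severity"),
            "resource": f'{v["resource_type"]}.{v["resource_name"]}',
            "plan_lines": [lineno for lineno, _ in hits],
        })
    return annotated


# Constructed plan.json excerpt (terraform show -json layout), not real output.
SAMPLE_PLAN_JSON = """{
  "format_version": "0.1",
  "planned_values": {
    "root_module": {
      "resources": [
        {
          "address": "aws_s3_bucket.logs",
          "mode": "managed",
          "type": "aws_s3_bucket",
          "name": "logs",
          "values": {"bucket": "example-logs", "acl": "public-read"}
        }
      ],
      "child_modules": [
        {
          "address": "module.db",
          "resources": [
            {
              "address": "module.db.aws_db_instance.main",
              "mode": "managed",
              "type": "aws_db_instance",
              "name": "main",
              "values": {
                "address": null,
                "storage_encrypted": false
              }
            }
          ]
        }
      ]
    }
  }
}
"""

# Constructed terrascan-style report; rule names are placeholders.
SAMPLE_REPORT = {"results": {"violations": [
    {"rule_name": "example_rule_public_read", "severity": "HIGH",
     "resource_type": "aws_s3_bucket", "resource_name": "logs",
     "file": "plan.json", "line": 1},
    {"rule_name": "example_rule_storage_encrypted", "severity": "MEDIUM",
     "resource_type": "aws_db_instance", "resource_name": "main",
     "file": "plan.json", "line": 1},
]}}

if __name__ == "__main__":
    for row in annotate_report(SAMPLE_REPORT, SAMPLE_PLAN_JSON):
        print(row)
```

Against a real project, call run_pipeline(Path("terraform/gcp")) and pass its return value together with the written plan.json text to annotate_report(); the line-based lookup deliberately reports every matching "address" line, so a resource that appears in both planned_values and resource_changes yields two line numbers.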

thisurawijesekera commented 1 month ago

Much-needed feature.