terrascan
Terraform scan: Unsupported block type; Blocks of type "moved" are not expected here.
- terrascan version: v1.15.0
- Operating System: Ubuntu 20.04
- Terraform used for processing HCL templates: 1.1.5
Description
I am facing an issue similar to the one described here: https://github.com/tenable/terrascan/issues/1182
It is supposed to be solved by: https://github.com/tenable/terrascan/pull/1211
But I am using the latest version of terrascan, containing the indicated FIX and the problem still exists.
Scan Errors -
IaC Type : terraform
Directory : /infra
Error Message : failed to build unified config. errors:
/main.tf:1,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
/main.tf:23,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
Example Terraform block causing the issue:
moved {
  from = azurerm_log_analytics_solution.default
  to   = azurerm_log_analytics_solution.default[0]
}
This is blocking me from using terrascan as there is no way to skip the terraform moved block check.
What I Did
cd infra && terrascan init && terrascan scan -i terraform -t azure
Confirming the same with AWS modules also:
- terrascan version: v1.17.0
- Operating System: running locally under macOS but having the same issue in CI Alpine-based containers
> terrascan scan --non-recursive -i terraform -d my_module/
2022-11-29T09:29:32.503-0700 warn commons/load-dir.go:297 failed to build unified config. errors:
/var/folders/rd/mzyhs84d0mj33vsvfwf7ttj40000gn/T/mv9zfi/migrations.tf:5,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
/var/folders/rd/mzyhs84d0mj33vsvfwf7ttj40000gn/T/mv9zfi/migrations.tf:10,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
/var/folders/rd/mzyhs84d0mj33vsvfwf7ttj40000gn/T/mv9zfi/migrations.tf:15,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
/var/folders/rd/mzyhs84d0mj33vsvfwf7ttj40000gn/T/mv9zfi/migrations.tf:20,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
2022-11-29T09:29:32.553-0700 error cli/run.go:138 scan run failed{error 26 0 1 error occurred:
* failed to build terraform allResourcesConfig
}
The worst part (for us) is that it's not even caused by our code but by a module we use for the AWS backend - https://registry.terraform.io/modules/nozaq/remote-state-s3-backend/aws/latest, which does have the following:
moved {
  from = aws_kms_key.replica
  to   = aws_kms_key.replica[0]
}
...
https://github.com/nozaq/terraform-aws-remote-state-s3-backend/blob/main/migrations.tf
Seeing the same behavior with 1.17.1 on Ubuntu 22.04.1 LTS.
Upon deeper investigation, it seems the Go package github.com/hashicorp/terraform v0.15.3 is trailing behind and hasn't been updated due to the fact that its dependencies have been made internal in the newer versions (as shown in this commit).
One possible workaround could be to fork github.com/hashicorp/terraform and maintain an up-to-date version where these packages are externalized, allowing them to be used by other projects.
At the moment, this issue renders terrascan somewhat ineffective for scanning Terraform modules, particularly considering that the "moved" block type, which is not supported and breaking, is generally considered best practice for migrations.
Similar issue here using Terrascan v1.18.5 on Ubuntu 20.04 LTS.
$ terraform version
Terraform v1.6.5
on linux_amd64
$ terrascan version
version: v1.18.5
$ terrascan scan -i terraform -f resources-codepipeline/s3.tf
2023-12-06T10:47:13.043Z error cli/run.go:141 scan run failed{error 26 0 failed to load iac file 'resources-codepipeline/s3.tf'. error:
resources-codepipeline/s3.tf:49,1-6: Unsupported block type; Blocks of type "moved" are not expected here.
}
Example Terraform code causing the issue:
moved {
  from = aws_s3_bucket_acl.codepipeline_bucket_acl
  to   = aws_s3_bucket_acl.codepipeline_bucket
}
This is blocking me from using Terrascan as there is no way to skip the Terraform moved block check.
+1 this issue is a blocker. Duplicate: https://github.com/tenable/terrascan/issues/1615
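For the reports above that there is no way to skip the `moved` block check, one possible workaround is to scan a sanitized copy of the directory. This is an added example, not code from the terrascan project or from any commenter. It assumes that blanking `moved` blocks is acceptable for scanning because they only record address renames and declare no resources; the helper names `strip_moved_blocks` and `sanitized_copy` are hypothetical, and block comments or heredocs with unbalanced braces are not handled.

```python
import re
import shutil
import tempfile
from pathlib import Path

MOVED_OPEN = re.compile(r"^\s*moved\s*\{")
# Quoted strings and line comments are dropped before braces are counted.
NOISE = re.compile(r'"(?:\\.|[^"\\])*"|#.*|//.*')

def strip_moved_blocks(text):
    """Blank out top-level `moved` blocks; return (new_text, blocks_removed)."""
    out, depth, in_moved, removed = [], 0, False, 0
    for line in text.splitlines():
        if not in_moved and depth == 0 and MOVED_OPEN.match(line):
            in_moved, removed = True, removed + 1
        code = NOISE.sub("", line)
        depth += code.count("{") - code.count("}")
        # Blank lines keep the line count, so findings still map to source lines.
        out.append("" if in_moved else line)
        if in_moved and depth == 0:
            in_moved = False
    return "\n".join(out) + "\n", removed

def sanitized_copy(src_dir):
    """Copy src_dir to a temp dir and blank `moved` blocks in every .tf file."""
    dst = Path(tempfile.mkdtemp(prefix="tfscan-")) / "src"
    shutil.copytree(src_dir, dst, ignore=shutil.ignore_patterns(".terraform", ".git"))
    total = 0
    for tf in dst.rglob("*.tf"):
        new_text, n = strip_moved_blocks(tf.read_text())
        if n:
            tf.write_text(new_text)
            total += n
    return dst, total  # then: terrascan scan -i terraform -d <dst>

# Constructed sample built around the block quoted in the first report.
SAMPLE = """\
moved {
  from = azurerm_log_analytics_solution.default
  to   = azurerm_log_analytics_solution.default[0]
}

resource "azurerm_log_analytics_solution" "default" {
  count = 1
}
"""

if __name__ == "__main__":
    cleaned, count = strip_moved_blocks(SAMPLE)
    print(f"removed {count} moved block(s)")
```

This only rewrites files inside the copied directory; a `moved` block inside a remotely sourced module, as in the `migrations.tf` report above, is not reached by it.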