terrascan
terrascan copied to clipboard
tenable
error: failed to fetch latest version for terraform provider with v1.17.1
- terrascan version: 1.17.1
- Operating System: alpine 3.16.3
Description
I recently updated super-linter to 4.10.0, which has picked up terrascan 1.17.1. In its output I started to see the error:
error commons/terraform-provider.go:112 failed to fetch latest version for terraform provider, error: error preparing the providers list endpoint, error: hostname can't be empty
which wasn't appearing in super-linter 4.9.7, using terrascan 1.15.2. I traced this back to https://github.com/tenable/terrascan/blob/e4a4aec1776049cdede0457fa91a8e88be8e3499/pkg/iac-providers/terraform/commons/terraform-provider.go#L112 which was added in 1.17.1. I am not sure if this error is innocuous or could be problematic as the scan does appear to proceed and complete despite its appearance.
What I Did
I can reproduce this in a minimal example. Put these two files in a folder
❯ cat main.tf
terraform {
required_version = ">= 1.0, < 2.0.0"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.15.1, < 5.0.0"
}
}
}
provider "aws" {
}
❯ cat resources.tf
resource "aws_ssm_parameter" "example" {
name = "/example/param"
value = "example"
}
Now run:
❯ docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan:1.17.1 scan -i terraform -f resources.tf
and see output:
2023-01-13T17:18:25.896Z error commons/terraform-provider.go:112 failed to fetch latest version for terraform provider, error: error preparing the providers list endpoint, error: hostname can't be empty
Scan Summary -
File/Folder : /iac/resources.tf
IaC Type : terraform
Scanned At : 2023-01-13 17:18:32.931563921 +0000 UTC
Policies Validated : 0
Violated Policies : 0
Low : 0
Medium : 0
High : 0
In 1.17.0, this error doesn't appear:
❯ docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan:1.17.0 scan -i terraform -f resources.tf
Scan Summary -
File/Folder : /iac/resources.tf
IaC Type : terraform
Scanned At : 2023-01-13 17:22:50.002319846 +0000 UTC
Policies Validated : 0
Violated Policies : 0
Low : 0
Medium : 0
High : 0
In 1.17.1, if I omit the -f flag giving it the individual file that lacks a terraform provider block, there is no problem. I think super-linter runs file-by-file so I believe that could be the reason the required provider cannot be seen when scanning the resources.tf file.
Got this annoying problem too. Does anyone have a solution to workaround this issue using the super linter ? Thanks in advance.
Nothing yet on my end. We've just reverted and told dependabot to ignore this dependency.
An idea on how to suspend this provider check using super-linter or use any config file to do so? I'd like to keep the latest version of terrascan actually. Thanks in advance for anyone having an idea
I had the same problem, I have tested with terrascan 1.18.1 image and it seems is resolved (I've used the example pasted above):
➜ docker run --rm -it -v "$(pwd):/iac" -w /iac tenable/terrascan:1.18.11 scan -i terraform -f resources.tf
2023/12/27 21:10:00 [DEBUG] GET https://registry.terraform.io/v1/providers/hashicorp/aws/versions
Scan Summary -
File/Folder : /iac/resources.tf
IaC Type : terraform
Scanned At : 2023-12-27 21:10:02.581214144 +0000 UTC
Policies Validated : 0
Violated Policies : 0
Low : 0
Medium : 0
High : 0
