
Possibility to use with Terragrunt?

Open aodj opened this issue 4 years ago • 14 comments

I'm currently exploring available Terraform static analysis tools, and stumbled across Terrascan and was wondering if it could be used against a code base that's using Terragrunt and remote backends.

Our Terraform code is organised in the suggested module layout:

terraform/
├── README.md
├── gcp/
│   ├── README.md
│   ├── backend.tf
│   ├── main.tf
│   ├── outputs.tf
│   ├── providers.tf
│   ├── variables.tf
│   ├── modules/
│   │   ├── database/
│   │   │   ├── main.tf
│   │   │   ├── outputs.tf
│   │   │   └── variables.tf
...

But when directing terrascan at the folder I get an IndexError: string index out of range exception.

Has anyone run Terrascan this way?

aodj avatar Jun 25 '20 10:06 aodj

I see that only AWS resources are supported, and even though my TF code is for GCP, my original question is still valid.

aodj avatar Jun 25 '20 10:06 aodj

Hi @aodj,

You should be able to scan that directory structure if you run terrascan on your terraform directory like this:

terrascan -l .

cesar-rodriguez avatar Jun 25 '20 20:06 cesar-rodriguez

I am using AWS and Terragrunt; would like to leverage terrascan.

davidjeddy avatar Aug 16 '20 18:08 davidjeddy

Hi @davidjeddy @aodj If terrascan supports terraform plan file in json, it will work for terragrunt too. Please comment/vote for #407 :)

ismailyenigul avatar Jan 19 '21 16:01 ismailyenigul

I would also like to be able to use terrascan with terragrunt.

tx-kstav avatar Jan 29 '21 09:01 tx-kstav

Today I was evaluating terrascan to verify if it adds value to our Terraform project. We do use Terragrunt to stay DRY.

Unfortunately I get a bunch of unhandled errors when running terrascan out of the box:

# docker run -it -v $PWD:/local --entrypoint /usr/bin/env accurics/terrascan:latest sh
/ $ cd /local/terraform
/local/terraform $ /go/bin/terrascan scan
2021-03-09T14:02:21.045Z        error   opa/engine.go:82        failed to load rego file{file 15 0 /home/terrascan/.terrascan/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDisabled.rego <nil>} {error 26 0  open /home/terrascan/.terrascan/pkg/policies/opa/rego/aws/aws_kms_key/kmsKeyNoDisabled.rego: no such file or directory}
2021-03-09T14:02:35.822Z        error   commons/load-dir.go:121 failed to build unified config. errors:
<nil>: Failed to read module directory; Module directory /tmp/20k3rh/modules/generator/modules/budget does not exist or cannot be read., and 11 other diagnostic(s)

2021-03-09T14:02:35.844Z        error   cli/run.go:110  scan run failed{error 26 0  failed to build terraform allResourcesConfig}

I guess terrascan just does not support terragrunt.

suckowbiz avatar Mar 09 '21 14:03 suckowbiz

I figured out how to use terrascan together with terragrunt. Thanks for the hint @ismailyenigul !

You can run it like this:

terragrunt plan -out plan.tfplan
terragrunt show -json plan.tfplan > plan.json
terrascan scan --iac-type tfplan --iac-file plan.json

suckowbiz avatar Mar 10 '21 14:03 suckowbiz

Thanks for the hint @ismailyenigul , Thanks for trying out @suckowbiz.

Do keep us posted on how you use terrascan with terragrunt!

kanchwala-yusuf avatar Mar 10 '21 14:03 kanchwala-yusuf

Hi, Terrascan has supported tfplan scanning for a few months now. Using a tfplan scan, one can use terrascan with terragrunt. Can this ticket be closed? @aodj

amirbenv avatar May 06 '21 22:05 amirbenv

From my point of view using Terrascan with a Terragrunt project could improve on some drawbacks that come up when scanning just a tfplan file:

  • Terrascan cannot report a line number because the plan file is just the diff of current changes
  • policy violations of previous, already staged, changes are not covered when scanning a plan file because the plan file contains just the upcoming changes
  • there might be uncovered policy violations with the overall Terraform/Terragrunt configuration etc that cannot be considered when scanning a plan file
  • (one needs the additional steps of producing a plan file and "translating" it into JSON)

suckowbiz avatar May 07 '21 06:05 suckowbiz

Thanks for your feedback @suckowbiz! This helps us prioritize.

amirbenv avatar May 07 '21 17:05 amirbenv

any news here?

RootMePLS avatar Jan 07 '23 22:01 RootMePLS

We have a team using Terragrunt too. I've been trying out the tfplan solution. I don't see why one couldn't map back to the line number of the resource.values as present in the tfplan file when displaying the test output. Helps narrow down the culprit somewhat.

jbrule avatar Apr 28 '23 21:04 jbrule
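The mapping jbrule describes, resolving each resource address in the plan JSON back to the `resource` block that declares it so a tfplan finding can be reported with a file and line, as an added example that is not terrascan's or terragrunt's own code. It assumes the module layout from the issue (a `module.<name>` segment lives in `modules/<name>/` under its parent) and uses a constructed plan and constructed .tf sources.

```python
import json
import posixpath
import re
# Constructed sample plan, shaped like `terragrunt show -json plan.tfplan` output
# from the thread; only the keys this example reads are included.
PLAN_JSON = json.dumps({"planned_values": {"root_module": {
    "resources": [{"address": "google_storage_bucket.logs",
                   "type": "google_storage_bucket", "name": "logs"}],
    "child_modules": [{"address": "module.database", "resources": [
        {"address": "module.database.google_sql_database_instance.main",
         "type": "google_sql_database_instance", "name": "main"}]}]}}})
# Constructed .tf sources keyed by path, following the layout in the issue:
# root module in gcp/, child modules under gcp/modules/<name>/.
TF_SOURCES = {
    "gcp/main.tf": 'module "database" {\n  source = "./modules/database"\n}\n\n'
                   'resource "google_storage_bucket" "logs" {\n  name = "logs"\n}\n',
    "gcp/modules/database/main.tf":
        'resource "google_sql_database_instance" "main" {\n  name = "db"\n}\n',
}

def iter_resources(module):
    """Walk a plan module tree depth first, yielding every resource entry."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def locate(resource, root, sources):
    """Return (path, line) of the `resource "<type>" "<name>"` block, or None."""
    # Drop count/for_each index keys such as [0] or ["a"] before splitting.
    parts = re.sub(r"\[[^\]]*\]", "", resource["address"]).split(".")
    directory, i = root, 0
    # Assumption: each `module.<name>` segment lives in modules/<name>/ under its parent.
    while i + 1 < len(parts) and parts[i] == "module":
        directory = f"{directory}/modules/{parts[i + 1]}"
        i += 2
    block = re.compile(r'^\s*resource\s+"%s"\s+"%s"\s*\{'
                       % (re.escape(resource["type"]), re.escape(resource["name"])))
    for path, text in sources.items():
        if posixpath.dirname(path) != directory or not path.endswith(".tf"):
            continue
        for lineno, line in enumerate(text.splitlines(), start=1):
            if block.match(line):
                return path, lineno
    return None

def locate_all(plan_json, root, sources):
    """Map every planned resource address to its declaring file and line."""
    root_module = json.loads(plan_json)["planned_values"]["root_module"]
    return {r["address"]: locate(r, root, sources) for r in iter_resources(root_module)}
```

Resources whose declaration cannot be found (for example a module source that is not under `modules/`) map to `None`, so the caller can fall back to reporting the address alone.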

Much needed feature

thisurawijesekera avatar Jul 22 '24 16:07 thisurawijesekera