Add Support for Terraform Modules in Terraform Parser #271

Open
abhisek opened this issue Nov 8, 2024 · 6 comments

abhisek commented Nov 8, 2024

The current terraform parser supports parsing .terraform.lock.hcl to extract Terraform Providers. We need to extend it to be able to collect Terraform modules as well.

See the following for more details:
https://github.com/safedep/vet/blob/main/pkg/parser/terraform.go

Once this support is added, vet should be able to identify a Terraform module using its internal package model. Refer models/models.go.

Handling modules is not straightforward because:

At present, the dependency lock file tracks only provider dependencies.

https://developer.hashicorp.com/terraform/language/files/dependency-lock

So we have a few options:

  • Leverage .terraform/modules/modules.json, which seems to be created by terraform init if a TF configuration uses modules
  • Parse .tf files and look for remote modules. We are already parsing HCL, so parsing .tf for modules should not be a problem

Example module definition:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.28.0"
}

We are interested only in remote modules, i.e. those whose source does not start with . or ..
Read more about module sources at: https://developer.hashicorp.com/terraform/language/modules/sources

@hanshal101

Would like to work on this!

abhisek commented Jan 17, 2025

Hey @hanshal101, thanks for your interest. Let me know what you need from me to get started.

@abhisek abhisek added enhancement New feature or request community Community contributions labels Jan 17, 2025
@hanshal101

Yeah, sure!

@hanshal101

Just want to make sure I am on the right path.

  • This is my main.tf:

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
    }
  }

  required_version = ">= 1.0"
}

provider "aws" {
  region = "us-east-1"
}

  • This is the .terraform.lock.hcl file generated after the init command:

# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/hashicorp/aws" {
  version = "5.84.0"
  hashes = [
    "h1:dwpeFUdcxgXVAc0JSqO57xf0/r2qOBLPloombCQWFz8=",
    "zh:078f77438aba6ec8bf9154b7d223e5c71c48d805d6cd3bcf9db0cc1e82668ac3",
    "zh:1f6591ff96be00501e71b792ed3a5a14b21ff03afec9a1c4a3fd9300e6e5b674",
    "zh:2ab694e022e81dd74485351c5836148a842ed71cf640664c9d871cb517b09602",
    "zh:33c8ccb6e3dc496e828a7572dd981366c6271075c1189f249b9b5236361d7eff",
    "zh:6f31068ebad1d627e421c72ccdaafe678c53600ca73714e977bf45ff43ae5d17",
    "zh:7488623dccfb639347cae66f9001d39cf06b92e8081975235a1ac3a0ac3f44aa",
    "zh:7f042b78b9690a8725c95b91a70fc8e264011b836605bcc342ac297b9ea3937d",
    "zh:88b56ac6c7209dc0a775b79975a371918f3aed8f015c37d5899f31deff37c61a",
    "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425",
    "zh:a1979ba840d704af0932f8de5f541cbb4caa9b6bbd25ed552a24e6772175ba07",
    "zh:b058c0533dae580e69d1adbc1f69e6a80632374abfc10e8634d06187a108e87b",
    "zh:c88610af9cf957f8dcf4382e0c9ca566ef10e3290f5de01d4d90b2d81b078aa8",
    "zh:e9562c055a2247d0c287772b55abef468c79f8d66a74780fe1c5e5dae1a284a9",
    "zh:f7a7c71d28441d925a25c08c4485c015b2d9f0338bc9707443e91ff8e161d3d9",
    "zh:fee533e81976d0900aa6fa443dc54ef171cbd901847f28a6e8edb1d161fa6fde",
  ]
}

  • This is the output I got from vet scan -M .terraform.lock.hcl --type terraform:

    [screenshot of the scan output, not reproduced here]

So is this what vet does for Terraform? Can you please explain in detail what it actually does?
What are its use cases, etc.?

Thank You.

abhisek commented Jan 20, 2025

@hanshal101, try running: vet scan -M .terraform.lock.hcl --filter='true'

You will see that vet can identify the Terraform providers and list them. We are still working on identifying risks in Terraform providers, hence you don't see any risky provider yet.

The .terraform.lock.hcl file, however, only contains providers and not modules.

https://developer.hashicorp.com/terraform/language/files/dependency-lock

If you refer to the official docs, you will see:

At present, the dependency lock file tracks only provider dependencies.

Hence, you need to actually parse the .tf files and identify the module blocks. We are already parsing .tf files. See here for an example: https://github.com/safedep/vet/blob/main/pkg/parser/terraform.go

You can probably write another parser called terraform_module.go which parses given .tf files and identifies the source and version of a module definition such as:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.28.0"
}
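The approach described in this comment and in the issue description (scan .tf files for module blocks, keep only remote sources, record source and version), as an added Go example that is not part of the vet code base: it uses a regular expression in place of the project's HCL parser (an assumed simplification for illustration), adds a Pinned check that a supply-chain scanner would want because an unpinned remote module can change between runs, and the sample configuration is constructed.

```go
package main

import (
	"regexp"
	"strings"
)

// TerraformModule holds what a dependency scanner needs from a module block.
type TerraformModule struct{ Name, Source, Version string }
// Regex scan standing in for the project's HCL parser (a simplification for this example).
var moduleBlockRe = regexp.MustCompile(`(?ms)^\s*module\s+"([^"]+)"\s*\{(.*?)^\s*\}`)
var attrRe = regexp.MustCompile(`(?m)^\s*(source|version)\s*=\s*"([^"]*)"`)
// IsRemoteSource: Terraform treats only ".", "..", "./..." and "../..." sources as local.
func IsRemoteSource(src string) bool {
	return !(src == "." || src == ".." ||
		strings.HasPrefix(src, "./") || strings.HasPrefix(src, "../"))
}

// Pinned reports whether a registry version constraint or a git ref selector fixes
// the module's content; an unpinned remote module can change between runs.
func (m TerraformModule) Pinned() bool { return m.Version != "" || strings.Contains(m.Source, "ref=") }

// ParseRemoteModules extracts remote module definitions from .tf text,
// skipping local-path modules that belong to the configuration itself.
func ParseRemoteModules(tf string) []TerraformModule {
	var mods []TerraformModule
	for _, blk := range moduleBlockRe.FindAllStringSubmatch(tf, -1) {
		attrs := map[string]string{}
		for _, a := range attrRe.FindAllStringSubmatch(blk[2], -1) {
			attrs[a[1]] = a[2]
		}
		if src := attrs["source"]; src != "" && IsRemoteSource(src) {
			mods = append(mods, TerraformModule{blk[1], src, attrs["version"]})
		}
	}
	return mods
}

// Constructed sample configuration (not from the issue) covering each case.
const SampleTF = `module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.28.0"
}
module "naming" {
  source = "./modules/naming"
}
module "bucket" {
  source = "terraform-aws-modules/s3-bucket/aws"
}`
```

Nested blocks inside a module block (for example a providers map) are not handled by the regex, which is one reason the real implementation should stay on the HCL AST.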

@hanshal101

Cool, understood, working on it!
