tenable/terrascan

now terrascan just hangs in a pre-commit

balq60 opened this issue · 1 comment

balq60 commented
```yaml
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.81.0
    hooks:
      - id: terraform_providers_lock
      - id: terraform_checkov
        exclude: (^generate-code/)
        args:
          - --args=--framework=all
          - --args=--quiet
          - --args=--include-all-checkov-policies
      - id: terraform_docs
        files: ^IaC/environments/2-test|^IaC/environments/3-staging|^IaC/environments/4-prod|^IaC/modules
        exclude: (.template/.*$|./examples/.*|./test/.*)
        args:
          - --args=--config=.terraform-docs.yaml
          - --hook-config=--path-to-file=README.md
          - --hook-config=--add-to-existing-file=true
          - --hook-config=--create-file-if-not-exist=true
      - id: terraform_fmt
        exclude: (^generate-code/)
      # AC_AWS_0369 - I do have Flow Logs enabled. It is done dynamically, so terrascan does not see it.
      # AC_AWS_0479 - This is being done; line 91 of modules/ec2_complete/main.tf sets it. It is done dynamically, so terrascan does not see it.
      # AC_AWS_0480 - Detailed monitoring is set to true via variables. Line 52 of modules/ec2_complete/main.tf consumes and sets the variables. They are set to true.
      ### terrascan has INCORRECTLY flagged 'optional' as an experiment. It was released in 1.3.0 of Terraform.
      ### I have opened this issue - #1580
      ### I see no way to ignore checking for experiments after hours of googling, so commenting out for now.
      - id: terrascan
        args:
          - --args=--iac-dir=IaC/environments/2-test
          - --args=--policy-type=aws
          - --args=--verbose
          - --args=--non-recursive
          - --args=--skip-rules="AC_AWS_0369,AC_AWS_0479,AC_AWS_0480"

      # aws-ec2-enable-at-rest-encryption - They are set to be encrypted. It is done dynamically, so terraform_tfsec does not see it.
      # aws-ec2-require-vpc-flow-logs-for-all-vpcs - I am setting Flow Logs. It is done dynamically, so terraform_tfsec does not see it.
      # aws-s3-enable-bucket-logging - I do have logging enabled. It is done dynamically, so terraform_tfsec does not see it.
      # aws-ec2-enforce-http-token-imds - Yes, this is set dynamically. It is done dynamically, so terraform_tfsec does not see it.

      - id: terraform_tfsec
        files: ^IaC/environments/2-test|^IaC/environments/3-staging|^IaC/environments/4-prod|^IaC/modules
        files: ^generate-code   # second 'files' key for the same hook, reproduced as posted
        args:
          - >
            --args=--format json
            --no-color
            -e aws-ec2-require-vpc-flow-logs-for-all-vpcs,aws-ec2-enable-at-rest-encryption,aws-s3-enable-bucket-logging,aws-ec2-enforce-http-token-imds
```

```
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"
```

Description

Trying to run the above configuration and now terrascan just hangs and never completes.

What I Did

I let it run for 20 minutes.
Command pasted above.
[screenshot: terrascan just hangs]

Does a verbose flag show any log?
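One way to get that log, as an added example that is neither the issue author's configuration nor part of the terrascan or pre-commit-terraform projects: run the same scan the `terrascan` hook above would run, but outside pre-commit, under a hard `timeout` and with terrascan's debug logging turned on. The script assumes (none of this is stated on the page) that pre-commit-terraform forwards each `--args=<flag>` value to `terrascan scan`, that `--log-level` and `--log-type` are terrascan's global logging flags, that `-i terraform` selects the IaC type, and that `timeout` is GNU coreutils, which exits 124 when it has to kill the command.

```shell
#!/bin/sh
# Added example: reproduce the pre-commit `terrascan` hook's scan directly so a
# hang can be timed out and terrascan's own debug log captured.
# Not the issue author's config and not terrascan's own tooling.
#
# Assumptions (not from the page): pre-commit-terraform forwards each
# "--args=<flag>" to `terrascan scan`; --log-level/--log-type are terrascan's
# global logging flags; -i terraform selects the IaC type; `timeout` is GNU
# coreutils (exit 124 == killed on timeout).

# build_scan_cmd TIMEOUT_SECS HOOK_ARGS...
# Strips the "--args=" wrapper from each hook argument and prints the full
# command line that run_scan will execute (one line, space separated).
build_scan_cmd() {
  secs=$1; shift
  cmd="timeout $secs terrascan scan -i terraform --log-level debug --log-type console"
  for a in "$@"; do
    cmd="$cmd ${a#--args=}"
  done
  printf '%s\n' "$cmd"
}

# classify_exit CODE: turn the exit status of the timed run into a verdict.
# 124 comes from `timeout`, so it means terrascan never returned on its own.
classify_exit() {
  case "$1" in
    0)   echo "clean: scan finished with no violations" ;;
    124) echo "hung: killed by timeout before terrascan returned" ;;
    *)   echo "terrascan exited $1: check the debug log" ;;
  esac
}

# run_scan TIMEOUT_SECS LOGFILE HOOK_ARGS...
# Runs the scan, writes terrascan's combined stdout/stderr to LOGFILE, prints
# the verdict, and returns the scan's exit status.
run_scan() {
  secs=$1; log=$2; shift 2
  # shellcheck disable=SC2046  # arguments contain no whitespace by construction
  set -- $(build_scan_cmd "$secs" "$@")
  "$@" >"$log" 2>&1
  rc=$?
  classify_exit "$rc"
  return "$rc"
}

# Run only when explicitly requested, e.g. from the repo root with the hook's
# arguments copied from the issue (300 s is an assumed budget):
#   RUN_SCAN=1 sh repro.sh 300 terrascan-debug.log \
#     --args=--iac-dir=IaC/environments/2-test --args=--policy-type=aws \
#     --args=--verbose --args=--non-recursive \
#     --args=--skip-rules=AC_AWS_0369,AC_AWS_0479,AC_AWS_0480
if [ "${RUN_SCAN:-0}" = 1 ]; then
  run_scan "$@"
fi
```

If the run ends with exit 124, the last lines of `terrascan-debug.log` show the stage at which terrascan stopped making progress, which is the detail that separates a real hang from a scan that is merely slow; a non-124 status means terrascan did return and pre-commit's own handling is where to look next.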