super-linter: terrascan throws error on terraform moved blocks
Describe the bug
terraform 1.1 introduced a new feature - moved blocks. Read more at https://www.terraform.io/language/modules/develop/refactoring if you wish to understand them.
super-linter is failing when my code includes a moved block with error:
Unsupported block type; Blocks of type “moved” are not expected here.
It is the terrascan linter that is failing.
Expected behavior
moved blocks are valid syntax so terrascan should support them and not throw this error
Steps to Reproduce
- Create a new repository in GitHub
- Add a file main.tf with the following code:
    resource "null_resource" "bar" {}
    moved {
      from = null_resource.foo
      to   = null_resource.bar
    }
- Add a file .github/workflows/workflow.yaml with:
    name: demo
    on:
      workflow_dispatch:
    jobs:
      super-lint:
        name: Lint Code Base
        runs-on: ubuntu-latest
        steps:
          - name: Checkout code
            uses: actions/checkout@v2
          - name: Run Super-Linter
            uses: github/super-linter/slim@v4
            env:
              DEFAULT_BRANCH: main
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- Manually trigger a run of the workflow. It will (at the time of writing) fail with the error above.
You can see a repro of this problem at https://github.com/jamiet-msm/demo-super-linter-terrascan-issue/runs/6913423542?check_suite_focus=true#step:4:159
Additional context
Obviously the problem lies with terrascan, but as the error is being raised via the use of super-linter I thought it better to inform folks here of this issue. According to terrascan's changelog, moved blocks are supported since v1.14.0 (perhaps even earlier):
Closed issue: Blocks of type "moved" not supported: https://github.com/accurics/terrascan/issues/1182
and I believe super-linter is using a later version:
➜ docker run -it --entrypoint bash ghcr.io/github/super-linter:slim-v4.9.4 -c "terrascan version"
version: v1.15.1
so I'm confused what the issue might be.
About this issue
- State: closed
- Created 2 years ago
- Reactions: 4
- Comments: 21 (10 by maintainers)
Seeing the exact same issue you are having.
Would there be any worth in having a toggle to get Super Linter to check Terrascan individual files vs the whole directory? I’ve seen a couple of cases where Terrascan has thrown errors when scanning through Super Linter which I don’t see locally as I run it differently. I realise that Super Linter can be set up to only scan the files which have changed but I think there is value to getting a full Terrascan run.
Look into this code. I think it might be that since super-linter individually scans files (https://github.com/github/super-linter/blob/1e1f71f145d50ddd3a6e68d49ff3f80a091d9ad4/lib/linter.sh#L968) it throws the error, but if you run "terrascan -l terraform" in a repo it doesn't. So basically the outputs of
"terrascan scan -i terraform -t all -f main.tf" and "terrascan scan -i terraform"
are working differently.
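The divergence the comment above describes (terrascan invoked once per file, which is how super-linter calls it, versus once over the whole directory) can be checked on any Terraform repo with a small script. This is an added example, not code from the issue thread, super-linter or terrascan; it assumes terrascan is on PATH (or pointed to by the TERRASCAN variable) and uses terrascan's -d directory flag alongside the -i, -t and -f flags quoted in the thread.

```shell
#!/usr/bin/env sh
# Added example (not from the issue thread): compare terrascan's per-file scan,
# the mode super-linter uses, against a whole-directory scan of the same code,
# to confirm whether the two modes disagree on a given repository.
# Assumes `terrascan` is on PATH; override with TERRASCAN=/path/to/terrascan.

TERRASCAN="${TERRASCAN:-terrascan}"

# Scan every .tf file in DIR on its own, as super-linter does.
# Prints the files whose scan exits non-zero; returns 0 only if none fail.
scan_per_file() {
  dir="$1"
  failed=0
  for f in "$dir"/*.tf; do
    [ -e "$f" ] || continue
    if ! "$TERRASCAN" scan -i terraform -t all -f "$f" >/dev/null 2>&1; then
      echo "per-file scan failed: $f"
      failed=1
    fi
  done
  return "$failed"
}

# Scan DIR as one Terraform module (what a local `terrascan scan` in the repo does).
scan_directory() {
  dir="$1"
  "$TERRASCAN" scan -i terraform -t all -d "$dir" >/dev/null 2>&1
}

# Echo how the two modes relate for DIR:
#   agree          both pass or both fail
#   per-file-only  single-file scans fail but the directory scan passes
#                  (the pattern reported in this issue)
#   directory-only the directory scan fails but every single-file scan passes
compare_modes() {
  dir="$1"
  per_file=0
  scan_per_file "$dir" >/dev/null || per_file=1
  whole=0
  scan_directory "$dir" || whole=1
  if [ "$per_file" -eq "$whole" ]; then
    echo agree
  elif [ "$per_file" -eq 1 ]; then
    echo per-file-only
  else
    echo directory-only
  fi
}

# Usage: ./compare_terrascan_modes.sh path/to/terraform/dir
if [ $# -gt 0 ]; then
  compare_modes "$1"
fi
```

A result of per-file-only on a repo whose only unusual construct is a moved block reproduces the thread's finding without a GitHub Actions run; a result of agree means the failure is not caused by super-linter's per-file invocation and should be investigated in terrascan itself.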