Intermittent error running terrascan - rego_parse_error: unexpected assign token: non-terminated set #1180

Closed
jamiet-msm opened this issue Mar 3, 2022 · 1 comment

@jamiet-msm

  • terrascan version: unsure because we're calling it from super-linter
  • Operating System: linux

Description

We run terrascan as part of GitHub's super-linter https://github.com/github/super-linter

Today we've experienced an intermittent error where terrascan failed with this error:

2022-03-03 10:15:09 [ERROR]   Found errors in [terrascan] linter!
2022-03-03 10:15:09 [ERROR]   Error code: 1. Command output:
------
2022-03-03T10:15:09.312Z	error	opa/engine.go:231	error compiling rego files{rule 15 0 allUsersReadWriteAccess <nil>} {raw rego 15 0 package accurics

allUsersReadWriteAccess[retVal] {
    bucket := input.aws_s3_bucket[_]
    bucket.config.acl == "public-read-write"
    traverse = "acl"
    retVal := { "Id": bucket.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "acl", "AttributeDataType": "string", "Expected": "private", "Actual": bucket.config.acl }
}

allUsersReadWriteAccess<no value>[retVal] {
    bucket := input.aws_s3_bucket_acl[_]
    bucket.config.acl == "public-read-write"
    traverse = "acl"
    retVal := { "Id": bucket.id, "ReplaceType": "edit", "CodeType": "attribute", "Traverse": traverse, "Attribute": "acl", "AttributeDataType": "string", "Expected": "private", "Actual": bucket.config.acl }
} <nil>} {error 26 0  1 error occurred: allUsersReadWriteAccess:11: rego_parse_error: unexpected assign token: non-terminated set
	    bucket := input.aws_s3_bucket_acl[_]
	           ^}
2022-03-03T10:15:09.312Z	error	opa/engine.go:267	error compiling rego files{policy path 15 0 /github/home/.terrascan/pkg/policies/opa/rego/aws <nil>} {error 26 0  1 error occurred: allUsersReadWriteAccess:11: rego_parse_error: unexpected assign token: non-terminated set
	    bucket := input.aws_s3_bucket_acl[_]
	           ^}
2022-03-03T10:15:09.312Z	error	runtime/executor.go:198	failed to initialize policy engine for path /github/home/.terrascan/pkg/policies/opa/rego/aws, error: failed to initialize OPA policy engine
2022-03-03T10:15:09.312Z	error	runtime/executor.go:199	perform 'terrascan init' command and then try running the scan command again
2022-03-03T10:15:09.312Z	error	cli/run.go:135	scan run failed{error 26 0  failed to initialize OPA policy engine}

This occurred in two separate GitHub Actions workflow runs, at

  • 2022-03-03 10:15 GMT
  • 2022-03-03 10:57 GMT

We have had subsequent runs which have gotten past this point of failure, so it does seem like an intermittent error. I thought it was worth reporting so that you folks are aware and in case you might want to build in some mitigation.

As I say, subsequent runs have succeeded, so there is no issue for us.

What I Did

We don't explicitly run the command, we run it from super-linter. Here is our super-linter configuration.

  super-lint:
    name: Lint Code Base
    runs-on: [self-hosted, ubuntu, dataplatform]
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Run Super-Linter
        uses: github/super-linter/slim@v4
        env:
          DEFAULT_BRANCH: main
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          VALIDATE_ALL_CODEBASE: false
          VALIDATE_PYTHON_ISORT: false
          VALIDATE_DOCKERFILE: false
          VALIDATE_DOCKERFILE_HADOLINT: false
          VALIDATE_GITHUB_ACTIONS: false # disabling until https://github.com/rhysd/actionlint/issues/114 is fixed
          VALIDATE_SQLFLUFF: false

Unfortunately, I can't provide a link to the failing job because it's in a private repository.

Hope this is useful.

@harkirat22
Contributor

@jamiet-msm thanks for reporting this issue. We just fixed it, and have a thread related to this.
