Issue on Azure DevOps Agents since 1.3.2 : failed to initialize terrascan

[alex-3sr]

• terrascan version: 1.3.3
• Operating System: Windows Azure DevOps Agent Hosted

Description

Until 1.3.1, we didn't have any issue, and since 1.3.2 all pipelines failed with warning. The issue still present with 1.3.3.
It seem that the issue is coming with the last fix about downlaod policies on 1.3.2 #521

When we add debug log, we can see that Terrascan are unable to init because can't install policies. I think it's because the target folder is write protected, but on Hosted Azure Devops Agent we can't change it.

So, I'm a bit confused if it's a limitation of Azure DevOps and at same time like it's worked until 1.3.1 if last update can break the usage of terrascan on Azure DevOps. Is it really an issue ? BTW in anycase, works perfectly locally on my Windows Computer. Maybe it's just be an improvement that we need for still use in Azure DevOps by using an extra arguments for say where policies need to be downloaded (on a non protected write folder) for workaround, but I didn't find a way to add this extra args.

Thanks for your help/advice, Regards
Alex

What I Did

terrascan.exe scan -t azure -i terraform --iac-version v14 -o json

Here the error log that I can have with just a terrascan init on Azure DevOps

2021-02-19T19:46:40.347Z	debug	config/global.go:59	global config env variable is not specified
2021-02-19T19:46:40.380Z	debug	initialize/run.go:40	initializing terrascan
2021-02-19T19:46:40.380Z	debug	initialize/run.go:60	downloading policies
2021-02-19T19:46:40.380Z	debug	initialize/run.go:69	cloning terrascan repo at C:\Users\VSSADM~1\AppData\Local\Temp\terrascan-756921911
2021-02-19T19:46:50.958Z	error	cli/init.go:42	failed to initialize terrascan. error : failed to install policies to '/.terrascan'. error: 'rename C:\Users\VSSADM~1\AppData\Local\Temp\terrascan-756921911 /.terrascan: The system cannot move the file to a different disk drive.'

[amirbenv]

Hi @alex-3sr! Thanks for the report. Will follow up soon

[devang-gaur]

Hey @alex-3sr , we're working on a fix for this issue. gonna release with a patch soon.

meanwhile, could you try specifying the policy path in the config file for now? let us know if that works for you.

Also, could you let us know if there's any HOME environment variable set on the host machine?

[devang-gaur]

Could you try this terrascan binary (compiled for windows) in your pipeline and see if you face the same issue?

[alex-3sr]

Could you try this terrascan binary (compiled for windows) in your pipeline and see if you face the same issue?

Hi @dev-gaur , yes, now with this new binary file, it's working as expected ;) Thanks. I've no idea what the difference between previous one, but it's work again now.

About HOME environnements variables, we had some, i exported all environnent ->

agent.jobstatus => Succeeded
AGENT_BUILDDIRECTORY => D:\a\1
AGENT_DISABLELOGPLUGIN_TESTFI†=> ¦ true
AGENT_DISABLELOGPLUGIN_TESTRE†=> ¦ true
AGENT_HOMEDIRECTORY => C:\agents\2.182.1
AGENT_ID => 12
AGENT_JOBNAME => DEV_Plan
AGENT_JOBSTATUS => Succeeded
AGENT_MACHINENAME => WIN-APPQUH30VIN
AGENT_NAME => Hosted Agent
AGENT_OS => Windows_NT
AGENT_OSARCHITECTURE => X64
AGENT_READONLYVARIABLES => TRUE
AGENT_RETAINDEFAULTENCODING => FALSE
AGENT_ROOTDIRECTORY => D:\a
AGENT_SERVEROMDIRECTORY => C:\agents\2.182.1\externals\vstsom
AGENT_TEMPDIRECTORY => D:\a\_temp
AGENT_TOOLSDIRECTORY => C:\hostedtoolcache\windows
AGENT_USEWORKSPACEID => TRUE
AGENT_VERSION => 2.182.1
AGENT_WORKFOLDER => D:\a
ALLUSERSPROFILE => C:\ProgramData
ANDROID_HOME => C:\Android\android-sdk
ANDROID_NDK_HOME => C:\Android\android-sdk\ndk-bundle
ANDROID_NDK_LATEST_HOME => C:\Android\android-sdk\ndk\22.0.7026061
ANDROID_NDK_PATH => C:\Android\android-sdk\ndk-bundle
ANDROID_NDK_ROOT => C:\Android\android-sdk\ndk-bundle
ANDROID_SDK_ROOT => C:\Android\android-sdk
ANT_HOME => C:\ProgramData\chocolatey\lib\ant\tools\apache-ant-1.10.9
APPDATA => C:\Users\VssAdministrator\AppData\Roaming
AZURE_EXTENSION_DIR => C:\Program Files\Common Files\AzureCliExtensionDirectory
AZURE_HTTP_USER_AGENT => VSTS_e7a392f3-fb84-4318-9df0-5d3cdfe25c16_build_142_0
BOOST_ROOT_1_72_0 => C:\hostedtoolcache\windows\Boost\1.72.0\x86_64
BUILD_ARTIFACTSTAGINGDIRECTORY => D:\a\1\a
BUILD_BINARIESDIRECTORY => D:\a\1\b
BUILD_BUILDID => 23320
BUILD_BUILDURI => vstfs:///Build/Build/23320
BUILD_CONTAINERID => 1225806
BUILD_DEFINITIONVERSION => 1
BUILD_QUEUEDBY => Microsoft.VisualStudio.Services.TFS
BUILD_QUEUEDBYID => 00000002-0000-8888-8000-000000000000
BUILD_REASON => IndividualCI
BUILD_REPOSITORY_CLEAN => FALSE
BUILD_REPOSITORY_GIT_SUBMODUL†=> ¦ False
BUILD_REPOSITORY_ID => de55eadd-3741-470d-b816-0bbe4ad02a12
BUILD_REPOSITORY_LOCALPATH => D:\a\1\s
BUILD_REPOSITORY_PROVIDER => TfsGit
BUILD_SOURCEBRANCH => refs/heads/master
BUILD_SOURCEBRANCHNAME => master
BUILD_SOURCESDIRECTORY => D:\a\1\s
BUILD_SOURCEVERSION => 2e0054d9ed8b1e24709b9f5771c0630ca7272e59
BUILD_SOURCEVERSIONAUTHOR => 3SR DevOps
BUILD_SOURCEVERSIONMESSAGE => change path
BUILD_STAGINGDIRECTORY => D:\a\1\a
ChocolateyInstall => C:\ProgramData\chocolatey
ChromeWebDriver => C:\SeleniumWebDrivers\ChromeDriver
COBERTURA_HOME => C:\cobertura-2.1.1
COMMON_TESTRESULTSDIRECTORY => D:\a\1\TestResults
CommonProgramFiles => C:\Program Files\Common Files
CommonProgramFiles(x86) => C:\Program Files (x86)\Common Files
CommonProgramW6432 => C:\Program Files\Common Files
COMPUTERNAME => WIN-APPQUH30VIN
ComSpec => C:\windows\system32\cmd.exe
CONDA => C:\Miniconda
DOTNET_MULTILEVEL_LOOKUP => 0
DriverData => C:\Windows\System32\Drivers\DriverData
EdgeWebDriver => C:\SeleniumWebDrivers\EdgeDriver
GCM_INTERACTIVE => Never
GeckoWebDriver => C:\SeleniumWebDrivers\GeckoDriver
GIT_TERMINAL_PROMPT => 0
GOROOT => C:\hostedtoolcache\windows\go\1.15.8\x64
GOROOT_1_13_X64 => C:\hostedtoolcache\windows\go\1.13.15\x64
GOROOT_1_14_X64 => C:\hostedtoolcache\windows\go\1.14.15\x64
GOROOT_1_15_X64 => C:\hostedtoolcache\windows\go\1.15.8\x64
GRADLE_HOME => C:\ProgramData\chocolatey\lib\gradle\tools\gradle-6.8
HOMEDRIVE => C:
HOMEPATH => \Users\VssAdministrator
IEWebDriver => C:\SeleniumWebDrivers\IEDriver
ImageOS => win19
ImageVersion => 20210211.1
JAVA_HOME => C:\Program Files\Java\jdk8u282-b08
JAVA_HOME_11_X64 => C:\Program Files\Java\jdk-11.0.10+9
JAVA_HOME_13_X64 => C:\Program Files\Java\jdk-13.0.2+8
JAVA_HOME_8_X64 => C:\Program Files\Java\jdk8u282-b08
LOCALAPPDATA => C:\Users\VssAdministrator\AppData\Local
LOCATION => West Europe
LOGONSERVER => \\WIN-APPQUH30VIN
M2 => C:\ProgramData\chocolatey\lib\maven\apache-maven-3.6.3\bin
M2_HOME => C:\ProgramData\chocolatey\lib\maven\apache-maven-3.6.3
M2_REPO => C:\ProgramData\m2
MAVEN_OPTS => #NAME?
MonAgentClientLocation => C:\Packages\Plugins\Microsoft.Azure.Geneva.GenevaMonitoring\2.20.0.1\Monitoring\Agent
MSDEPLOY_HTTP_USER_AGENT => VSTS_e7a392f3-fb84-4318-9df0-5d3cdfe25c16_build_142_0
npm_config_prefix => C:\npm\prefix
NUMBER_OF_PROCESSORS => 4
OS => Windows_NT
Path => C:\Program Files\PowerShell\7;C:\agents\2.182.1\externals\git\cmd;C:\Users\VssAdministr…
PATHEXT => .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
PGBIN => C:\Program Files\PostgreSQL\13\bin
PGDATA => C:\Program Files\PostgreSQL\13\data
PGPASSWORD => root
PGROOT => C:\Program Files\PostgreSQL\13
PGUSER => postgres
PHPROOT => c:\tools\php
PIPELINE_WORKSPACE => D:\a\1
PIPX_BIN_DIR => C:\Program Files (x86)\pipx_bin
PIPX_HOME => C:\Program Files (x86)\pipx
POWERSHELL_DISTRIBUTION_CHANN†=> ¦ Azure-DevOps-win19
POWERSHELL_UPDATECHECK => Off
PROCESSOR_ARCHITECTURE => AMD64
PROCESSOR_IDENTIFIER => Intel64 Family 6 Model 85 Stepping 4, GenuineIntel
PROCESSOR_LEVEL => 6
PROCESSOR_REVISION => 5504
ProgramData => C:\ProgramData
ProgramFiles => C:\Program Files
ProgramFiles(x86) => C:\Program Files (x86)
ProgramW6432 => C:\Program Files
PSExecutionPolicyPreference => Unrestricted
PSModulePath => C:\Users\VssAdministrator\Documents\PowerShell\Modules;C:\Program Files\PowerShell\Modu…
PUBLIC => C:\Users\Public
PWSH_ARCHI => x64
PWSH_OS => win
RESOURCES_TRIGGERINGALIAS => 
RESOURCES_TRIGGERINGCATEGORY => 
RTOOLS40_HOME => C:\rtools40
RUNNER_TOOLSDIRECTORY => C:\hostedtoolcache\windows
SBT_HOME => C:\Program Files (x86)\sbt\
SELENIUM_JAR_PATH => C:\selenium\selenium-server-standalone.jar
SYSTEM => build
SYSTEM_ARTIFACTSDIRECTORY => D:\a\1\a
SYSTEM_CULTURE => en-US
SYSTEM_DEFAULTWORKINGDIRECTORY => D:\a\1\s
SYSTEM_DEFINITIONID => 142
SYSTEM_ENABLEACCESSTOKEN => SecretVariable
SYSTEM_HOSTTYPE => build
SYSTEM_ISSCHEDULED => FALSE
SYSTEM_JOBATTEMPT => 1
SYSTEM_JOBNAME => __default
SYSTEM_JOBPARALLELISMTAG => Private
SYSTEM_JOBPOSITIONINPHASE => 1
SYSTEM_JOBTIMEOUT => 60
SYSTEM_PHASEATTEMPT => 1
SYSTEM_PIPELINESTARTTIME => 2021-02-25 10:53:15+01:00
SYSTEM_PULLREQUEST_ISFORK => FALSE
SYSTEM_SERVERTYPE => Hosted
SYSTEM_STAGEATTEMPT => 1
SYSTEM_TOTALJOBSINPHASE => 1
SYSTEM_WORKFOLDER => D:\a
SystemDrive => C:
SystemRoot => C:\windows
TEMP => C:\Users\VSSADM~1\AppData\Local\Temp
TMP => C:\Users\VSSADM~1\AppData\Local\Temp
USERDOMAIN => WIN-APPQUH30VIN
USERDOMAIN_ROAMINGPROFILE => WIN-APPQUH30VIN
USERNAME => VssAdministrator
USERPROFILE => C:\Users\VssAdministrator
VCPKG_INSTALLATION_ROOT => C:\vcpkg
VS140COMNTOOLS => C:\Program Files (x86)\Microsoft Visual Studio 14.0\Common7\Tools\
VSTS_AGENT_PERFLOG => C:\agents\perflog
VSTS_PROCESS_LOOKUP_ID => vsts_f37049b5-e857-4ffd-8155-bc05d93268f4
windir => C:\windows
WIX => C:\Program Files (x86)\WiX Toolset v3.11\

The main environnements variables, especially TEMP if I take a look on Terrascan debug error (like bellow), who is different thant the home folder with this env HOMEPATH
cloning terrascan repo at C:\Users\VSSADM~1\AppData\Local\Temp\terrascan-488163751

Does it give you enough informations ?
Don't hesitate if need further informations
Regards
Alexandre