terraform modules

[noqcks]

What would you like to be added:

terraform modules and providers included in the SBOM components list

Why is this needed:

Would be nice to have terraform modules included in an SBOM, since they're technically 3rd party software that is used to build an application.

Additional context:

Checkcov has done a little work on this in the past
https://bridgecrew.io/blog/hacktoberfest-iac-software-bill-of-materials-checkov-cyclonedx/

[ghouscht]

Hey,
I saw a discussion on reddit (https://www.reddit.com/r/Terraform/comments/1g9go7p/what_do_you_use_to_generate_sbom_for_terraform/) and I'd like to look into this topic. I already have a working PoC for providers 🙂

However, tracking module dependencies might be a bit tricker as they don't seem to be tracked by the terraform lock file. See https://developer.hashicorp.com/terraform/language/files/dependency-lock#dependency-lock-file

At present, the dependency lock file tracks only provider dependencies. Terraform does not remember version selections for remote modules, and so Terraform will always select the newest available module version that meets the specified version constraints. You can use an exact version constraint to ensure that Terraform will always select the same module version.

[spiffcs]

I think we can close this now that #3378 has been closed and released.

If there are additional upgrades to that feature we want in the future we can reopen this or build a new issue that links to it.

[antonbabenko]

@spiffcs I think #3378 only takes care of Terraform providers, not Terraform modules. Let's keep this issue open.

[spiffcs]

@antonbabenko -- reading comprehension fail when I was going over staler issue this morning thanks for the catch here