Our team uses AWS Providers version 2.6.1 in a layer of one of our lambdas. We need to use a 2.x version as we are using TF 0.11.14. This version of the AWS Provider is being flagged by AWS Inspector as a critical security vulnerability due to the outdated version of the Go-getter library used in the provider.
There were multiple vulnerabilities identified in Go-getter last year as described in the thread below but they were all fixed in version 1.6.1.
I was looking for a recently published version of the AWS provider that supports TF 0.11 and has the fixed version of the Go-getter library.
Unfortunately, I couldn’t find one. The latest 2.7x version published in January still has Go-getter 1.4.0.
We are planning to migrate to a newer TF version but due to the size of our project and many other factors, this is going to be a slow process. In the meantime I would like to ask if there are any plans of publishing a 2.7x version with an up-to-date version of the Go-getter library?
Also, this post may look like a duplicate of an earlier topic, and you are right. Apologies, I accidentally deleted the earlier topic and re-created it now.
I can’t talk for the maintainers of that provider, but I’d suggest it is probably pretty unlikely. The last release of Terraform 0.11 was about 4 years ago, so can be considered totally obsolete and ancient.
I’d strongly suggest that you prioritise moving your code to a much more recent version of Terraform (ideally the latest version, as once you upgrade past version 1 keeping up to date is generally very easy).
Sticking with something so old will increasingly expose you to all sorts of issues - not only potential security issues, but totally missing cloud features and even the possibility of things totally stopping working (as happened relatively recently with Microsoft Azure remote state).
Current versions of the AWS provider don’t use go-getter. I also can’t remember any reason why any earlier version of the AWS provider would’ve used go-getter, since Terraform uses that library for module installation and the AWS provider has no need to install Terraform modules. (Terraform CLI is responsible for module installation.)
I do see that in major version 2 of the provider there was an indirect reference to go-getter, but that only means that one of the other libraries that the provider depended on was using go-getter and not the AWS provider itself.
As @stuart-c noted, Terraform v0.11 is now very obsolete and so most providers are no longer making new releases that are compatible with it. It does seem like the AWS provider team is still making occasional releases that happen to be compatible but I suspect that is more by luck than by intention; they happen to be building with old enough dependencies that the legacy protocol support is still available.
If you are concerned about security then your first priority should be to use a modern version of Terraform and the modern provider releases that are compatible with it.
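An added example, not code from this thread or from the AWS provider project, of the triage the reply above describes: parse a go.mod file, check whether a library flagged by a scanner (here go-getter) is a direct requirement or only an `// indirect` one pulled in by another dependency, and compare its version against the release the thread says fixed the issues (1.6.1). The go.mod excerpt is constructed for the example and is not the provider's real module file.

```python
import re

# Constructed go.mod excerpt in the shape of a provider's module file
# (not copied from the AWS provider repository).
SAMPLE_GO_MOD = """\
module github.com/example/terraform-provider-example

go 1.13

require (
	github.com/hashicorp/go-getter v1.4.0 // indirect
	github.com/hashicorp/terraform-plugin-sdk v1.17.2
	github.com/aws/aws-sdk-go v1.30.12
)
"""

# Version in which, per the thread, the go-getter vulnerabilities were fixed.
FIXED_GO_GETTER = "1.6.1"

# module-path  vX.Y.Z[-suffix]  [// indirect]
REQ_RE = re.compile(r"^(\S+)\s+v(\d+(?:\.\d+)*)(?:[-+]\S*)?(?:\s*//\s*(indirect))?\s*$")

def parse_requires(go_mod_text):
    """Return {module_path: (version, is_indirect)} for every require line,
    handling both single-line 'require x vN' and 'require ( ... )' blocks."""
    reqs, in_block = {}, False
    for line in go_mod_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("require ("):
            in_block = True
            continue
        if in_block and stripped == ")":
            in_block = False
            continue
        if stripped.startswith("require "):
            stripped = stripped[len("require "):]
        elif not in_block:
            continue
        m = REQ_RE.match(stripped)
        if m:
            reqs[m.group(1)] = (m.group(2), m.group(3) == "indirect")
    return reqs

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def triage(go_mod_text, module, fixed_version):
    """Classify a flagged dependency: 'absent', 'fixed',
    'vulnerable-direct' or 'vulnerable-indirect'."""
    reqs = parse_requires(go_mod_text)
    if module not in reqs:
        return "absent"
    version, indirect = reqs[module]
    if version_tuple(version) >= version_tuple(fixed_version):
        return "fixed"
    return "vulnerable-indirect" if indirect else "vulnerable-direct"
```

An `indirect` result means the fix has to come from whichever dependency pulls the library in (or from a newer provider build), not from the provider's own code.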