DevOps | Aug 26, 2021

Terraform Security: Six Habits for Secure Terraform Workflows

Terraform Security-Six Habits for Secure Terraform Workflows banner image

Terraform security is top of mind for many organizations. If your organization is utilizing Terraform for the management and operation of your cloud environment, you’re in good company with Instacart, Slack, Uber and thousands of other entities. The open-source Infrastructure as Code (IaC) tool from HashiCorp enables developers to develop and change infrastructure as well as effortlessly manage service providers and internal solutions in one place. Terraform also delivers benefits on the security front. DevOps teams can preview infrastructure changes, giving them the ability to see how those changes will impact the environment, then course correct if needed. And, unlike manual processes, Terraform works from declarative code to automate deployment and management, making it less likely that human error will cause problems.

Of course, every tool can be improved with best practices and Terraform is no different. This blog explores six Terraform security considerations along with best practices that will allow you to protect your environment and fully realize the many benefits of Terraform in your infrastructure provisioning workflow.

Terraform Security Habit 1: Protecting Secrets in Terraform

Secrets include sensitive information, such as credentials or API keys, used in your Terraform code. These must be securely managed to ensure they are not exposed to unauthorized users. For example, it’s critical to make sure you never hard code database credentials directly into your Terraform code and check it into version control, which gives anyone with access to the version control system access to that secret. Instead, provide credentials by using variables and setting them as “sensitive” to prevent them from being displayed in outputs or logs.

It’s important to note that these sensitive credentials can still show up in state files as plain text. Terraform stores all your parameters in state files and checks against them to see if the state of the values has changed so it can execute APIs that affect the resources. To avoid exposing secrets through state files, use a Terraform remote state backend which encrypts state files and ensures access is highly restricted.

Terraform Security Habit 2: Facilitating Secure Collaboration

Many hands make lighter work, but they can also get in each other’s way. That’s why when running Terraform it is important to collaborate securely to protect sensitive data from unauthorized users and ensure the infrastructure is not corrupted. Terraform’s state file tracks the state of provisioned infrastructure resources, and that file is stored on the local file system of the system where Terraform is executed. This makes collaboration challenging but since state files may contain sensitive data sharing them is not ideal.

Instead, we suggest leveraging a remote state file, which is not stored locally, to ensure secrets are not persisted to disk. Once operations that update the state file are completed, the updated file is uploaded to the backend. This ensures the state file always represents the latest version of the resources provisioned by Terraform. When using remote state files, make sure infrastructure changes don’t happen simultaneously, since this can corrupt the state file. State locking enables Terraform to verify any locks before executing infrastructure changes, place a lock while changes are executed, then remove the lock after the state file has been updated. 

Terraform Security Habit 3: Managing Dependencies

Terraform utilizes modules and providers so be sure these external dependencies come from trusted, verified sources. Providers are downloaded to the system where Terraform is executed when performing the terraform init command. As of Terraform 0.14, this command uses a dependency lock file to track version constraints and hashes for providers. These hashes are populated the first time a provider is downloaded, and after that Terraform performs a checksum verification. The Terraform registry also provides signed checksums for providers that are automatically trusted by Terraform after verification.

Mirrors offer another level of protection against misuse. Downloading providers from filesystem mirrors, network mirrors or private registries reduces network traffic, enables faster execution, and restricts the providers that can be used in your network. Modules are another dependency and, like providers, are downloaded locally when performing the terraform init command. But, modules aren’t tracked using a dependency lock file so you should verify a module’s integrity before making it available to Terraform. To do this, Accurics recommends creating checksums and a local mirror for public modules used in your environment.

Terraform Security Habit 4: Detecting and Remediating Drift

When manual changes are applied in runtime they can cause drift: a deviation between your runtime environment and what is defined in your Terraform code. It is important to quickly detect and remediate drift because it can introduce security risks and it creates process complexity with IaC, the state file, and the runtime environment potentially getting out of sync. IaC should always remain the source of truth for your environment so that you can confidently deploy from IaC without fear of losing important runtime changes.

Terraform simplifies this process by keeping a record of all the resources provisioned and the state of their configuration in the state file. Any time a Terraform plan is executed, changes are detected between the state at runtime and the desired state so Terraform can generate incremental execution plans to be applied. Because drift can create new resources that Terraform is not aware of, it’s also important to audit for new resources. These can be brought into the Terraform state file by using the import command. When using this command, always be sure to update the Terraform HCL to include the new resource and configuration. 

Tools such as Accurics can help you automatically identify drift and update the HCL, while also determining whether the change is compliant with your established policies. If the drift violates your policies or increases risk, you can redeploy from IaC to revert to the secure original state. If it enhances your security posture, it can update the HCL to reflect the new runtime configuration. 

Terraform Security Habit 5: Facilitating Workflow

Terraform modules are designed to facilitate sharing and best use practices, which reduce opportunity for misconfigurations. These modules codify security or operational requirements that must be met when provisioning resources in your environment, and can also be enforced through provisioning mechanisms so that only approved modules are used.

Security issues in Terraform HCL files should be identified through automated static code analysis using tools such as Terrascan or Accurics. These tools can identify hundreds of risks, misconfigurations, and violations of best practices. Run them as part of your workflow by adding a job to your CI/CD pipeline which scans HCL files; the job will fail if security issues are detected. Pairing this identification with Remediation as Code (RaC) delivers programmatic fixes in the form of pull requests, which allows developers to easily review and merge fixes into the codebase.

Terraform Security Habit 6: Identifying Threats

Threat modeling identifies potential threats to systems and prioritizes the security actions that need to be taken. A critical tenet of threat modeling is identifying an architecture’s resources, their configuration, and the relationships between these resources, to understand trust boundaries and identify potential breach paths. IaC can be examined to identify resource, network and identity relationships between components. Terraform, in turn, leverages this information to construct a dependency graph which is part of its infrastructure provisioning planning process. This same information can be used by security tools such as Accurics to help you secure your environments.

Terraform is the leader in the IaC marketspace and offers a solution that transcends manual processes to help DevOps increase efficiency, manage complex environments at scale, and protect against drift. Accurics extends these benefits by helping Terraform users resolve security issues before and after cloud infrastructure is provisioned, and manage drift, with automated guardrails that detect and fix security risks and propagate runtime configuration changes back to the IaC. Leveraging Accurics allows Terraform users to automatically manage security and drift throughout the software lifecycle, enabling a self-healing infrastructure.

To learn more about safely using Terraform in DevOps environments, you can read our whitepaper.

Coming Soon: Code to Cloud Security Summit

Accurics at KubeCon + CloudNativeCon North America 2021

Accurics at DevOps World 2021 by CloudBees

We use cookies to ensure you get the best experience on our website. By continuing to browse this site, you acknowledge the use of cookies.