Terrascan | Mar 18, 2021

Terraform Security: Improving IaC Scans with Terraform Plan Output


Terraform security is not really about securing Terraform.  Terraform is an Infrastructure as Code (IaC) tool, and Terraform security refers to securing the infrastructure that is built using Terraform.  By leveraging tools that understand Terraform files and workflows, teams can effectively implement security controls earlier in the development process.  Specifically, they can leverage Policy as Code tools like Terrascan which enforce security best practices in Terraform projects.

As you might guess from its name, Terrascan was initially created for scanning Terraform files to detect vulnerabilities and violations in users' IaC and improve their overall security posture. Like any static code analysis tool, it scans a static representation – in this case, the .tf and .tf.json files – and tries to determine how the configuration will behave when deployed. Being able to identify problems this early is very valuable, but the source files do not always include all the information necessary to perform a complete analysis.

Like a programming language, Terraform has variables and expressions which allow users to leverage dynamically computed values within a configuration. Those expressions might contain references to other values, function calls, conditional expressions, dynamic blocks and much more. They might also depend on conditions which will not be known until there is a connection to the environment in which the infrastructure will be created. During static analysis, resolving these expressions is computationally intensive, but more importantly it is not always possible to resolve all of them until the necessary information is available.

In the Terraform workflow, Terraform doesn’t connect to the runtime environment until the terraform plan phase.  Before that step, expressions that depend on runtime conditions will not be known and cannot be analyzed.  After terraform plan, that information is known and can be used to improve the analysis.  That information is typically held in memory when Terraform is run, but can be saved to a file for use by analysis tools and later phases such as terraform apply.

Improve Terraform Security with a Terraform Plan JSON File

The terraform plan command describes what will change in the cloud infrastructure. The Terraform plan can be saved into a binary planfile using the -out option which can then later be used with terraform apply. This binary file is not useful from an analysis perspective because it uses a proprietary format. However, the command terraform show -json <planfile> will convert it into a JSON format which is useful for analysis.

$ terraform init
$ terraform plan -out tfplan.out
$ terraform show -json tfplan.out > tfplan.json 

In this article, we will refer to these Terraform plan JSON files as tfplan.json.

Scanning Terraform Plan Files Using Terrascan

With the release of Terrascan 1.4.0, Terrascan has the ability to scan these Terraform plan JSON files to improve its findings. 

A new IaC type, tfplan, has been added to support scanning of tfplan.json files. Terrascan expects the tfplan.json file to already exist; it will not create the file itself.

[Figure: sample Terrascan output from a tfplan.json scan]

It is worth noting that the tfplan.json file encapsulates the entire infrastructure to be created, so it is not necessary to scan both the .tf files and the tfplan.json; simply scanning the tfplan.json is sufficient.

Unfortunately, while the tfplan.json file encapsulates the entire infrastructure, it does not contain the file and line information for every resource.  As a result, when Terrascan analyzes a tfplan.json file it will report problems without file and line information. We recognize the importance of this information when fixing problems, so we are exploring ways to include the line and file information during tfplan.json scans. In the meantime, scanning the regular Terraform source files with -i terraform will provide file and line number information.
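To make concrete what a plan-based scan sees, and why it can report things a .tf scan cannot, here is an added Python example. It is not Terrascan's code and not part of the original post; it walks a small, constructed tfplan.json and evaluates two made-up policies against the resolved values. The plan keys it reads (planned_values, root_module, child_modules, resource_changes, change.after_unknown) are part of Terraform's JSON plan format; the resource names, module name, rule identifiers S3_PUBLIC_ACL and SG_OPEN_INGRESS, and the check logic are assumptions for illustration. It also shows the two points made above: values that Terraform could only resolve at plan time (for example from a variable) appear already substituted, attributes that remain unknown until apply are reported as such rather than silently passing, and findings carry only a resource address, not a file and line.

```python
import json
from dataclasses import dataclass
from typing import Iterator, Optional

# Constructed sample of `terraform show -json tfplan.out` output (plan format 0.1), trimmed to
# the keys this scan reads. Attributes Terraform cannot resolve before apply are absent from
# planned_values and flagged true under resource_changes[].change.after_unknown.
SAMPLE_TFPLAN_JSON = r'''{
  "format_version": "0.1", "terraform_version": "0.14.7",
  "variables": {"bucket_acl": {"value": "public-read"}, "admin_cidr": {"value": "0.0.0.0/0"}},
  "planned_values": {"root_module": {
    "resources": [
      {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket", "name": "logs",
       "values": {"bucket": "example-logs", "acl": "public-read"}},
      {"address": "aws_s3_bucket.data", "mode": "managed", "type": "aws_s3_bucket", "name": "data",
       "values": {"bucket": "example-data"}}
    ],
    "child_modules": [{"address": "module.net", "resources": [
      {"address": "module.net.aws_security_group.admin", "mode": "managed",
       "type": "aws_security_group", "name": "admin",
       "values": {"name": "admin", "ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}
    ]}]
  }},
  "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after_unknown": {"arn": true, "id": true}}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after_unknown": {"acl": true, "arn": true, "id": true}}},
    {"address": "module.net.aws_security_group.admin", "module_address": "module.net",
     "type": "aws_security_group",
     "change": {"actions": ["create"], "after_unknown": {"arn": true, "id": true}}}
  ]
}'''

@dataclass(frozen=True)
class Finding:
    rule: str
    address: str   # resource address only: the plan JSON carries no source file or line
    status: str    # "fail": violation on a resolved value; "unknown": undecidable before apply
    detail: str

def load_plan(text: str) -> dict:
    plan = json.loads(text)
    if "planned_values" not in plan or "resource_changes" not in plan:
        raise ValueError("not a `terraform show -json` plan: planned_values/resource_changes missing")
    return plan

def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every planned resource of a module, then recurse into its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def unknown_attributes(plan: dict) -> dict:
    """Map resource address -> top-level attributes Terraform marked as unknown at plan time."""
    return {rc["address"]: {k for k, v in rc["change"].get("after_unknown", {}).items() if v is True}
            for rc in plan["resource_changes"]}

def check_s3_public_acl(values: dict) -> Optional[str]:
    # Hypothetical rule: flag canned ACLs that grant access beyond the owning account.
    acl = values.get("acl", "private")
    if acl in ("public-read", "public-read-write", "authenticated-read"):
        return f"bucket ACL is {acl!r}"
    return None

def check_sg_open_ingress(values: dict) -> Optional[str]:
    # Hypothetical rule: flag any ingress rule reachable from every address.
    anywhere = {"0.0.0.0/0", "::/0"}
    for rule in values.get("ingress") or []:
        cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
        if cidrs & anywhere:
            return (f"ingress {rule.get('from_port')}-{rule.get('to_port')}/{rule.get('protocol')} "
                    f"open to {sorted(cidrs & anywhere)}")
    return None

# (rule id, attribute the rule decides on, check) per resource type; the ids are invented here.
RULES = {
    "aws_s3_bucket": [("S3_PUBLIC_ACL", "acl", check_s3_public_acl)],
    "aws_security_group": [("SG_OPEN_INGRESS", "ingress", check_sg_open_ingress)],
}

def scan_plan(plan: dict) -> list:
    """Evaluate RULES on resolved values; report attributes unknown until apply instead of passing them."""
    unknown = unknown_attributes(plan)
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("mode") != "managed":   # skip data sources
            continue
        for rule_id, attr, check in RULES.get(res["type"], []):
            if attr in unknown.get(res["address"], set()):
                findings.append(Finding(rule_id, res["address"], "unknown", f"{attr} is not known until apply"))
            elif (detail := check(res.get("values", {}))) is not None:
                findings.append(Finding(rule_id, res["address"], "fail", detail))
    return findings

if __name__ == "__main__":
    for f in scan_plan(load_plan(SAMPLE_TFPLAN_JSON)):
        print(f"{f.status.upper():8}{f.rule:17}{f.address}: {f.detail}")
```

Run it on a real plan by replacing SAMPLE_TFPLAN_JSON with the contents of a tfplan.json produced as shown above. The "unknown" status is the case worth keeping: a check that reads only planned_values would see no acl on aws_s3_bucket.data and treat it as the default, whereas after_unknown tells the scanner the value is genuinely undecided until apply. Because the findings are keyed by address only, mapping them back to a line still requires a scan of the .tf sources with -i terraform, exactly the limitation described above.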

Use with Terragrunt and other tools

The tfplan.json file is common to other tools built on Terraform, such as Terragrunt.  Simply use the tool as usual through the plan phase, then use the same Terraform commands shown above to create the tfplan.json output from the plan file. This tfplan.json can then be scanned with the terrascan scan -i tfplan command.

Getting Started

To learn how to start improving your Terraform infrastructure, check out our Quickstart guide.  Hit us up in GitHub or our forums if you have any questions or suggestions.  Welcome to the Terrascan community!

