Terraform Security: Improving IaC Scans with Terraform Plan Output
Terraform security is not really about securing Terraform. Terraform is an Infrastructure as Code (IaC) tool, and Terraform security refers to securing the infrastructure that is built using Terraform. By leveraging tools that understand Terraform files and workflows, teams can effectively implement security controls earlier in the development process. Specifically, they can leverage Policy as Code tools like Terrascan which enforce security best practices in Terraform projects.
As you might guess from its name, Terrascan was initially created for scanning Terraform files to detect vulnerabilities and violations in users’ IaC and improve their overall security posture. Like any static code analysis tool, it scans a static representation – in this case, the .tf.json files – and tries to determine how it will behave when deployed. It is very valuable to be able to identify problems so early, but source files do not always include all the information necessary to perform a complete analysis.
Like a programming language, Terraform has concepts of variables and expressions which allow users to leverage dynamically computed values within a configuration. Those expressions might contain references to other values, function calls, conditional expressions, dynamic blocks and much more. They might also refer to conditions which will not be known until there is a connection to the environment within which the infrastructure will be created. During static analysis, resolving these expressions is computationally intensive, but more importantly it is not always possible to resolve all of the expressions until the necessary information is available.
In the Terraform workflow, Terraform doesn’t connect to the runtime environment until the terraform plan phase. Before that step, expressions that depend on runtime conditions will not be known and cannot be analyzed. After terraform plan, that information is known and can be used to improve the analysis. That information is typically held in memory when Terraform is run, but can be saved to a file for use by analysis tools and later phases such as
Improve Terraform Security with a Terraform Plan JSON File
The terraform plan command describes what will change in the cloud infrastructure. The Terraform plan can be saved into a binary planfile using the -out option, which can then later be used with terraform apply. This binary file is not useful from an analysis perspective because it uses a proprietary format. However, the command terraform show -json <planfile> will convert it into a JSON format which is useful for analysis.
$ terraform init
$ terraform plan -out tfplan.out
$ terraform show -json tfplan.out > tfplan.json
In this article, we will refer to these Terraform plan JSON files as tfplan.json.
Scanning Terraform Plan Files Using Terrascan
With the release of Terrascan 1.4.0, Terrascan has the ability to scan these Terraform plan JSON files to improve its findings.
A new IaC type tfplan has been added to support scanning of tfplan.json files. It is expected that the tfplan.json has already been created; Terrascan itself will not create it.
It is worth noting that the tfplan.json file encapsulates the entire infrastructure to be created, so it is not necessary to scan both the .tf files and the tfplan.json; simply scanning the tfplan.json is sufficient.
Unfortunately, while the tfplan.json file encapsulates the entire infrastructure, it does not contain the file and line information of every resource. As a result, when Terrascan analyzes a tfplan.json file it will report problems without file and line information. We recognize the importance of this information when fixing problems, so we are exploring ways to include the line and file information during tfplan.json scans. In the meantime, scanning the regular Terraform source files with -i terraform will provide file and line number information.
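To make concrete why plan output improves a scan, and what the missing file/line data means for findings, here is an added example (not Terrascan code and not from this article's project). It reads a small, constructed tfplan.json document in the shape that terraform show -json produces, flags S3 buckets whose resolved ACL is public, walks nested modules, and lists attributes that remain unknown even after planning. The resource names, bucket names, module name and the rule id are all illustrative assumptions.

```python
import json
from typing import Dict, Iterator, List

# Constructed sample of the JSON that `terraform show -json tfplan.out` emits,
# trimmed to the fields this check reads. Not taken from any real project:
# the resource addresses, bucket names and module are illustrative.
SAMPLE_TFPLAN_JSON = """
{
  "format_version": "0.1",
  "terraform_version": "0.14.0",
  "planned_values": {
    "root_module": {
      "resources": [
        {"address": "aws_s3_bucket.logs", "mode": "managed", "type": "aws_s3_bucket",
         "values": {"bucket": "example-logs", "acl": "public-read"}},
        {"address": "aws_s3_bucket.data", "mode": "managed", "type": "aws_s3_bucket",
         "values": {"bucket": "example-data", "acl": "private"}}
      ],
      "child_modules": [
        {"address": "module.assets",
         "resources": [
           {"address": "module.assets.aws_s3_bucket.site", "mode": "managed",
            "type": "aws_s3_bucket",
            "values": {"bucket": "example-site", "acl": "public-read-write"}}
         ]}
      ]
    }
  },
  "resource_changes": [
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "before": null,
                "after": {"bucket": "example-logs", "acl": "public-read"},
                "after_unknown": {"arn": true, "id": true}}}
  ]
}
"""

# Canned ACLs that grant access beyond the bucket owner (illustrative rule scope).
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}


def load_plan(text: str) -> dict:
    """Parse a plan JSON document and reject anything that is not a plan."""
    plan = json.loads(text)
    if "planned_values" not in plan:
        raise ValueError("not a Terraform plan JSON: missing planned_values")
    return plan


def iter_resources(module: dict) -> Iterator[dict]:
    """Walk planned_values, descending into nested modules (child_modules)."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def check_public_s3_acl(plan: dict) -> List[Dict[str, str]]:
    """Flag S3 buckets whose *resolved* ACL grants public access.

    In .tf source the ACL may be a variable or a conditional, so the value
    is only reliable once `terraform plan` has resolved it. Plan JSON carries
    no file/line data, so a finding identifies the resource by address only.
    """
    findings = []
    for res in iter_resources(plan["planned_values"]["root_module"]):
        if res.get("type") != "aws_s3_bucket":
            continue
        acl = res.get("values", {}).get("acl")
        if acl in PUBLIC_ACLS:
            findings.append({
                "address": res["address"],
                "rule": "s3-bucket-public-acl",  # hypothetical rule id
                "message": f"acl={acl!r} allows public access",
            })
    return findings


def unknown_after_plan(plan: dict) -> Dict[str, List[str]]:
    """Attributes Terraform still cannot compute before apply.

    `after_unknown` marks values (e.g. provider-assigned ids) that stay
    unknown even in the plan; a policy that depends on them cannot be
    evaluated before apply. Only top-level boolean markers are collected.
    """
    result = {}
    for change in plan.get("resource_changes", []):
        unknown = change.get("change", {}).get("after_unknown", {})
        names = sorted(k for k, v in unknown.items() if v is True)
        if names:
            result[change["address"]] = names
    return result


if __name__ == "__main__":
    plan = load_plan(SAMPLE_TFPLAN_JSON)
    for f in check_public_s3_acl(plan):
        print(f"[{f['rule']}] {f['address']}: {f['message']}")
    for addr, attrs in unknown_after_plan(plan).items():
        print(f"{addr}: still unknown after plan: {', '.join(attrs)}")
```

Run against a real file with the plan produced as shown earlier (terraform show -json tfplan.out > tfplan.json) by passing its contents to load_plan. Note that the check evaluates values only, never source positions: the address is the most precise locator a plan-only scan can give, which is exactly the limitation the paragraph above describes.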
Use with Terragrunt and other tools
The tfplan.json file is common to other tools built on Terraform, such as Terragrunt. Simply use the tool as usual through the plan phase, then use the same Terraform commands to create the tfplan.json output from the plan file. This tfplan.json can then be used with the terrascan scan -t tfplan command.