Terraform is increasingly used to automate deployment of mission critical, production systems. Security is a prime concern, because any compromise of a Terraform template, or a system deployed automatically by Terraform, may result in a compromise of multiple other deployments. At the same time, using infrastructure as code (IaC) tools like Terraform can actually improve your security posture, by standardizing security best practices and controls.
In this article I’ll introduce Terraform, explain its security benefits, and provide a few important guidelines for securing Terraform development and deployments.
What Is Terraform?
HashiCorp Terraform is an infrastructure-as-code (IaC) tool that DevOps engineers can use to provision the resources needed to run applications. IaC involves programmatically managing the IT infrastructure of an application, so operations teams don’t have to configure each resource manually.
Terraform utilizes the HashiCorp Configuration Language (HCL), which is similar to JSON and enables the easy provision of infrastructure across multiple local or cloud data centers. It is open source, so developers can add new plugins or tweak existing ones.
Terraform users can use version control and configuration files to define their entire infrastructure. The user gives a command to deploy and run a database, server or load balancer and Terraform sends an API call to the resource provider.
What Is Terraform Cloud?
The Terraform Cloud application helps connect teams using Terraform, providing a consistent environment and providing easy access to shared data and access controls. It is available as a hosted service with free sign-up for small teams of up to five users. Larger teams can use paid tiers.
Large organizations can use the Business tier to scale up, build infrastructure in a private environment, manage access and automate infrastructure provisioning. Terraform Enterprise is an advanced, customer-hosted distribution for organizations with extensive compliance and security requirements.
How Can Terraform Improve Your Security Posture?
Sentinel Policy as Code
Sentinel is a policy-as-code framework integrated with HashiCorp's enterprise products. You can use Sentinel to define and enforce security policies for your infrastructure while running Terraform. Unlike standard tools that look for policy violations by scanning existing infrastructure, Sentinel evaluates the plan before it is applied and can proactively ensure that infrastructure is configured according to your policies.
You can write policies as code for a variety of objectives, ranging from restricting the deployment of oversized clouds to preventing improper tagging of infrastructure.
Another feature that helps ensure your infrastructure adheres to best practices is the Terraform module registry. You can find modules (packages of infrastructure as code) in the public Terraform registry or in private registries produced by organizations that use Terraform Enterprise. A simple module might contain a single compute instance while more complex modules might contain as many as the creator desires.
For organizations that utilize private registries, infrastructure specialists can create standardized modules of best practices for infrastructure components and provide self-service to developers. This allows developers to build the infrastructure required to run their applications, using custom modules. Development can be accelerated without affecting the quality of the infrastructure.
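As an added example (not code from this article, from HashiCorp or from any registry), here is what such a standardized module might look like: a private-registry module for a compute instance whose input validation rejects oversized instance types and missing tags, the two policy objectives mentioned above, so a developer who consumes it through self-service inherits the guardrails automatically. The organization name `example-org`, the module name, the approved instance sizes and the required tag keys are assumptions. Sentinel would enforce the same rules across every workspace at plan time; the validation here is the module's own first line of defence.

```hcl
# --- modules/hardened-instance/variables.tf (added example; names are assumptions) ---

variable "instance_type" {
  description = "EC2 instance type. Only small, approved sizes are accepted."
  type        = string
  default     = "t3.micro"

  validation {
    # Reject oversized instances at plan time, before anything is provisioned.
    condition     = contains(["t3.micro", "t3.small", "t3.medium"], var.instance_type)
    error_message = "instance_type must be one of t3.micro, t3.small or t3.medium."
  }
}

variable "tags" {
  description = "Resource tags. Owner, CostCenter and Environment are mandatory."
  type        = map(string)

  validation {
    # Every required key must be present and non-empty.
    condition = alltrue([
      for k in ["Owner", "CostCenter", "Environment"] :
      length(trimspace(lookup(var.tags, k, ""))) > 0
    ])
    error_message = "tags must include non-empty Owner, CostCenter and Environment keys."
  }
}

variable "ami_id" {
  description = "AMI to launch; in practice pinned to an organization-approved, hardened image."
  type        = string
}

variable "subnet_id" {
  type = string
}

# --- modules/hardened-instance/main.tf ---

resource "aws_instance" "this" {
  ami           = var.ami_id
  instance_type = var.instance_type
  subnet_id     = var.subnet_id

  # Secure defaults baked into the module so every caller inherits them.
  monitoring = true # detailed (1-minute) CloudWatch metrics

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }

  root_block_device {
    encrypted = true
  }

  tags = var.tags
}

output "instance_id" {
  value = aws_instance.this.id
}

# --- root module: a developer consumes the module from the private registry ---

module "web" {
  # Private registry source format: app.terraform.io/<org>/<module>/<provider>
  source  = "app.terraform.io/example-org/hardened-instance/aws"
  version = "~> 1.0"

  ami_id        = "ami-0123456789abcdef0"    # placeholder
  subnet_id     = "subnet-0123456789abcdef0" # placeholder
  instance_type = "t3.small"

  tags = {
    Owner       = "payments-team"
    CostCenter  = "CC-1234"
    Environment = "prod"
  }
}
```

If the developer passes `instance_type = "m5.24xlarge"` or omits the `Owner` tag, `terraform plan` fails with the module's error message and nothing is created; the module author, not each consumer, decides what "compliant" means.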
Vault Encryption and Dynamic Secrets
Policy as code and best-practice modules govern the infrastructure that Terraform provisions, so it is critical that any sensitive credentials you use to build that infrastructure are properly secured. You can mark variables as sensitive in Terraform, and Vault encrypts the values. This makes the variables write-only, so they cannot be read by an unauthorized actor.
Vault can also be used to create dynamic credentials. Running Terraform with static cloud credentials that remain valid for a long time is risky: the longer credentials stay valid, the more likely they are to be exposed. You can use the Terraform Vault provider to generate short-term credentials for each Terraform run; these credentials automatically expire after execution.
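The following root module is an added example, not code from the article or from HashiCorp. It shows both ideas together: Vault's AWS secrets engine mints short-lived STS credentials for the AWS provider at the start of the run, so no long-lived cloud key is stored anywhere, and the database password is a `sensitive` input that Terraform redacts from plan and apply output. The Vault address, the secrets-engine mount path `aws` and the Vault role `terraform-deployer` are assumptions.

```hcl
# Added example: a root module that never holds long-lived cloud credentials.

terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
    aws   = { source = "hashicorp/aws" }
  }
}

provider "vault" {
  # Authenticates with VAULT_TOKEN (or another configured auth method) taken from
  # the environment of the Terraform run, so no Vault token lives in this file.
  address = "https://vault.example.internal:8200" # assumption
}

# Ask Vault for STS credentials scoped to the deployer role; they expire on their own.
data "vault_aws_access_credentials" "creds" {
  backend = "aws"                # mount path of the AWS secrets engine (assumption)
  role    = "terraform-deployer" # Vault role mapped to an IAM policy (assumption)
  type    = "sts"
  ttl     = "15m"                # long enough for one run, no longer
}

provider "aws" {
  region     = "eu-west-1"
  access_key = data.vault_aws_access_credentials.creds.access_key
  secret_key = data.vault_aws_access_credentials.creds.secret_key
  token      = data.vault_aws_access_credentials.creds.security_token
}

# A sensitive input: Terraform redacts it from plan/apply output, and Terraform
# Cloud stores such workspace variables encrypted and write-only.
variable "db_master_password" {
  type      = string
  sensitive = true
}

resource "aws_db_instance" "app" {
  identifier        = "app-db"
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  username          = "app_admin"
  password          = var.db_master_password # never echoed in the plan
  storage_encrypted = true
}

# Any output derived from a sensitive value must itself be marked sensitive,
# otherwise Terraform refuses to apply. The endpoint is not derived from it.
output "db_endpoint" {
  value = aws_db_instance.app.endpoint
}
```

Because the AWS credentials are produced by a data source, every `terraform plan` or `apply` obtains a fresh set and the previous set is useless to anyone who captured it after the TTL elapses; the state file still contains the database password, so the state backend must be protected with the same care as the variable.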
Securing Terraform with Security Tools
Terraform security is still in its infancy, but several tools are already available that can help you secure Terraform projects, templates and infrastructure.
Terraform is based on HCL templates, which developers commonly write in their integrated development environment (IDE). Any coding error, bug, or non-secure coding practice used while building templates and related code can result in security vulnerabilities for entire systems deployed from those templates.
In the application development space, Static Application Security Testing (SAST) tools are commonly used to analyze source code and discover security flaws. Another category of tools is Software Composition Analysis (SCA), which can help discover outdated or vulnerable open source components within software libraries. This concept of open source vulnerability scanning can be extended to infrastructure, and SAST can be effectively used to find flaws and security issues in Terraform templates and related source code.
By integrating SAST and SCA into the IDE, Terraform developers can get immediate feedback about security issues in their code or the libraries they are working with. This makes it possible to “shift security left” and address security issues early in the development process, when a fix might take seconds, rather than hours or days.
tfsec is an open-source security scanner for Terraform templates. It uses static code analysis methods, and is fully integrated with the Terraform HCL parser. tfsec can run on developer workstations and can also be integrated with the CI pipeline, to discover security issues in code during the build process.
The term Extended Detection and Response (XDR) refers to a new type of security platform that integrates multiple security tools into one platform, which can be used to detect and respond to incidents across the entire IT environment. This is in contrast to previous-generation security technologies which were focused on only one “silo”, such as endpoints, networks, or cloud systems.
IaC technologies like Terraform introduce new security challenges for organizations, because they impact multiple layers of the IT environment. Terraform templates can set up networks, compute resources, storage resources, as well as entire applications. Because entire environments can be created and shut down in minutes, it is difficult to test and monitor them with traditional security tools.
XDR on its own cannot solve this problem. A first requirement is that Terraform-created infrastructure should be instrumented with monitoring and security tools. For example, a three-tier application automatically deployed by Terraform should include not only the application server, database, and storage, but also monitoring and endpoint security agents.
Once security tooling is integrated into Terraform templates, the resulting deployments can be connected to XDR, enabling detection of security incidents across clouds and data centers, both for Terraform-created infrastructure and for other systems. XDR can then give incident responders immediate access to forensic data from Terraform infrastructure, let them triage and identify incidents, and respond by accessing security controls within the Terraform deployment.
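As an added example (not from the article), the compute tier of a Terraform-deployed application with telemetry built into the template: the instance installs the CloudWatch agent and an endpoint security agent during bootstrap, ships its system and auth logs to a log group with a retention period, and carries a tag the XDR side can use to verify coverage. The log-group name, the endpoint-agent package path, the instance profile and the Amazon Linux package manager are assumptions, and the bootstrap script is constructed for the example.

```hcl
# Added example: instrumenting Terraform-created infrastructure from first boot.

variable "environment" { type = string }
variable "ami_id" { type = string }
variable "subnet_id" { type = string }
variable "instance_profile" {
  description = "IAM instance profile allowed to write CloudWatch logs/metrics (assumed to exist)."
  type        = string
}

# Central log destination with retention: forensic data outlives the instance,
# which may be torn down minutes after an incident.
resource "aws_cloudwatch_log_group" "web" {
  name              = "/app/${var.environment}/web"
  retention_in_days = 90
}

# Bootstrap script (constructed): installs the CloudWatch agent and an endpoint
# security agent before the application starts. The EDR package path is a placeholder.
locals {
  bootstrap = <<-EOT
    #!/bin/bash
    set -euo pipefail
    dnf install -y amazon-cloudwatch-agent
    cat > /opt/aws/amazon-cloudwatch-agent/etc/config.json <<'CFG'
    {"logs":{"logs_collected":{"files":{"collect_list":[
      {"file_path":"/var/log/messages","log_group_name":"${aws_cloudwatch_log_group.web.name}"},
      {"file_path":"/var/log/secure","log_group_name":"${aws_cloudwatch_log_group.web.name}"}
    ]}}}}
    CFG
    /opt/aws/amazon-cloudwatch-agent/bin/amazon-cloudwatch-agent-ctl -a fetch-config -m ec2 \
      -c file:/opt/aws/amazon-cloudwatch-agent/etc/config.json -s
    # Endpoint/EDR agent from your XDR vendor: placeholder path, fails the boot if missing.
    dnf install -y /opt/bootstrap/edr-agent.rpm
  EOT
}

resource "aws_instance" "web" {
  ami                  = var.ami_id
  instance_type        = "t3.small"
  subnet_id            = var.subnet_id
  iam_instance_profile = var.instance_profile
  monitoring           = true # 1-minute CloudWatch metrics

  user_data                   = local.bootstrap
  user_data_replace_on_change = true # a changed agent config re-provisions instead of drifting

  metadata_options {
    http_tokens = "required" # IMDSv2 only
  }

  tags = {
    Name        = "web-${var.environment}"
    Environment = var.environment
    Monitored   = "true" # lets the XDR side audit coverage by tag
  }
}
```

The point is that monitoring is part of the definition of the system, not a step someone remembers afterwards: an instance that fails to install its agents fails its bootstrap, and an environment that is recreated from the template is instrumented the same way every time.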
Best Practices for Using Terraform Cloud Securely
Enforce Effective Authentication
Terraform Cloud supports the use of one-time passwords and SMS for two-factor authentication. You can configure the required authentication for each user in the organization settings. Business-level organizations can choose to configure single sign-on (SSO) for their organization.
Minimize the Number of Owners
Users with Owner privileges can access all workspaces in an organization. Even when SSO is enabled, the users in the Owners team can still authenticate using their username and password. This team should only include a small number of managers, with membership reviewed regularly.
Implement the Principle of Least Privilege
You can group users into teams, which are assigned privileges that are extended to their members. Consider applying a least privilege approach when you create teams and assign permissions. This will ensure all users in your organization have only the privileges they need.
Secure API Tokens
Terraform Cloud supports the creation of API tokens for users, teams and organizations. These tokens must be stored safely, with periodic rotation. Vault users can utilize the Terraform Cloud Secret backend to create temporary tokens.
Control Source Code Access
By default, Terraform Cloud workspaces trigger plan operations automatically on pull requests and commits to a connected VCS repository. Terraform Cloud does not provide protection against malware in connected repositories, so it is critical that you grant repository access only to trusted operators. You can configure a workspace to enable or disable automatic plan runs for pull requests to the linked repository; this setting must be disabled if untrusted users are allowed to open pull requests in the connected VCS repository.
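The practices above (least-privilege teams, protected API tokens, sensitive variables and no automatic plans on pull requests) can be managed as code with HashiCorp's `tfe` provider. The configuration below is an added example, not from the article or from HashiCorp's documentation; the organization name `example-org`, the team and workspace names, the repository identifier and the OAuth token id are assumptions or placeholders.

```hcl
# Added example: codifying Terraform Cloud access controls with the tfe provider.

terraform {
  required_providers {
    tfe = { source = "hashicorp/tfe" }
  }
}

# The provider reads TFE_TOKEN from the environment; no token is stored in code.
provider "tfe" {}

variable "organization" { default = "example-org" } # assumption

variable "db_master_password" {
  type      = string
  sensitive = true
}

# Least privilege: application developers get no organization-level management rights.
resource "tfe_team" "app_devs" {
  name         = "app-developers"
  organization = var.organization
  visibility   = "secret"

  organization_access {
    manage_policies         = false
    manage_policy_overrides = false
    manage_workspaces       = false
    manage_vcs_settings     = false
  }
}

resource "tfe_workspace" "payments_prod" {
  name         = "payments-prod"
  organization = var.organization
  auto_apply   = false # a human approves every production apply

  # Control source code access: no speculative plans on pull requests, because
  # anyone able to open a PR could otherwise run code in the plan environment.
  speculative_enabled = false

  vcs_repo {
    identifier     = "example-org/payments-infra" # assumption
    oauth_token_id = "ot-REPLACE_ME"              # placeholder, not a real id
  }
}

# Developers may plan but not apply in production. Ownership stays with the
# small Owners team, which is managed outside this file.
resource "tfe_team_access" "app_devs_plan" {
  access       = "plan"
  team_id      = tfe_team.app_devs.id
  workspace_id = tfe_workspace.payments_prod.id
}

# Secrets reach the workspace as sensitive (write-only) variables.
resource "tfe_variable" "db_password" {
  key          = "TF_VAR_db_master_password"
  value        = var.db_master_password
  category     = "env"
  sensitive    = true
  workspace_id = tfe_workspace.payments_prod.id
}

# Team API token for CI. Rotate it with
#   terraform apply -replace=tfe_team_token.ci
# force_regenerate ensures a fresh token is issued even if one already exists.
resource "tfe_team_token" "ci" {
  team_id          = tfe_team.app_devs.id
  force_regenerate = true
}

output "ci_token" {
  value     = tfe_team_token.ci.token
  sensitive = true
}
```

Keeping these settings in Terraform means a change to who can apply in production, or a re-enabling of pull-request plans, shows up as a reviewable diff rather than a click in the UI that nobody notices.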
Protect Archivist URLs
Terraform Cloud stores a variety of customer data using Archivist, a blob storage service. Various Terraform Cloud APIs, including the state version API, return Archivist URLs (based on https://archivist.terraform.io). Unlike other Terraform Cloud APIs, the Archivist API does not require a bearer token with each request: the Archivist URL itself contains a signed, short-lived token used to check authorization. Therefore, you should treat Archivist URLs as you do secrets and refrain from logging or sharing them.
In this article I explained three aspects of Terraform security:
- Terraform can improve your security posture - by applying security policies as code, maintaining a registry of trusted modules, and using Vault to encrypt secrets and issue short-lived credentials so they stay out of attackers' hands.
- Using security tools to secure Terraform - you can use SAST and Software Composition Analysis (SCA) tools such as tfsec, together with Extended Detection and Response (XDR), to continuously scan and monitor Terraform environments and discover vulnerabilities and threats.
- Ensuring Terraform is secure through best practices - including effective authentication, minimizing the number of owners, the principle of least privilege, and securing API tokens.
I hope this will be of help as you leverage the power of Terraform while enhancing the security of your IT environment.