Skip to content

Latest commit

 

History

History
202 lines (137 loc) · 3.43 KB

14.IaC_Code_Analysis__Terraform.md

File metadata and controls

202 lines (137 loc) · 3.43 KB

IaC Code Analysis - Terraform

Terraform Common Security Pitfalls

Excessively Permissive Network Rules

resource "google_compute_firewall" "bad_fw" {
  name    = "open-ssh"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"] # Unrestricted SSH access
}

Lack of Encryption for Data at Rest and in Transit

resource "azurerm_storage_account" "bad_storage" {
  name                     = "unsecurestorage"
  resource_group_name      = "example-resources"
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  enable_https_traffic_only = false # Allows HTTP traffic
}

Overly Permissive IAM Roles and Policies

resource "google_project_iam_policy" "bad_iam" {
  project = "my-gcp-project"
  policy_data = <<EOT
{
  "bindings": [
    {
      "role": "roles/editor",
      "members": ["allUsers"]
    }
  ]
}
EOT
}

Publicly Accessible Cloud Resources

resource "azurerm_postgresql_server" "bad_db" {
  name                = "bad-postgresql"
  location            = "eastus"
  resource_group_name = "example-resources"
  administrator_login = "adminuser"
  administrator_login_password = "SuperSecret123"
  public_network_access_enabled = true # Should be false
}

Lack of Logging and Monitoring

resource "google_logging_project_sink" "bad_logging" {
  name        = "unmonitored-logs"
  destination = "storage.googleapis.com/my-unsecure-bucket"
  filter      = "logName:\"projects/my-project/logs/compute.googleapis.com%2Factivity_log\""
  unique_writer_identity = false # Logs could be accessible
}

Hardcoded Secrets in Terraform Configurations

variable "db_password" {
  default = "SuperSecret123" # Hardcoded password (bad practice)
}

Terraform Security with Checkov

pip install checkov==3.2.382

Terraform File Scanning

cd $HOME/RestQR/deploy/terraform
checkov -d .
# or
# checkov -d . -o json
checkov -d . --download-external-modules true
cat <<EOF > /tmp/main.tf
terraform {
  required_providers {
    digitalocean = {
      source  = "digitalocean/digitalocean"
      version = "~> 2.0"
    }
  }
}

provider "digitalocean" {
  token = "hardcoded-insecure-token" # Hardcoded secret (Bad Practice)
}

// truncated
EOF
checkov -f /tmp/main.tf
Check: CKV_SECRET_6: "Base64 High Entropy String"
	FAILED for resource: 2f131e33893e2a52154029dbc0ab0343d2df7e7f
	File: /../../../tmp/main.tf:11-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/secrets-policies/secrets-policy-index/git-secrets-6

		11 |   token = "hardco**********" # Hardcoded secret (Bad Practice)

Terraform Plan Scanning

cd $HOME/RestQR/deploy/terraform
terraform init
terraform plan --out=tfplan.binary
terraform show -json tfplan.binary | \
    jq > tfplan.json
checkov -f tfplan.json
# or
# checkov -f tfplan.json -o json

Enhancing Terraform Plan Scanning with Additional Features

cd $HOME/RestQR/deploy/terraform

# More accurate scan with enriched data
checkov -f tfplan.json \
  --repo-root-for-plan-enrichment .
cd $HOME/RestQR/deploy/terraform

# Deep analysis with enriched data
checkov -f tfplan.json \
  --repo-root-for-plan-enrichment . \
  --deep-analysis

IaC Code Analysis Alternatives