Skip to main content

Prevent cloud misconfigurations in HashiCorp Terraform with Snyk IaC

Written by:
wordpress-sync/Blog-iac-header

May 13, 2021

0 mins read

We’re delighted to share new features of Snyk Infrastructure as Code (Snyk IaC) designed to support how Terraform users write, plan, and apply their configurations. With Snyk IaC, you can get immediate guidance on security configurations as you write, and scan your Terraform plans in your deployment pipelines to ensure your changes and complete configuration are safe. Plus, we’ve added major performance improvements to handle configurations with thousands of files, and security improvements to ensure your private environment details stay private.

Eliminating Terraform misconfigurations throughout the lifecycle

With these new Snyk IaC capabilities, you have the power to treat Terraform like any other form of code and shift left, making configuration security an integral part of the full Terraform lifecycle. Snyk IaC tests for misconfigurations from the time the code is written, to provide immediate feedback and guidance to your engineers based on cloud and industry best practices and your organization’s policies. As Terraform modules are committed and automated tests begin, Snyk IaC tests your Terraform plans, providing a comprehensive view of the changes being made to ensure your environments will be safe when they are deployed, preventing post-deployments surprises and regression.

The importance of scanning Terraform Plans for cloud misconfigurations

The Snyk CLI already allows users to scan Terraform and Kubernetes files locally and in CI/CD, providing instant feedback as you write and in your code repositories. That works well for individual changes, but if you want to get a collective look at all the changes you’re about to apply, including the effects of your included modules and variables, scanning the Terraform plan file is the way to go.

With this release, the Snyk CLI workflow now supports scanning a Terraform plan (tf-plan) file, to detect if the proposed changes will introduce any new security vulnerabilities to your current cloud infrastructure. To demonstrate how Snyk IaC can now be used throughout your Terraform workflow, I’ll run through an example using the code from Hashicorp’s Use Application Load Balancers for Blue-Green and Canary Deployments tutorial so you can see a simple local “write, test, plan, test, apply” workflow with Snyk IaC.

Read more about Blue Green deployment strategy explained.

Testing for cloud misconfigurations in Terraform source code

Before starting with Snyk, I’ve already applied the Terraform as supplied by Hashicorp, so my environment is up and running, and my Terraform code is in git. But now that I have Snyk IaC, I’d like to see if there are any concerning issues, so I’ve integrated Snyk with my GitHub repository and we can see the results in the Snyk console:

wordpress-sync/blog-iac-terraform-misconfigurations

There are no high severity issues, but clicking into the main.tf I notice that the load balancer is set to use HTTP instead of HTTPS. A medium risk issue by default, but one that my security team frowns upon. The Snyk UI shows me where the issue exists in my code, the impact, and how to resolve it:

wordpress-sync/blog-iac-terraform-remediation

Terraform security scanning as you code

I made the change noted by Snyk IaC to my Terraform file to get the load balancer to use HTTPS, which also requires the creation and use of a certificate, so I added that to my configuration too. Now, before I push my changes I want to run a quick check to make sure that fixing the HTTPS issue didn’t introduce any new problems. And while I’m at it, since this is an internet-facing application, my team and I don’t need to see that “Load balancer is internet facing” alert from Snyk IaC anymore, so I’ve requested the security admins turn it off for me, which is easy to do in Snyk IaC. My only changes were in main.tf so that’s what I’ll test locally before I commit my changes:

1$ snyk iac test main.tf
2
3Testing main.tf...
4
5Infrastructure as code issues:
6
7Organization:      purple-dobie
8Type:              Terraform
9Target file:       main.tf
10Project name:      learn-terraform-advanced-deployments
11Open source:       no
12Project path:      main.tf
13
14Tested main.tf for known issues, found 0 issues

Perfect! I fixed the HTTPS issue and my security team disabled the “internet facing” check so I’m down to zero issues, at least in main.tf. I’m happy with that. Time to deploy my changes!

Scanning for Terraform misconfigurations in your pipelines

Before actually applying my changes, I need to run a Terraform plan so I know what’s going to change. Since the Terraform plan incorporates changes across all modules — and includes all of our variables as well — we get a better picture of the impact of our changes. This presents another opportunity to integrate Snyk IaC into our Terraform lifecycle, ensuring that my changes don’t impact other modules in my configuration. In the example below, I’m running everything locally for simplicity, but it’s easy enough to use the Snyk CLI in any CI tools you might use to automate planning and testing:

1# generate a Terraform plan in JSON format:
2$ terraform plan -out=tfplan.bin
3$ terraform show --json tfplan.bin > tfplan.json
4
5# And use Snyk to test the plan to see I caused any issues:
6$ snyk iac test tfplan.json 
7
8Testing tfplan.json...
9
10Infrastructure as code issues:
11
12Organization:      purple-dobie
13Type:              Terraform
14Target file:       tfplan.json
15Project name:      learn-terraform-advanced-deployments
16Open source:       no
17Project path:      tfplan.json
18
19Tested tfplan.json for known issues, found 0 issues

Looks like my changes are good — no security issues! Except there’s one nagging thought that’s bothering me. All I tested above was the resource changes (the default for Snyk IaC), and I know I only edited a single file (main.tf), so this clean result isn’t surprising. However, my Terraform configuration was already applied and running before I started using Snyk IaC, so I’d really like to check all the planned values so I can see not only my new changes, but also the known configuration details for the already running deployment.

Enriching cloud misconfiguration checks by incorporating Terraform state

The new Snyk IaC tf-plan feature has the ability to check the planned values for me! I just need to specify that I want to scan the planned values using the --scan=planned-values option. Again, I recommend doing this in CI, but I’m using the CLI for simplicity:

1$ snyk iac test --scan=planned-values tfplan.json
2
3Testing tfplan.json...
4
5Infrastructure as code issues:
6  ✗ Security Group allows open ingress [High Severity] [SNYK-CC-TF-1] in VPC
7    introduced by resource > aws_security_group[this_name_prefix] > ingress[0]
8.
9.
10.
11  ✗ Non-Encrypted root block device [Medium Severity] [SNYK-CC-TF-53] in EC2
12    introduced by aws_instance[blue] > root_block_device > encrypted
13.
14.
15.
16
17Organization:      purple-dobie
18Type:              Terraform
19Target file:       tfplan.json
20Project name:      learn-terraform-advanced-deployments
21Open source:       no
22Project path:      tfplan.json
23
24Tested tfplan.json for known issues, found 20 issues

Oops! We have 20 issues this time, with some `High Severity` issues mixed in (I’ve cut out all but one high and one medium issue for brevity in the output above).

Terraform scanning including modules and variables

This new result tells me there’s more work I might need to do, but there’s something else interesting that comes as the result of scanning the tf-plan, beyond just scanning the files: Those high severity issues didn’t come up in my initial git repo scan at the beginning of this example, nor did they appear when I scanned the main.tf file by itself after I edited it.

The reason for this is that our configuration is using several AWS provider modules and variables, and in the repo and single file scans, we’re statically checking the file, which means we only have details on the resources that are explicitly specified in the file but we cannot tell what resources will be created by the modules simply by looking at the file on its own. The Terraform plan takes care of incorporating all the logic from the included modules and variables for us, so we can get a more complete picture of our configuration.

Another benefit of being able to scan the Terraform plan is that tools in the Terraform ecosystem should easily work with Snyk IaC, too. We have customers using tools like Terraform Cloud, Terragrunt and Atlantis, and since these tools all output a standard Terraform plan, we can scan them with Snyk IaC. We’ll cover examples of some of these ecosystem tools in future posts.

Keeping your private infrastructure data confidential and boosting performance

As shown in even our simple example above, scanning a Terraform plan covers many additional misconfiguration risks that come up in the normal lifecycle of IaC. But scanning at this stage also involves handling sensitive data that we know you do not want to leave your network. So in this release, the Snyk CLI runs IaC tests locally, with nothing but your Snyk authentication and CLI metadata sent back to us. There is no special step or setup you need to undergo for this to work: it's built-in to Snyk IaC and is the default way the Snyk CLI for IaC will work from here.

There’s another bonus to scanning locally: a huge boost to speed! This is particularly impactful for our customers who have hundreds and in some cases thousands of files in a single Terraform repo. Our own testing shows a 20x improvement when scanning these large directories.

Get started with the Snyk IaC for free

These new features are available to everyone to try, including users on a free plan. Getting started is simple:

  1. If you don’t already have a Snyk account, sign up for free.

  2. Install the Snyk CLI. If you already have the Snyk CLI installed, verify you have CLI 1.594.0or newer to get these features.

  3. Scan your Terraform and Kubernetes files.

    • The main command for scanning IaC with the new features is:snyk iac test <path-to-file-or-folder>

      You can learn more about the various scanning options we support through our docs or via the CLI docs by running: snyk iac --help

    • To scan Terraform plans, you’ll need to generate a JSON formatted output which you can get via terraform show, as shown in the examples above and documented by Terraform.

We’d love to hear your feedback! If you’re already a Snyk customer your customer success team is a great route for product feedback, but we welcome comments in our Snyk Community forum from all.

Posted in:
wordpress-sync/Blog-iac-header

Snyk Top 10: Vulnerabilites you should know

Find out which types of vulnerabilities are most likely to appear in your projects based on Snyk scan results and security research.