
DevSecOps in Practice

A Hands-On Guide to Operationalizing DevSecOps at Scale

IaC Code Analysis - Terraform

Terraform Common Security Pitfalls

After setting up security tests and checks for our application code, dependencies, configurations, and Docker images, we must also secure our Infrastructure as Code (IaC) templates. Terraform, one of the most widely used IaC tools, lets organizations define and manage cloud infrastructure declaratively. That same property means a misconfigured Terraform file reproduces its security flaw in every environment it is applied to.

Terraform security scanning detects misconfigurations and compliance violations before they reach production. Because Terraform code is declarative, static analysis of the .tf files, or of the plan they produce, can identify risks, enforce security policies, and block misconfigurations that would expose cloud environments, before anything is applied.

Below are some common security issues in Terraform configurations, each with an example. The code snippets are illustrative and have been simplified for clarity.

Excessively Permissive Network Rules

Poorly defined security groups and firewall rules can leave critical services exposed. Examples include:

  • Allowing unrestricted inbound access (0.0.0.0/0) on ports such as SSH (22) or RDP (3389).
resource "google_compute_firewall" "bad_fw" {
  name    = "open-ssh"
  network = "default"

  allow {
    protocol = "tcp"
    ports    = ["22"]
  }

  source_ranges = ["0.0.0.0/0"] # Unrestricted SSH access
}
  • Failing to restrict traffic to trusted IP ranges.
  • Misconfigured public-facing load balancers exposing private services.

Lack of Encryption for Data at Rest and in Transit

Sensitive data must be protected to prevent unauthorized access. Common misconfigurations include:

  • Unencrypted Blob Storage, EBS volumes, or database instances.
  • Missing TLS enforcement for storage endpoints, web applications and APIs.
resource "azurerm_storage_account" "bad_storage" {
  name                     = "unsecurestorage"
  resource_group_name      = "example-resources"
  location                 = "eastus"
  account_tier             = "Standard"
  account_replication_type = "LRS"
  enable_https_traffic_only = false # Allows plaintext HTTP to the endpoint (in transit, not at rest); renamed https_traffic_only_enabled in azurerm v4
}
  • Storing secrets in plaintext in Terraform variables or in files committed to version control. Terraform state also records resource attributes, secrets included, in plaintext, so the state backend itself must be access-controlled and encrypted.

Overly Permissive IAM Roles and Policies

Misconfigured identity and access management (IAM) settings can lead to privilege escalation and unauthorized access. Examples include:

  • Assigning wildcard (*) actions, or on GCP the basic roles (roles/owner, roles/editor) that are their equivalent, instead of following the principle of least privilege.
resource "google_project_iam_policy" "bad_iam" {
  project = "my-gcp-project"
  # Authoritative: this replaces every existing binding on the project
  policy_data = <<EOT
{
  "bindings": [
    {
      "role":
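The three pitfall classes above (open network rules, missing encryption, over-broad IAM) are exactly what a Terraform scanner encodes as rules. As an added example, not code from the course or from any existing scanner, the following Python script runs such checks over the JSON that `terraform show -json plan.out` produces, which is the same input policy-as-code tools evaluate. It assumes current google, azurerm and aws provider attribute names, and the embedded `SAMPLE_PLAN` is constructed by hand to mirror the snippets on this page plus one compliant security group.

```python
"""Policy checks over `terraform show -json plan.out` output. Added example for
this page, not the course's or any scanner's code; SAMPLE_PLAN is constructed."""
import json
import sys
from typing import Iterator, List

ADMIN_PORTS = {22, 3389}                  # SSH and RDP
ANY_CIDR = {"0.0.0.0/0", "::/0"}
# GCP IAM has no "*" action; the basic roles are its wildcard equivalent.
GCP_BASIC_ROLES = {"roles/owner", "roles/editor"}


def iter_resources(plan: dict) -> Iterator[dict]:
    """Yield every planned resource, descending into child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        yield from module.get("resources", [])
        stack.extend(module.get("child_modules", []))


def port_set(spec) -> set:
    """Expand GCP port specs such as "22" or "1000-2000" into a set of ints."""
    ports = set()
    for item in spec:
        lo, _, hi = str(item).partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def check_network(res: dict) -> Iterator[str]:
    """Excessively permissive rules: admin ports reachable from the internet."""
    v, t = res["values"], res["type"]
    if t == "google_compute_firewall" and ANY_CIDR & set(v.get("source_ranges") or []):
        for rule in v.get("allow") or []:
            # An allow block without ports opens every port of that protocol.
            if not rule.get("ports") or ADMIN_PORTS & port_set(rule["ports"]):
                yield f"{res['address']}: {rule['protocol']} admin port open to the internet"
    elif t == "aws_security_group":
        for rule in v.get("ingress") or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            # protocol "-1" means all traffic (from/to ports are 0 in that case).
            if ANY_CIDR & cidrs and (rule.get("protocol") == "-1" or ADMIN_PORTS & set(range(lo, hi + 1))):
                yield f"{res['address']}: ingress {lo}-{hi} open to the internet"


def check_encryption(res: dict) -> Iterator[str]:
    """Data left unprotected in transit."""
    v, t = res["values"], res["type"]
    if t == "azurerm_storage_account":
        https_only = v.get("enable_https_traffic_only", v.get("https_traffic_only_enabled"))  # v3 name, then v4
        if https_only is False:
            yield f"{res['address']}: plaintext HTTP allowed to the storage endpoint"


def check_iam(res: dict) -> Iterator[str]:
    """Wildcard or basic-role grants instead of least privilege."""
    v, t = res["values"], res["type"]
    if t == "aws_iam_policy":
        stmts = json.loads(v["policy"]).get("Statement", [])
        for s in stmts if isinstance(stmts, list) else [stmts]:
            actions = s.get("Action", [])
            actions = actions if isinstance(actions, list) else [actions]
            if s.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
                yield f"{res['address']}: Allow statement with wildcard action {actions}"
    elif t.startswith("google_project_iam_") and ("role" in v or "policy_data" in v):
        roles = {v["role"]} if "role" in v else {
            b["role"] for b in json.loads(v["policy_data"]).get("bindings", [])}
        for role in roles & GCP_BASIC_ROLES:
            yield f"{res['address']}: basic role {role} granted on the whole project"


def scan(plan: dict) -> List[str]:
    """Run every check over every planned resource and return the findings."""
    checks = (check_network, check_encryption, check_iam)
    return [f for res in iter_resources(plan) for check in checks for f in check(res)]


# Constructed plan JSON mirroring the page's snippets, plus one compliant security group.
SAMPLE_PLAN = {"format_version": "1.2", "planned_values": {"root_module": {"resources": [
    {"address": "google_compute_firewall.bad_fw", "type": "google_compute_firewall",
     "values": {"source_ranges": ["0.0.0.0/0"], "allow": [{"protocol": "tcp", "ports": ["22"]}]}},
    {"address": "azurerm_storage_account.bad_storage", "type": "azurerm_storage_account",
     "values": {"enable_https_traffic_only": False}},
    {"address": "google_project_iam_policy.bad_iam", "type": "google_project_iam_policy",
     "values": {"policy_data": json.dumps({"bindings": [
         {"role": "roles/owner", "members": ["user:dev@example.com"]}]})}},
    {"address": "aws_iam_policy.bad_policy", "type": "aws_iam_policy",
     "values": {"policy": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"address": "aws_security_group.ok_sg", "type": "aws_security_group",
     "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                             "cidr_blocks": ["10.0.0.0/8"]}]}},
]}}}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    findings = scan(plan)
    print("\n".join(findings) or "no findings")
    sys.exit(1 if findings else 0)   # non-zero exit fails the CI job
```

Run it as `python tf_plan_check.py plan.json` after `terraform plan -out plan.out && terraform show -json plan.out > plan.json`; with no argument it scans the embedded sample, reports four findings (the open firewall, the HTTP-only storage account, the roles/owner binding and the `Action: "*"` policy) and exits non-zero, which is the shape a CI gate needs. Checking the plan rather than the raw HCL means values that arrive through variables and modules are already resolved; attributes only known after apply are absent from `values` (they appear under `after_unknown`) and are therefore not evaluated here.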
