Scan Terraform plans and changes with tfquery via SQL-powered framework
New Release: tfquery now supports SQL queries for Terraform Plan Scanning
If you're an infrastructure security engineer and have not tried tfquery yet, this blog post is for you.
Tfquery is a framework that allows running SQL queries on Terraform code. It’s made to analyze your Terraform infrastructure, locate resources, run security compliance checks, spot misconfigured resources, develop CI benchmarks, and much more.
I developed it to solve an existing problem I’m facing: understanding large infrastructure quickly.
Last year, I spoke at DEFCON about the risks of running insecure Terraform environments and how attackers can make use of current Terraform Enterprise environments to compromise the entire infrastructure with normal employee access to GitHub.
There was no patch or workaround released by HashiCorp to limit external providers or prevent local-exec data sources.
Until now, tfquery support was specific to tfstate: it could run SQL queries on the current Terraform workspace state, and it also supported multiple workspaces when importing state files.
My plan is to add support for tfplan within tfquery to be able to scan Terraform plans and changes. This allows engineers to write Terraform misconfiguration checks as SQL queries.
semgrep HCL support vs. tfquery
In October 2021, Semgrep announced support for scanning HCL files. The challenge with semantic scanning of HCL code (the approach tfsec, checkov, and similar tools also take) is that it is limited to non-dynamic HCL code. Terraform is much more complex, and without the final state of the rendered infrastructure code, checks would not be as accurate as needed.
You also need to write logic to ensure findings are not raised for code that already exists in your Terraform workspace. Otherwise, you would block the CI pipeline on a change whose author did not introduce any vulnerable code.
tfquery approach for Terraform Plan scanning
Whenever a PR is created for a Terraform change, you should be able to scan changes through tfquery.
You can now write SQL queries that are much more elegant to:
- Check that providers match an allowed list.
- Check for wildcard AWS Policies.
- Check for new IAM users.
- Check for an S3 bucket with versioning not being enabled.
- etc.
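As an added example that is not tfquery's own code or schema: a minimal version of this approach in Python, loading the JSON form of a plan (`terraform show -json tfplan`) into SQLite and expressing three of the checks above as SQL, while flagging only resources the plan actually creates or updates so that pre-existing code does not block the pipeline. The `changes` table layout, the check SQL and the sample plan are assumptions constructed for this illustration.

```python
import json
import sqlite3

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields used here (resource_changes[].address/type/change.actions/change.after).
PLAN = {"resource_changes": [
    {"address": "aws_iam_user.ci", "type": "aws_iam_user",
     "change": {"actions": ["create"], "after": {"name": "ci-bot"}}},
    {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
     "change": {"actions": ["update"], "after": {"name": "admin", "policy": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"actions": ["create"], "after": {"bucket": "logs", "versioning": [{"enabled": False}]}}},
    {"address": "aws_s3_bucket.legacy", "type": "aws_s3_bucket",
     "change": {"actions": ["no-op"], "after": {"bucket": "legacy", "versioning": [{"enabled": False}]}}},
]}

# Hypothetical checks: plain SQL over one table `changes(address, type, action, after)`,
# where `after` holds the planned attributes as JSON text queried via SQLite's json1 functions.
CHECKS = {
    "new IAM user": """
        SELECT address FROM changes
        WHERE type = 'aws_iam_user' AND action = 'create'""",
    "wildcard IAM policy": """
        SELECT c.address FROM changes c,
             json_each(json_extract(c.after, '$.policy'), '$.Statement') s
        WHERE c.type = 'aws_iam_policy' AND c.action IN ('create', 'update')
          AND json_extract(s.value, '$.Effect') = 'Allow'
          AND json_extract(s.value, '$.Action') = '*'""",
    "S3 bucket without versioning": """
        SELECT address FROM changes
        WHERE type = 'aws_s3_bucket' AND action IN ('create', 'update')
          AND COALESCE(json_extract(after, '$.versioning[0].enabled'), 0) = 0""",
}

def load_plan(plan: dict) -> sqlite3.Connection:
    """Flatten resource_changes into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE changes (address TEXT, type TEXT, action TEXT, after TEXT)")
    for rc in plan["resource_changes"]:
        actions = rc["change"]["actions"]
        # A replace is listed as two actions (delete+create in either order); treat it as a create.
        action = "create" if "create" in actions else actions[0]
        db.execute("INSERT INTO changes VALUES (?, ?, ?, ?)",
                   (rc["address"], rc["type"], action, json.dumps(rc["change"]["after"])))
    return db

def run_checks(plan: dict) -> dict:
    """Return {check name: [flagged resource addresses]}; no-op resources are never flagged."""
    db = load_plan(plan)
    return {name: [row[0] for row in db.execute(sql)] for name, sql in CHECKS.items()}

if __name__ == "__main__":
    for name, hits in run_checks(PLAN).items():
        print(f"{name}: {hits or 'none'}")
```

The unchanged `aws_s3_bucket.legacy` bucket is not reported even though versioning is off, which is the behaviour a PR gate needs.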
Try tfquery at github.com/mazen160/tfquery
Find my DEFCON talk: mazinahmed.net/blog/attacking-terraform-environments
Thanks for reading!