Scan Terraform plans and changes with tfquery via SQL-powered framework- 3 mins
New Release: tfquery now supports SQL queries for Terraform Plan Scanning
In case you’re an Infrastructure security engineer and have not tried tfquery yet, this will be a great blog post for you.
Tfquery is a framework that allows running SQL queries on Terraform code. It’s made to analyze your Terraform infrastructure, locate resources, run security compliance checks, spot misconfigured resources, develop CI benchmarks, and much more.
I developed it to solve an existing problem I’m facing: understanding large infrastructure quickly.
Last year, I spoke at DEFCON about the risks of running Insecure Terraform environments, and how attackers can make use of current Terraform Enterprise environments to compromise the entire infrastructure with normal employee access to Github.
There was no patch or workaround released by HashiCorp to limit external providers or prevent local-exec data sources.
Tfquery support was specific to tfstate. It was able to run SQL queries on the current Terraform workspace state - and also supports multi-workspaces when importing state files.
My plan is to add support for tfplan within tfquery to be able to scan Terraform plans and changes. This allows engineers to write Terraform misconfiguration checks as SQL queries.
semgrep HCL support vs. tfquery
Semgrep announced in October 2021 the support for scanning HCL files. The challenge with semantic scanning of HCL code (a similar approach to what tfsec, checkov, and similar tools are doing) is that it’s limited to non-dynamic HCL code. Terraform is much more complex and without having the final state of rendered infrastructure code, checks would not be as accurate as needed.
Also, you may need to write a logic to make sure that findings are not alerted for a codebase already existing in your Terraform workspace, otherwise, you would be blocking the CI pipeline where a member did not introduce any vulnerable code.
tfquery approach for Terraform Plan scanning
Whenever a PR is created for a Terraform change, you should be able to scan changes through tfquery.
You can now write SQL queries that are much more elegant to:
- Check for providers if not matching an allowed list.
- Check for wildcard AWS Policies.
- Check for new IAM users.
- Check for an S3 bucket with versioning not being enabled.
Try tfquery at: github.com/mazen160/tfquery
Find my DEFCON talk: mazinahmed.net/blog/attacking-terraform-environments
Thanks for reading!
- Speaking at BlakcHat MEA 2022
- DoS Attacks are Dead: Demystifying Practical DoS Attacks
- Shennina Framework - Automating Host Exploitation with AI
- Twitch Internal Security Tools: In-depth Analysis of the Leaked Twitch Security Tools
- Attacking Modern Environments Series: Attack Vectors on Terraform Environments