Scan Terraform plans and changes with tfquery via SQL-powered framework

- 3 mins

New Release: tfquery now supports SQL queries for Terraform Plan Scanning

In case you’re an Infrastructure security engineer and have not tried tfquery yet, this will be a great blog post for you.

Tfquery is a framework that allows running SQL queries on Terraform code. It’s made to analyze your Terraform infrastructure, locate resources, run security compliance checks, spot misconfigured resources, develop CI benchmarks, and much more.

I developed it to solve an existing problem I’m facing: understanding large infrastructure quickly.

Last year, I spoke at DEFCON about the risks of running Insecure Terraform environments and how attackers can make use of current Terraform Enterprise environments to compromise the entire infrastructure with normal employee access to Github.

There was no patch or workaround released by HashiCorp to limit external providers or prevent local-exec data sources.

Tfquery support was specific to tfstate. It was able to run SQL queries on the current Terraform workspace state - and also supports multi-workspaces when importing state files.

My plan is to add support for tfplan within tfquery to be able to scan Terraform plans and changes. This allows engineers to write Terraform misconfiguration checks as SQL queries.

semgrep HCL support vs. tfquery

Semgrep announced in October 2021 the support for scanning HCL files. The challenge with semantic scanning of HCL code (a similar approach to what tfsec, checkov, and similar tools are doing) is that it’s limited to non-dynamic HCL code. Terraform is much more complex, and without having the final state of rendered infrastructure code, checks would not be as accurate as needed.

Also, you may need to write a logic to make sure that findings are not alerted for a codebase already existing in your Terraform workspace. Otherwise, you would be blocking the CI pipeline where a member did not introduce any vulnerable code.

tfquery approach for Terraform Plan scanning

Whenever a PR is created for a Terraform change, you should be able to scan changes through tfquery.

You can now write SQL queries that are much more elegant to:

Try tfquery at github.com/mazen160/tfquery

Find my DEFCON talk: mazinahmed.net/blog/attacking-terraform-environments

Thanks for reading!

Mazin Ahmed

Mazin Ahmed

Thoughts of a hacker

rss facebook twitter github gitlab youtube mail spotify lastfm instagram linkedin google google-plus pinterest medium vimeo stackoverflow reddit quora quora