How secure are your Terraform sensitive values?
- 2. HOW SECURE ARE YOUR TERRAFORM SENSITIVE VALUES?_ Marko Bevc
- 3. SECURE ENOUGH?_ “Security through obscurity should never be the only security mechanism!”
- 4. ABOUT ME_ ● Senior Consultant at The Scale Factory (DevOps consultancy, AWS advanced consulting partner and K8s service provider) ● Ops background: Senior IT infrastructure engineer and System Architect (extensive Linux and virtualization experience) ● Certifications and competencies: AWS, CKA, RHEL, HCTA ● Open source contributor and supporter ● Fan of automation/simplifying things, hiking, cycling and travelling @_MarkoB https://www.linkedin.com/in/marko-bevc/
- 5. TOPICS COVERED_ ● Terraform workflows (security aspect and exposure, attack vector and risks) ● Sensitive values leaks & prevention ● Demo and code examples ● Conclusions and takeaways
- 7. WORKFLOWS EXPOSURE_ • Workflow types: –CLI (OSS binary) and wrappers (TerraGrunt) –Automated pipeline runs (Atlantis, GitHub Actions, CircleCI) –Managed SaaS offering (TFC) • Results in shift of exposure points: –code and repository –state/lock –execution environment and sensitive values –security perimeter & responsibility!
- 8. SECRETS IN CODE_ • Most “obvious” pitfall to avoid • Hard-coded secretes/ sensitive values in code • Terraform repository scanning, code reviews and good team security awareness/culture • Remediation: – Dynamically inject from environment – Stored externally in a sealed environment (Vault/HCP, AWS SecretsManager/SSM, Google, etc.) with encryption at rest + transit – Randomization to reduce risk points (human factor*) • Is this enough? #1
- 9. KEEPING STATE SECURE_ ● More interesting and most important security aspect ● Even if using external secrets (injected or secure solution) Terraform needs to keep state current in order to detect changes ● Solution: ensure state is safe (encryption at rest/transit and access control) ● Native encryption in the state is hard - deprecated! #2
- 10. OUTPUT AND AUDIT TRAIL_ • Usually forgotten • Logging and backups can also reveal sensitive information • Terraform 0.14+ has a concept of ‘sensitive’ values (variables, providers), but it is not encrypting or obscuring it in the state! • Responsibility might differ in workflows • Keeping clean logs and trails is a good practice (also personal information) • Also don’t forget about log encryption and control access #3
- 11. variable "db-pass" { type = string description = "Default DB password" default = null sensitive = true } resource "aws_db_instance" "db" { allocated_storage = 10 allow_major_version_upgrade = true apply_immediately = true storage_type = "gp2" engine = "mariadb" engine_version = "10.5" instance_class = "db.t2.micro" name = "mydb" username = "username" password = var.db-pass skip_final_snapshot = true } example.tf
- 12. TIME FOR DEMO!_
- 13. CONCLUSIONS_ & TAKEAWAYS ● Security is hard! ● Protect your crown jewels: – repository code – state – output/logs ● Use multiple layers of security, scan code and defence in depth (tfsec, checkov, AWS Config, Cloud custodian, Prowler) ● Familiarise people with responsibilities and procedure - not just technical problem ● Avoid weak links in the IaC security chain
- 14. ● Resources: – https://www.scalefactory.com/blog/2020/12/02/are-we-there-yet-terraform-0.14/ – https://www.terraform.io/docs/extend/best-practices/sensitive-state.html – https://blog.gruntwork.io/a-comprehensive-guide-to-managing-secrets-in-your-terraform-code- 1d586955ace1 – https://geekflare.com/aws-vulnerability-scanner/ – https://thorsten-hans.com/six-golden-rules-of-infrastructure-as-code-iac – https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html – https://www.terraform.io/cloud – https://www.vaultproject.io/ – https://www.hashicorp.com/cloud-platform FURTHER READING_