Terraform is the most popular tool for provisioning and managing Infrastructure-as-Code (IaC) over varied cloud environments. While there is an ongoing debate about open-source and proprietary IaC frameworks, the fact remains that Terraform still has a significant lead in market share over its competitors.
Since IaC is now a fundamental DevOps practice, it follows that Terraform is a crucial part of DevOps tech stacks at many organizations. So while Terraform by itself doesn’t have a direct impact on app security, its role in app development and production infrastructure is crucial. Devs and sys admins would therefore do well to be aware of and incorporate best practices to manage Terraform security across their IaC implementation.
Here are a few ways to do that.
Always Execute Programmatically
Ease of automation and ease of executing CI/CD pipelines are the reasons Terraform gained popularity. Running commands manually always introduces a possibility of human error. So make sure you execute Terraform commands and parameters programmatically, with a tool such as Jenkins or GitLab CI/CD.
Security-wise, this gives you multiple benefits:
- Limited access to the infrastructure by authorized users only
- Unambiguous process for deploying infrastructure changes, where departures from the norm can be tracked
- Enforcement of version control
- Consistency in code review and approvals, minimizing the risk of vulnerabilities
Follow Cloud Security Best Practices
While Terraform isn’t designed exclusively for the cloud, it is extensively and almost exclusively used in hybrid and multi-cloud environments. Therefore, sticking to well-known cloud security best practices and benchmarks (such as those from CIS) will keep your applications and infrastructure secure at all times.
Terraform lets you enforce centralized security, monitoring and governance by making sure all infrastructure deployments adhere to the same policies. You can implement least privilege access control consistently across all your environments.
In order to have a secure foundation for app development, your infrastructure settings need to be optimized to minimize vulnerabilities – a process known as “configuration hardening.” You can do this via Terraform. For example, if your provider recommends disabling unused services on VMs, you can configure Terraform to automatically disable unused services on the VM image, as soon as it is provisioned.
Finally, make sure you use only modules verified in the official Terraform Registry. HashiCorp classifies modules and providers listed in the registry with various badges and levels, giving them the badge of trustworthiness. Avoiding third-party components and using only community-vetted assets will give your IaC the double assurance of security and reliability.
Implement Compliance as Code
“Compliance as code” involves turning your security and compliance policies into code that can be tested, deployed, and enforced automatically across your infrastructure. If you want to make sure your application security policies comply with standard benchmarks, you need two things: tools and processes.
Open Policy Agent and Sentinel from HashiCorp (the company that developed and manages Terraform) are policy-as-code frameworks that allow you to define and execute security policies written as code in Terraform. Specifically, you can
- Evaluate and enforce rules that Terraform configurations and deployments must adhere to.
- Enforce application and infrastructure security policies across cloud environments.
- Isolate security misconfigurations during the development process.
- Prevent insecure infrastructure from being deployed, preventing applications from being exposed to vulnerabilities.
- Integrate apps and modules with CI/CD pipelines for automatic and consistent enforcement of security policies.
Taken as a whole, the above practices serve to build security-by-design into your application development process.
Implement Foolproof Secure State Management
The directory, configuration, and management information for your infrastructure and its component resources is stored in Terraform state files. It’s imperative to ensure that these state files are versioned, encrypted, and protected from potential conflicts and unauthorized access.
Since state files can contain sensitive data such as passwords, tokens and API keys in plain text form, your best bet is to avoid storing them where they might be found by malicious actors – simply fetch secrets at runtime and pass them to resources directly.
If you must use the state file, remember to use built-in encryption functions like pgp or kms. Better yet, put a proper secrets management solution in place. HashiCorp Vault, AWS Secrets Manager and Azure Key Vault, all are great tools you can use.
It is essential to secure your Terraform state files while in storage. The go-to options for storing them remotely in a secure backend are Terraform Cloud or AWS S3. For example, configuring Terraform to use an S3 backend with server-side encryption ensures that the state files are encrypted at rest. Also restrict access to the S3 storage bucket using groups or IP whitelisting to ensure least privilege access. Finally, make sure you have adequate backup and recovery measures in place.
Secure Your Infrastructure to Build Secure Apps
Tech leads, DevOps professionals, and even CTOs often ignore the importance of meticulous infrastructure management in building secure applications. Misconfiguration in infrastructure code often leads to weak access control that ultimately ends up compromising application and data security. By helping you get IaC right, Terraform does play its part in defining and executing foolproof app security policies.
