HashiCorp Terraform is a tool used to safely and efficiently provision infrastructure. To do this Terraform leverages infrastructure as code, which is frequently lauded for the speed and efficiency benefits it provides over legacy point-and-click provisioning solutions. In addition to providing for more rapid deployments, Terraform has features for securing those deployments and lowering risk. This blog will cover the features you can use to improve the security posture of your infrastructure: Sentinel policy as code, Terraform module registry, and HashiCorp Vault integration.
Sentinel is a policy as code framework that is integrated into HashiCorp enterprise products. Sentinel allows users to define policies that are enforced against infrastructure between the plan and apply phases of a Terraform run. Compared to many tools that scan existing infrastructure for policy infractions, Sentinel proactively prevents provisioning of out-of-policy infrastructure. Policy as code can be written to achieve a range of goals, from limiting oversized cloud deploys to ensuring all infrastructure is properly tagged. The following example policy prevents security groups from having egress open to 0.0.0.0/0, to help prevent malicious attacks such as DDoS attempts (see this repository for more example policies).
```sentinel
import "tfplan"

# Fail the run if any planned aws_security_group has an egress rule
# that allows traffic to anywhere (0.0.0.0/0).
main = rule {
  all tfplan.resources.aws_security_group as _, instances {
    all instances as _, sg {
      all sg.applied.egress as egress {
        egress.cidr_blocks not contains "0.0.0.0/0"
      }
    }
  }
}
```
The Terraform module registry is another feature designed to ensure all infrastructure is meeting best practices. Modules are packaged infrastructure as code units that can be found in both the public Terraform Module Registry and the private registry of organizations using Terraform Enterprise. Modules can be as simple as a single compute instance or as complex as desired by the module creator.
For organizations leveraging the private registry, infrastructure experts can craft standardized best-practices modules for infrastructure components and enable developers to consume them in a self-service fashion. By providing developers who need to deploy their applications onto infrastructure the means to build that infrastructure through customizable modules, operators can enable rapid development without compromising infrastructure quality.
With the infrastructure you provision with Terraform governed by policy as code and built from best-practice modules, the sensitive credentials used to build that infrastructure also need to be secured for an optimal security posture. Within Terraform, variables can be marked as sensitive, which uses Vault to encrypt the values, makes them write-only, and ensures that no out-of-band party can read the values without proper authorization.
The Vault integration goes further with dynamic secret generation. Using long-lived, static cloud credentials for Terraform runs is dangerous: the longer a credential lives, the greater the likelihood of it being exposed. By leveraging the Terraform Vault provider, you can generate short-lived credentials for each Terraform run, which are automatically revoked after the run (see this guide for more).
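The per-run credential flow described above, as an added example that is not code from the original post: Terraform asks Vault's AWS secrets engine for a leased credential and hands it straight to the AWS provider, so no static key is stored in the configuration. The mount path "aws", the role name "terraform-deploy", and the region are assumptions; Vault's address and token are taken from the environment.

```hcl
# Added example (not from the original post). Assumptions: the AWS secrets
# engine is mounted at "aws" with a role "terraform-deploy" that is bound to
# a narrowly scoped IAM policy; VAULT_ADDR and VAULT_TOKEN are set in the
# environment of the Terraform run.

terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
    aws   = { source = "hashicorp/aws" }
  }
}

# No address or token in code: the provider reads VAULT_ADDR / VAULT_TOKEN.
provider "vault" {}

# Every plan/apply requests a fresh credential pair. Vault issues it with a
# lease, and the lease (not the configuration) decides how long it lives.
data "vault_aws_access_credentials" "run" {
  backend = "aws"              # mount path of the AWS secrets engine (assumed)
  role    = "terraform-deploy" # Vault role for this pipeline (assumed)
  type    = "sts"              # STS session token instead of an IAM user key
}

# The AWS provider consumes the leased credentials directly; the session
# token expires with the Vault lease or when the lease is revoked.
provider "aws" {
  region     = "us-east-1" # assumed
  access_key = data.vault_aws_access_credentials.run.access_key
  secret_key = data.vault_aws_access_credentials.run.secret_key
  token      = data.vault_aws_access_credentials.run.security_token
}

# Surface the lease ID so a CI wrapper can revoke it explicitly once the
# apply finishes:  vault lease revoke <lease_id>
output "vault_lease_id" {
  value     = data.vault_aws_access_credentials.run.lease_id
  sensitive = true
}
```

Because the credential is minted per run and tied to a lease, a leaked state file or CI log exposes at most a key that has already expired or been revoked.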
With unique, short-lived credentials generated on demand to provision module-based infrastructure that is proactively governed by policy as code, organizations can dramatically improve their infrastructure security posture. To learn more about Terraform, check out Terraform.io or visit the Terraform learning center.