12.1. Terraform

12.1.1. Static Code Analyzer with TFLint

As your Terraform codebase grows, it’s more prone to errors.

And they can become nasty.

To analyze your files, use TFLint.

TFLint is a linting tool to check for common smells and issues before you even run your code.

You can even define custom rules to tailor it to your team’s standards.

tflint

Error: "type_abc" is an invalid value as instance_type (aws_instance_invalid_type)

  on main.tf line 15:
   15: instance_type = "invalid_type"

When you run TFLint again, you’ll receive an error message indicating that the instance_type value is invalid. TFLint identifies this issue without applying the Terraform configuration, helping you catch errors early in your development workflow.

12.1.2. Check for Security Risks with Tfsec

To check your Terraform files for common security issues, use Tfsec.

Tfsec is a static code analyzer that detects security risks in Terraform code, with hundreds of built-in rules.

It’s easy to set up and run, and well suited to CI pipelines too.

brew install tfsec
tfsec .

Result #1 CRITICAL Storage account uses an insecure TLS version.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
  deployment/modules/storage_account/main.tf:1-8
   via deployment/main.tf:23-28 (module.storage_account)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
    1    resource "azurerm_storage_account" "storage_account" {
    2      name                     = var.account_name
    3      resource_group_name      = var.resource_group_name
    4      location                 = var.location
    5      account_kind             = "Storage"
    6      account_tier             = "Standard"
    7      account_replication_type = "LRS"
    8    }

12.1.3. Generate Least Privileges with Pike

When managing your infrastructure, follow the Principle of Least Privilege (PoLP).

PoLP says that a user should only have the minimum level of access required for a particular resource to function correctly.

For your infrastructure managed by Terraform, you can use Pike.

Pike is a tool that determines the minimum permissions required to run your Terraform code with one command.

It supports the big cloud providers (Azure, AWS, GCP).

Check it out: https://github.com/JamesWoolfenden/pike

brew tap jameswoolfenden/homebrew-tap
brew install jameswoolfenden/tap/pike
pike scan -d .\terraform\
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": [
            "ec2:MonitorInstances",
            "ec2:UnmonitorInstances",
            "ec2:DescribeInstances",
            "ec2:DescribeTags",
            "ec2:DescribeInstanceAttribute",
            "ec2:DescribeVolumes",
            "ec2:DescribeInstanceTypes",
            "ec2:RunInstances",
            "ec2:DescribeInstanceCreditSpecifications",
            "ec2:StopInstances",
            "ec2:StartInstances",
            "ec2:ModifyInstanceAttribute",
            "ec2:TerminateInstances",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:AuthorizeSecurityGroupEgress",
            "ec2:CreateSecurityGroup",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeNetworkInterfaces",
            "ec2:DeleteSecurityGroup",
            "ec2:RevokeSecurityGroupEgress"
        ],
        "Resource": "*"
    }
}
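The policy Pike generates above is minimal in its actions, but its "Resource" is still the wildcard "*", and "Statement" is emitted as a single object rather than a list (both forms are valid IAM). The following is an added example, not part of Pike or of this page, showing how to review such a generated policy before attaching it: it normalizes the object-or-list forms and flags wildcard resources and wildcard actions. The sample policy is a constructed, trimmed copy of the one shown above.

```python
import json

# Constructed sample: a trimmed copy of the policy Pike emitted above.
# "Statement" is a single object here, which IAM permits alongside a list.
PIKE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
    "Resource": "*"
  }
}
""")


def _as_list(value):
    """IAM allows Statement, Action and Resource to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return review findings for an IAM policy document.

    Flags Allow statements whose Resource includes "*" and any Action that
    contains a wildcard (for example "ec2:*"). Deny statements are skipped,
    since a broad Deny narrows rather than widens access.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement[{i}]: Resource is '*'; scope it to specific ARNs")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"statement[{i}]: wildcard action {action!r}")
    return findings


def passes_review(policy):
    """CI-style gate: True only when the audit raises no findings."""
    return not audit_policy(policy)


if __name__ == "__main__":
    for finding in audit_policy(PIKE_POLICY):
        print(finding)
```

Some EC2 actions (the Describe* family in particular) do not support resource-level permissions, so a finding on "Resource" is a prompt to review which actions can be scoped, not a rule to replace every "*" blindly.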