The Security Of DevSecOps - Terraform Authentication

In the first blog post of our DevSecOps series, we looked at security considerations for the Terraform code itself and the data within it. For this shorter post, let's talk about how Terraform authenticates to providers.

Terraform providers are the integrations that let Terraform interact with platforms such as AWS, Azure, VMware, DigitalOcean, etc. To deploy resources, Terraform must be able to authenticate to each provider you are deploying into. In practice, that means the credentials are usually either built into the code (bad practice), kept in a file that is not committed to the source code repository, or set in an environment variable on the system deploying the infrastructure. Let's look at what Terraform recommends.

Terraform Files

As stated in the image above, if a file called "terraform.tfvars" exists in the directory Terraform is running from, Terraform automatically reads that file and populates variables from its contents. You could put the secrets needed by your specific provider in the terraform.tfvars file, and Terraform would use them automatically when it needs to authenticate.

As also mentioned, you can supply a different file containing the variables you define by passing the "-var-file" parameter when calling Terraform.

Environment Variables

The Terraform documentation also states that you can use environment variables to hold values that are accessible as variables within your Terraform code. Naturally, those environment variables would need to be defined on each system that runs your Terraform code.

What does this mean for security and authentication?

We now have a couple of options when it comes to storing secrets used for authenticating to Terraform providers. The worst option is to hard-code your credentials within your Terraform code. A better start is to use the terraform.tfvars file, making sure the file is protected and never committed to a source code repository.
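To make the tfvars, -var-file and environment-variable options above concrete, here is an added example (not code from the original post): a minimal project layout in which provider credentials never appear in .tf files, the terraform.tfvars file is ignored by git, and the same values can instead be supplied through Terraform's TF_VAR_<name> environment variables, followed by two pre-commit style checks a defender can run. The variable names (aws_access_key, aws_secret_key), the placeholder values and the helper names are assumptions; terraform.tfvars auto-loading and the TF_VAR_ prefix are documented Terraform behaviour.

```shell
#!/bin/sh
# Added example, not code from the original post: recommended Terraform layout
# for provider credentials plus two checks to run before committing.
# Assumptions: variable names, placeholder values and helper names are made up;
# terraform.tfvars auto-loading and TF_VAR_<name> are documented behaviour.

# Write the recommended layout into directory $1.
setup_project() {
  mkdir -p "$1"
  # variables.tf: declare the credentials as inputs with no default value.
  cat > "$1/variables.tf" <<'EOF'
variable "aws_access_key" {
  type      = string
  sensitive = true
}

variable "aws_secret_key" {
  type      = string
  sensitive = true
}
EOF
  # main.tf: the provider block only references the variables.
  cat > "$1/main.tf" <<'EOF'
provider "aws" {
  region     = "us-east-1"
  access_key = var.aws_access_key
  secret_key = var.aws_secret_key
}
EOF
  # terraform.tfvars: auto-loaded by Terraform from the working directory.
  # Constructed placeholder values; this file must stay out of the repository.
  cat > "$1/terraform.tfvars" <<'EOF'
aws_access_key = "PLACEHOLDER_ACCESS_KEY"
aws_secret_key = "PLACEHOLDER_SECRET_KEY"
EOF
  # .gitignore: keep every tfvars file (including *.auto.tfvars) untracked.
  cat > "$1/.gitignore" <<'EOF'
*.tfvars
*.tfvars.json
EOF
}

# Write the anti-pattern into directory $1: credentials as literals in the code.
setup_hardcoded_project() {
  mkdir -p "$1"
  cat > "$1/main.tf" <<'EOF'
provider "aws" {
  region     = "us-east-1"
  access_key = "PLACEHOLDER_HARDCODED_ACCESS_KEY"
  secret_key = "PLACEHOLDER_HARDCODED_SECRET_KEY"
}
EOF
}

# Check 1: no .tf file in $1 assigns a quoted literal to a credential attribute.
# Returns 0 when clean, 1 when a hard-coded credential is found.
check_no_hardcoded_creds() {
  ! grep -Eq '(access_key|secret_key|client_secret|token)[[:space:]]*=[[:space:]]*"' "$1"/*.tf 2>/dev/null
}

# Check 2: .gitignore in $1 covers *.tfvars. Returns 0 when it does.
check_tfvars_ignored() {
  grep -Fxq '*.tfvars' "$1/.gitignore" 2>/dev/null
}

# Alternative to the file: Terraform maps TF_VAR_<name> to variable "<name>",
# so the same values can come from the environment of the machine or CI runner.
export_creds_from_env() {
  export TF_VAR_aws_access_key="$1"
  export TF_VAR_aws_secret_key="$2"
}

# Usage: build the layout in a temporary directory and run both checks.
demo_dir=$(mktemp -d)
setup_project "$demo_dir"
if check_no_hardcoded_creds "$demo_dir" && check_tfvars_ignored "$demo_dir"; then
  echo "layout ok: $demo_dir"
else
  echo "layout FAILED: $demo_dir"
fi
```

The two checks are deliberately simple grep-based gates: the first fails the moment a credential attribute is assigned a quoted string anywhere in the .tf files, and the second fails when the tfvars pattern is missing from .gitignore. Either one running in a pre-commit hook or CI step catches the "hard-coded in the code" and "tfvars committed to the repository" cases the post warns about; when the values come from TF_VAR_ variables instead, no file on disk holds them at all.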

From an attacker's perspective, you would likely want to search for any files called "terraform.tfvars" to find the values that are loaded each time Terraform runs. Additionally, dumping environment variables would help identify any system-stored Terraform variables.

I hope this helps explain the different places authentication information can be stored for Terraform. If you have any additional questions at all, don't hesitate to contact us!