Censor Terraform Providers.
# Only google provider and azurerm provider are allowed
$ cat .tfprovidercheck.yaml
providers:
- name: registry.terraform.io/hashicorp/google
version: ">= 4.0.0"
- name: registry.terraform.io/hashicorp/azurerm
# tfprovidercheck fails because aws provider is disallowed
$ terraform version -json | tfprovidercheck
FATA[0000] tfprovidercheck failed error="this Terraform Provider is disallowed" program=tfprovidercheck provider_name=registry.terraform.io/hashicorp/aws tfprovidercheck_version=0.1.0
tfprovidercheck is a command line tool to execute Terraform security. It prevents malicious Terraform Providers from being executed. You can define the allow list of Terraform Providers and their versions, and check if disallowed providers aren't used.
tfprovidercheck is a single binary written in Go. So you only need to install an execurable file into $PATH
.
brew install suzuki-shunsuke/tfprovidercheck/tfprovidercheck
scoop bucket add suzuki-shunsuke https://github.com/suzuki-shunsuke/scoop-bucket
scoop install tfprovidercheck
aqua g -i suzuki-shunsuke/tfprovidercheck
- Download a prebuilt binary from GitHub Releases and install it into
$PATH
Verify downloaded assets from GitHub Releases
You can verify downloaded assets using some tools.
--
- GitHub CLI
tfprovidercheck >= v1.0.1
You can install GitHub CLI by aqua.
aqua g -i cli/cli
gh release download -R suzuki-shunsuke/tfprovidercheck v1.0.1 -p tfprovidercheck_darwin_arm64.tar.gz
gh attestation verify tfprovidercheck_darwin_arm64.tar.gz \
-R suzuki-shunsuke/tfprovidercheck \
--signer-workflow suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml
Output:
Loaded digest sha256:4e444f43865f52c1d969a9af9691f062f60e0bc64c713ee2e90c2163c8ce0d67 for file://tfprovidercheck_darwin_arm64.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!
sha256:4e444f43865f52c1d969a9af9691f062f60e0bc64c713ee2e90c2163c8ce0d67 was attested by:
REPO PREDICATE_TYPE WORKFLOW
suzuki-shunsuke/go-release-workflow https://slsa.dev/provenance/v1 .github/workflows/release.yaml@7f97a226912ee2978126019b1e95311d7d15c97a
- slsa-verifier
You can install slsa-verifier by aqua.
aqua g -i slsa-framework/slsa-verifier
gh release download -R suzuki-shunsuke/tfprovidercheck v1.0.1 -p tfprovidercheck_darwin_arm64.tar.gz -p multiple.intoto.jsonl
slsa-verifier verify-artifact tfprovidercheck_darwin_arm64.tar.gz \
--provenance-path multiple.intoto.jsonl \
--source-uri github.com/suzuki-shunsuke/tfprovidercheck \
--source-tag v1.0.1
Output:
Verified signature against tlog entry index 137013754 at URL: https://rekor.sigstore.dev/api/v1/log/entries/108e9186e8c5677a1d8396570e05ff2dccf0d5060dbf587764f72ac809690392674ad9b57aa6bcf7
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v2.0.0" at commit 877e39ddd975a45a467fc4a5bacdf55d374df198
Verifying artifact tfprovidercheck_darwin_arm64.tar.gz: PASSED
PASSED: SLSA verification passed
- Cosign
You can install Cosign by aqua.
aqua g -i sigstore/cosign
gh release download -R suzuki-shunsuke/tfprovidercheck v1.0.1
cosign verify-blob \
--signature tfprovidercheck_1.0.1_checksums.txt.sig \
--certificate tfprovidercheck_1.0.1_checksums.txt.pem \
--certificate-identity-regexp 'https://github\.com/suzuki-shunsuke/go-release-workflow/\.github/workflows/release\.yaml@.*' \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
tfprovidercheck_1.0.1_checksums.txt
Output:
Verified OK
After verifying the checksum, verify the artifact.
cat tfprovidercheck_1.0.1_checksums.txt | sha256sum -c --ignore-missing
- go install
go install github.com/suzuki-shunsuke/tfprovidercheck/cmd/tfprovidercheck@latest
Please run terraform init
in advance to update the list of Terraform Providers.
terraform version -json | tfprovidercheck [-c <configuration file path>]
To prevent malicious codes from being executed, you should run tfprovidercheck before running other Terraform commands such as terraform validate
, terraform plan
, and terraform apply
.
$ tfprovidercheck --help
tfprovidercheck - Censor Terraform Providers
https://github.com/suzuki-shunsuke/tfprovidercheck
Usage:
tfprovidercheck [<options>]
Options:
-help, -h Show help
-version, -v Show version
-config, -c Configuration file path
There are several ways to configure tfprovidercheck. In order of priority, they are as follows.
- The command line option
-config [-c]
, which is the configuration file path - The environment variable
TFPROVIDERCHECK_CONFIG_BODY
, which is the configuration itself (YAML) - The environment variable
TFPROVIDERCHECK_CONFIG
, which is the configuration file path - The configuration file
.tfprovidercheck.yaml
on the current directory
The field providers
lists allowed providers and their versions.
e.g.
providers:
- name: registry.terraform.io/hashicorp/aws
version: ">= 3.0.0" # Quotes are necessary because '>' is a special character for YAML
- name: registry.terraform.io/hashicorp/google
# version is optional
name
(Required, string):name
must be equal to the provider name. Regular expression and glob aren't supportedversion
(Optional, string): The version constraint of Terraform Provider.version
is evaluated as hashicorp/go-version' Version Constraints. Ifversion
is empty, any version is allowed
It's important to prevent configuration from being tamperd.
If you run tfprovidercheck on GitHub Actions, pull_request_target
event is useful to prevent workflows from being tampered.
Secure GitHub Actions by pull_request_target
tfprovidercheck supports configuring with the environment variable TFPROVIDERCHECK_CONFIG_BODY
, so you can define the configuraiton in a workflow file.
e.g.
- run: terraform version -json | tfprovidercheck
env:
TFPROVIDERCHECK_CONFIG_BODY: |
providers:
- name: registry.terraform.io/hashicorp/aws
version: ">= 3.0.0"
Then you can prevent configuration from being tampered by pull_request_target
event.
About .terraform.lock.hcl, .terraform.lock.hcl doesn't work as the allow list of providers because terraform init
adds missing providers automatically.
This means malicious providers not included in .terraform.lock.hcl can be executed in CI.
About required_providers block, there are several reasons tfprovidercheck is useful compared with required_providers block.
First, it's difficult to validate required_providers in child Terraform Modules.
Second, required_providers block can be tampered in pull requests CI without code review.
On the other hand, you can prevent tfprovidercheck configuration from being tampered by several ways such as GitHub Actions' pull_request_target
.
Third, tfprovidercheck enables you to manange the allow list of providers with a single YAML outside of Terraform working directory. So administrators (SRE, Platform Engineer, DevOps Engineer, etc) can keep the security and governance easily while delegating the management of Terraform configuration to product teams.
If you validate providers with required_providers block, admins need to have the ownership of required_providers block and review changes of them. In case of Monorepo, the number of required_providers block is proportion to the number of working directories. GitHub CODEOWNERS manages the ownership per file, so admins may be supposed to review pull requests even for unrelated changes. For example, if you update Terraform Providers by Renovate, admins need to review pull requests every time providers are updated. In proportion to the number of working directories in Monorepo, the burden of admins gets higher. And this also makes provider auto update difficult.
On the other hand, if you validate providers with tfprovidercheck, admins don't care about required_blocks providers unless tfprovidercheck fails, so the burden of admins gets lower.
Fourth, the purpose and intention of tfprovidercheck is so simple and clear that it's easy to handle the error of tfprovidercheck and to maintain tfprovidercheck configuraiton. tfprovidercheck is a dedicated security tool to manage the allow list of Terraform Providers and prevent disallowed providers from being used.