Securing Your Infrastructure with Terraform: Making Security an Enabler, Not a Blocker (PART 1)

11 Apr, 2023

Securing your infrastructure is a fundamental part of any successful business. But doing it manually can be time-consuming and costly. That’s why many organizations are turning to Terraform for help. Terraform is a powerful, open-source infrastructure-as-code software that allows you to easily and securely provision, manage, and version your cloud, container, and on-premise infrastructure. With Terraform, you can make security an enabler rather than a blocker. It can help you quickly define, deploy, and manage your cloud resources in a secure, automated, and compliant way. Plus, Terraform’s built-in security features enable you to easily enforce security standards and best practices. This makes it easier to create and manage secure, trustworthy environments.

Benefits of using Terraform for infrastructure security

Using Terraform for infrastructure security can provide organizations with multiple benefits:

  • It allows organizations to quickly and easily define, deploy, and manage their cloud resources in a secure, automated, and compliant way, eliminating manual security processes that are time-consuming and expensive.
  • Its built-in security features enable organizations to easily enforce security standards and best practices, which helps them create and maintain secure, trustworthy environments.
  • It can be used to quickly audit and validate infrastructure configurations and ensure compliance with security policies.

Overview of Terraform’s built-in security features

Terraform offers several built-in security features that enable organizations to easily enforce security standards and best practices. These features include:

  • Infrastructure-as-code: Terraform enables organizations to define and deploy their infrastructure using code, which makes it easier to audit and validate configurations.
  • Access Control: Terraform supports role-based access control (RBAC) to ensure that only authorized users are able to access and manage cloud resources.
  • Encryption: Terraform provides support for encryption at-rest and in-transit, which helps organizations protect sensitive data.
  • Compliance: Terraform enables organizations to easily audit and validate infrastructure configurations to ensure compliance with security policies.
  • Monitoring: Terraform provides real-time monitoring of cloud resources, which helps organizations quickly detect and respond to security issues.

Best practices for using Terraform to secure your infrastructure

When using Terraform for infrastructure security, it is crucial to follow best practices to ensure that your environment is secure and compliant. One such practice is to use version control, which keeps track of changes to Terraform code and configurations and limits changes to authorized users only. Additionally, automating security checks such as vulnerability scans and penetration tests through Terraform lets you quickly detect and respond to security issues.

Using a secure pipeline is also imperative for managing the process of testing, deploying, and managing your infrastructure. Terraform provides a secure pipeline that enables you to efficiently deploy and manage cloud resources. Monitoring your infrastructure is also essential to ensure the environment is secure and compliant, and Terraform provides real-time monitoring of cloud resources to quickly detect and respond to security issues.

Another best practice is to audit your infrastructure to ensure compliance and security. Terraform simplifies this process by providing the ability to easily audit and validate infrastructure configurations. By adhering to these best practices, you can use Terraform to secure your infrastructure effectively.

How to use Terraform to enforce security standards

Using Terraform, organizations can easily enforce security standards and best practices. Here are some of the ways that organizations can use Terraform to enforce security standards:

  • Automate security checks: Automating security checks can help organizations quickly detect and respond to security issues. Using Terraform, organizations can easily automate security checks such as vulnerability scans and penetration tests.

Azure example:

resource "azurerm_network_security_group" "example" {
  name                = "example-security-group"
  location            = "westeurope" # required by the provider; matches the other examples
  resource_group_name = "example-resource-group"

  # All protocols and ports, but only from the single source address below
  security_rule {
    name                       = "example-rule"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefix      = "1.2.3.4/32"
    destination_address_prefix = "*"
  }
}

GCP example:

resource "google_compute_firewall" "example" {
  name    = "example-security-group"
  network = google_compute_network.example_network.self_link

  # "all" covers every protocol, so no ports list is given; the source
  # restriction sits on the firewall rule itself, not inside the allow block
  allow {
    protocol = "all"
  }

  source_ranges = ["1.2.3.4/32"]
}

AWS example:

resource "aws_security_group" "example" {
  name        = "example-security-group"
  description = "Allows access from 1.2.3.4/32"
  vpc_id      = aws_vpc.example_vpc.id

  # protocol "-1" with ports 0-0 means all protocols and all ports
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["1.2.3.4/32"]
  }
}

  • Use role-based access control: Terraform supports role-based access control (RBAC), which enables organizations to restrict access to cloud resources to only authorized users.

Azure example:

resource "azurerm_role_assignment" "example" {
  scope                = "/subscriptions/00000000-0000-0000-0000-000000000000"
  role_definition_name = "Contributor"
  principal_id         = "00000000-0000-0000-0000-000000000000"
}

GCP example:

resource "google_project_iam_member" "example" {
  project = google_project.example.project_id
  role    = "roles/owner"
  # members are identities (user:, group:, serviceAccount:), not GUIDs; placeholder address
  member  = "user:example@example.com"
}

AWS example:

resource "aws_iam_role_policy_attachment" "example" {
  role       = aws_iam_role.example.name
  # AWS-managed policy ARNs use the "aws" pseudo-account, not an account id
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

  • Use encryption: Encrypting data at-rest and in-transit is an important security best practice. Terraform provides support for encryption, which helps organizations protect their sensitive data.

Azure example:

resource "azurerm_key_vault" "example" {
  name                        = "my-key-vault"
  location                    = "westeurope"
  resource_group_name         = "my-resource-group"
  tenant_id                   = "00000000-0000-0000-0000-000000000000" # required
  sku_name                    = "standard"                             # required
  enabled_for_disk_encryption = true

  access_policy {
    tenant_id          = "00000000-0000-0000-0000-000000000000"
    object_id          = "00000000-0000-0000-0000-000000000000"
    secret_permissions = ["Backup", "Restore"]
    key_permissions    = ["Get", "Encrypt", "Decrypt", "WrapKey", "UnwrapKey"]
  }
}

GCP example:

# A crypto key lives in a key ring; the key ring carries the location and project
resource "google_kms_key_ring" "example" {
  name     = "my-key-ring"
  location = "europe-west4"
  project  = "my-project"
}

resource "google_kms_crypto_key" "example" {
  name            = "my-key-vault"
  key_ring        = google_kms_key_ring.example.id
  rotation_period = "10080h"

  version_template {
    algorithm        = "GOOGLE_SYMMETRIC_ENCRYPTION"
    protection_level = "SOFTWARE"
  }
}

# Use of the key is granted through IAM on the key, not an inline policy block
resource "google_kms_crypto_key_iam_member" "example" {
  crypto_key_id = google_kms_crypto_key.example.id
  role          = "roles/cloudkms.cryptoKeyEncrypterDecrypter"
  member        = "group:example@example.com"
}

AWS example:

resource "aws_kms_key" "example" {
  description             = "My key vault"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  # Lets IAM policies in this account govern use of the key;
  # 000000000000 is a placeholder account id
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    }
  ]
}
POLICY
}

  • Monitor cloud resources: Monitoring cloud resources is essential for ensuring that an organization’s environment is secure and compliant. Terraform provides real-time monitoring of cloud resources, which can help organizations quickly detect and respond to security issues.

Azure example:

resource "azurerm_log_analytics_workspace" "example" {
  name                = "my-log-analytics-workspace"
  location            = "westeurope"
  resource_group_name = "my-resource-group"
  sku                 = "PerGB2018" # the sku is a plain string, not a block
}

# The "Security" solution is a separate resource attached to the workspace
resource "azurerm_log_analytics_solution" "security" {
  solution_name         = "Security"
  location              = azurerm_log_analytics_workspace.example.location
  resource_group_name   = azurerm_log_analytics_workspace.example.resource_group_name
  workspace_resource_id = azurerm_log_analytics_workspace.example.id
  workspace_name        = azurerm_log_analytics_workspace.example.name

  plan {
    publisher = "Microsoft"
    product   = "OMSGallery/Security"
  }
}

GCP example:

resource "google_monitoring_group" "example" {
  display_name = "my-log-analytics-workspace"
  project      = "my-project"
  # A group selects monitored resources by filter; this filter is a placeholder
  filter       = "resource.type = \"gce_instance\""
  is_cluster   = false
}

# Log-based metric, exposed to Cloud Monitoring as logging.googleapis.com/user/security_logs
resource "google_logging_metric" "example" {
  name        = "security_logs"
  project     = "my-project"
  description = "Security logs"
  # Counts Admin Activity audit log entries; the filter is a placeholder
  filter      = "logName = \"projects/my-project/logs/cloudaudit.googleapis.com%2Factivity\""

  metric_descriptor {
    metric_kind = "DELTA"
    value_type  = "INT64"
  }
}

AWS example:

resource "aws_cloudwatch_log_group" "example" {
  name              = "my-log-analytics-workspace"
  retention_in_days = 14
  kms_key_id        = aws_kms_key.example.arn
  tags = {
    Name = "my-log-analytics-workspace"
  }
}

resource "aws_kms_key" "example" {
  description             = "My key vault"
  deletion_window_in_days = 7
  enable_key_rotation     = true

  # Log group creation fails unless the key policy also lets the CloudWatch Logs
  # service principal use the key; 000000000000 and eu-west-1 are placeholders
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Id": "key-consolepolicy-3",
  "Statement": [
    {
      "Sid": "Enable IAM User Permissions",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000000:root"
      },
      "Action": "kms:*",
      "Resource": "*"
    },
    {
      "Sid": "Allow CloudWatch Logs to use the key",
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.eu-west-1.amazonaws.com"
      },
      "Action": [
        "kms:Encrypt*",
        "kms:Decrypt*",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*",
        "kms:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}

  • Audit infrastructure configurations: Auditing infrastructure configurations is another important security best practice. Terraform provides the ability to easily audit and validate infrastructure configurations.

Azure example:

# azurerm 3.x replaced azurerm_policy_assignment with scope-specific resources
resource "azurerm_subscription_policy_assignment" "example" {
  name                 = "policy-assignment-example"
  subscription_id      = "/subscriptions/00000000-0000-0000-0000-000000000000"
  policy_definition_id = "/providers/Microsoft.Authorization/policyDefinitions/00000000-0000-0000-0000-000000000000"

  # Parameter values are passed as a JSON object keyed by parameter name
  parameters = jsonencode({
    auditResourceIds = { value = ["/subscriptions/00000000-0000-0000-0000-000000000000"] }
  })
}

GCP example:

resource "google_project_iam_audit_config" "example" {
  project = "my-project"
  service = "allServices"
  audit_log_config {
    log_type = "DATA_READ"
  }
}

resource "google_project_iam_binding" "example" {
  project = "my-project"
  role    = "roles/editor"
  members = ["user:example@gmail.com"]
}

# google_project_iam_policy is authoritative: it replaces the whole project policy,
# including the binding and audit config above, so use one style or the other
resource "google_project_iam_policy" "example" {
  project     = "my-project"
  policy_data = <<EOF
{
  "bindings": [
    {
      "role": "roles/editor",
      "members": [
        "user:example@gmail.com"
      ]
    }
  ]
}
EOF
}

AWS example:

resource "aws_iam_role" "example" {
  name = "my-project-role"

  # Principals in AWS policies are ARNs; 000000000000 is a placeholder account id
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": ["arn:aws:iam::000000000000:user/example"]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "example" {
  name = "my-project-policy"

  # Identity-based policies carry no Principal element; who receives the policy is
  # decided by attaching it. The condition limits it to principals tagged role=editor.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowEditorForExample",
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "editor"
        }
      }
    }
  ]
}
EOF
}

# There is no aws_iam_audit_configuration resource; CloudTrail is the AWS audit log
resource "aws_cloudtrail" "example" {
  name                       = "my-project-trail"
  s3_bucket_name             = "my-project-cloudtrail-bucket" # placeholder; bucket needs a CloudTrail bucket policy
  is_multi_region_trail      = true
  enable_log_file_validation = true

  event_selector {
    read_write_type = "ReadOnly" # closest match to the DATA_READ scope used above
  }
}
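The automated security checks and configuration audits this list describes can be run against Terraform's own plan output before anything is applied. The Python script below is an added example, not code from the article or from HashiCorp: it reads the JSON that `terraform show -json tfplan` produces and flags security groups open to the whole internet on every protocol, broad role assignments such as Contributor or roles/owner, and CloudWatch log groups without a KMS key. The plan document embedded in it is constructed for illustration, and the `BROAD_ROLES` set is an assumption to adapt to your own policy.

```python
import json
# Constructed sample in the shape `terraform show -json tfplan` emits, trimmed to
# the fields the check reads (it is not output from the article's own configs).
SAMPLE_PLAN_JSON = json.dumps({"planned_values": {"root_module": {
    "resources": [
        {"address": "aws_security_group.open", "type": "aws_security_group",
         "values": {"ingress": [{"protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]}},
        {"address": "aws_security_group.example", "type": "aws_security_group",
         "values": {"ingress": [{"protocol": "-1", "cidr_blocks": ["1.2.3.4/32"]}]}},
        {"address": "aws_cloudwatch_log_group.example", "type": "aws_cloudwatch_log_group",
         "values": {"retention_in_days": 14, "kms_key_id": None}}],
    "child_modules": [{"address": "module.iam", "resources": [
        {"address": "module.iam.azurerm_role_assignment.example",
         "type": "azurerm_role_assignment", "values": {"role_definition_name": "Contributor"}},
        {"address": "module.iam.google_project_iam_member.example",
         "type": "google_project_iam_member", "values": {"role": "roles/owner"}}]}]}}})

# Roles broad enough that a least-privilege review should approve them explicitly (assumption)
BROAD_ROLES = {"Owner", "Contributor", "roles/owner", "roles/editor"}

def check_resource(res):
    """Return findings (strings) for one planned resource; empty list if clean."""
    rtype, values, out = res["type"], res.get("values") or {}, []
    if rtype == "aws_security_group":
        for rule in values.get("ingress") or []:
            if rule.get("protocol") == "-1" and "0.0.0.0/0" in (rule.get("cidr_blocks") or []):
                out.append(f"{res['address']}: all protocols open to 0.0.0.0/0")
    elif rtype in ("azurerm_role_assignment", "google_project_iam_member",
                   "google_project_iam_binding"):
        role = values.get("role_definition_name") or values.get("role")
        if role in BROAD_ROLES:
            out.append(f"{res['address']}: broad role {role} assigned")
    elif rtype == "aws_iam_role_policy_attachment":
        if str(values.get("policy_arn") or "").endswith("/AdministratorAccess"):
            out.append(f"{res['address']}: AdministratorAccess attached")
    elif rtype == "aws_cloudwatch_log_group" and not values.get("kms_key_id"):
        out.append(f"{res['address']}: log group not encrypted with a KMS key")
    return out

def check_plan(plan_json):
    """Walk the root module and every nested module of a plan JSON; return all findings."""
    findings = []
    def walk(module):
        for res in module.get("resources") or []:
            findings.extend(check_resource(res))
        for child in module.get("child_modules") or []:
            walk(child)
    walk(json.loads(plan_json)["planned_values"]["root_module"])
    return findings
```

In a pipeline, run `terraform plan -out=tfplan && terraform show -json tfplan` and fail the job when `check_plan` returns any findings.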

How to integrate third-party security tools with Terraform

Organizations can integrate third-party security tools with Terraform to further secure their infrastructure. Here are some tips and tricks for integrating third-party security tools with Terraform:

  • Use identity and access management (IAM) tools: IAM tools can help organizations manage user access to cloud resources. Organizations can integrate IAM tools with Terraform to easily enforce role-based access control (RBAC).
  • Use vulnerability scanners: Vulnerability scanners can help organizations identify potential security flaws in their infrastructure. Organizations can integrate vulnerability scanners with Terraform to quickly detect and respond to security issues.
  • Use intrusion detection systems (IDS): IDS can help organizations detect and respond to malicious activity. Organizations can integrate IDS with Terraform to monitor their infrastructure for malicious activity.
  • Use security information and event management (SIEM) tools: SIEM tools can help organizations monitor and analyze security-related events. Organizations can integrate SIEM tools with Terraform to quickly detect and respond to security issues.
Maikel van Amen
I am the Walter White of Cloud Security Engineering, breaking bad security measures and ensuring your infrastructure is secure from all kinds of intruders. I focus on Microsoft Azure and love to play with vulnerability management, secret management, and identity and access management - it's like cooking up the perfect recipe! When I'm not cooking up a storm in the Cloud Security lab, you can find me on the football pitch, coaching young players and scoring some goals of my own.