After declaring a variable, you can supply its value in four different ways:
- Interactively while running `terraform apply`
- As a command line argument: `terraform apply -var="password=Sekret1"`
- In environment variables: `TF_VAR_password="Sekret1" terraform apply`
- In a separate file: `terraform apply -var-file="secrets.tfvars"`. These files should be kept secured and should never be checked into source control.
Variables make configurations reusable, but they also introduce complexity. If a variable holds a misconfigured value, every module that references that variable inherits the misconfiguration. So it’s important to have tooling that scans variables, not just individual resource blocks. We’ll get into that more in the next section.
Infuse automated scanning into development processes
Another benefit of using Terraform to define infrastructure is the ability to audit code for misconfigurations before any infrastructure is created. In this way, you can incorporate security into development processes earlier and prevent infrastructure issues (like opening an S3 bucket to the world) from being deployed to your running cloud environment.
Using open-source, static code analysis tools like Checkov, you can scan your Terraform templates and directories for misconfigurations without the added friction of integrating your own code. A tool like Checkov has hundreds of built-in policies that cover encryption, network, backup, and identity and access management (IAM) compliance and security configurations for AWS, GCP, and Azure cloud providers.
For consistency, automate IaC scanning in your continuous integration/continuous delivery (CI/CD) pipeline. This allows you to provide automated feedback as a part of a CI run and potentially block misconfigured code.
You can also be notified about infrastructure as code (IaC) misconfigurations and policy violations at the earliest possible moment within the DevOps lifecycle: when you are coding on your local workstation. You can get feedback directly in your integrated development environment (IDE) using Bridgecrew’s Visual Studio Code (VS Code) extension.
Review the plan for security issues, too
With local or CI/CD scanning of your Terraform code, you get instant feedback on your modules and templates. But because of Terraform’s dependency-driven nature, you might not be getting the full picture. To get a holistic view of what is actually being provisioned or changed, including the values that variables resolve to, you may need to scan the Terraform plan output. Scanning the plan also catches a misconfiguration whose value originates in a variable or parameter defined in a different code block, so that no risk goes unidentified.
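As an added example, and not Checkov or Bridgecrew code, the following Python script shows the idea behind plan scanning and why it also covers the variable problem from the previous section: it reads the JSON that `terraform show -json tfplan` produces (where variables and module inputs have already been resolved) and flags any S3 bucket whose ACL resolves to a public value, walking into child modules. The plan document embedded in the script is constructed for the example; the resource names and the `PUBLIC_ACLS` set are the example’s own choices, not a Checkov policy.

```python
"""Flag world-readable S3 buckets in a Terraform plan (terraform show -json).

Added example for illustration; not the code of Checkov or Bridgecrew.
Scanning the plan rather than the .tf source matters because the source may
only say `acl = var.bucket_acl`, while the plan holds the resolved value.
"""
import json
from typing import Iterator

# Constructed sample of `terraform show -json tfplan` output. The bucket in the
# child module got its ACL from a variable, which is only visible here.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_s3_bucket.logs",
                    "type": "aws_s3_bucket",
                    "name": "logs",
                    "values": {"bucket": "example-logs", "acl": "private"},
                }
            ],
            "child_modules": [
                {
                    "address": "module.website",
                    "resources": [
                        {
                            "address": "module.website.aws_s3_bucket.site",
                            "type": "aws_s3_bucket",
                            "name": "site",
                            "values": {"bucket": "example-site", "acl": "public-read"},
                        }
                    ],
                }
            ],
        }
    },
})

# Canned ACLs that grant access beyond the bucket owner's account.
# "authenticated-read" is included because it opens the bucket to any AWS account.
PUBLIC_ACLS = {"public-read", "public-read-write", "authenticated-read"}

# Resource types that carry an `acl` attribute for a bucket.
BUCKET_TYPES = ("aws_s3_bucket", "aws_s3_bucket_acl")


def iter_resources(module: dict) -> Iterator[dict]:
    """Yield every resource in a plan module and, recursively, its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def find_public_buckets(plan_json: str) -> list[str]:
    """Return 'address: acl=<value>' for each bucket planned with a public ACL."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    findings = []
    for res in iter_resources(root):
        if res.get("type") not in BUCKET_TYPES:
            continue
        acl = (res.get("values") or {}).get("acl")
        if acl in PUBLIC_ACLS:
            findings.append(f"{res['address']}: acl={acl}")
    return findings


if __name__ == "__main__":
    # Runs against the constructed sample; in a pipeline you would pass the
    # real plan JSON and fail the job when any finding is returned.
    for finding in find_public_buckets(SAMPLE_PLAN):
        print("FAIL", finding)
```

In a CI job the same function would run over the real plan JSON after `terraform plan -out=tfplan` and `terraform show -json tfplan > tfplan.json`, and a non-empty result would fail the build before `terraform apply` runs.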
SaaS platforms such as Bridgecrew make this easy with native integrations. One such integration is with Terraform Cloud. With Bridgecrew’s continuous policy enforcement and security feedback for both IaC and cloud accounts, you can prevent misconfigured modules from being provisioned and identify errors introduced manually. Bridgecrew also takes policy-as-code a step further, transforming runtime errors into Terraform fixes.
Terraform is a powerful tool for managing your infrastructure. As your infrastructure grows and Terraform configurations multiply, it’s important to secure that infrastructure from development to production. Learning these and other best practices will help you get the most out of Terraform.
Ready to get even more out of your Terraform environment and help with your security and compliance policies? Try out our Terraform workshop, where you’ll:
- Get an overview of DevSecOps and Terraform infrastructure as code (IaC)
- Scan IaC files for misconfigurations locally
- Set up CI/CD pipelines to automate security scanning and policy enforcement
- Fix IaC security errors and AWS resource misconfigurations with Bridgecrew
Or maybe you’re ready to try it for yourself. If so, schedule a demo of Bridgecrew or get started for free today.