
Support Terraform Manifest and Code Scanning to Identify 3rd Party Providers #252

Closed
abhisek opened this issue Oct 15, 2024 · 8 comments

@abhisek
Member

abhisek commented Oct 15, 2024

Problem

Terraform is an important piece of software in DevOps & infra management due to the privileged access in cloud infrastructure. Terraform has the concept of providers to extend supported platforms that can be managed by Terraform. For example, Terraform officially supports AWS, but there are a large number of community-supported providers.

Terraform Plugins & Provider

From plugin docs

Terraform Plugins: Plugins are executable binaries written in Go that communicate with Terraform Core over an RPC interface. Terraform currently supports one type of plugin called providers.

Locking providers (plugins) to specific versions

When terraform init is run, Terraform reads configuration files in the working directory to determine which plugins are necessary, searches for installed plugins in several locations, sometimes downloads additional plugins, decides which plugin versions to use, and writes a lock file to ensure Terraform will use the same plugin versions in this directory until terraform init runs again.

Terraform generates a .terraform.lock.hcl after plugin discovery. This file contains:

  1. Provider identifier e.g. registry.terraform.io/hashicorp/random
  2. Locked version of the provider e.g. 3.6.3

This information can be leveraged to create a Package model in vet to represent a discovered 3rd party component that may or may not have a risk.

Supply Chain Risk

Terraform plugins (providers) are 3rd party code. Even if you trust terraform, you cannot trust all providers. This introduces the possibility of malicious Terraform providers getting access to privileged environments and secrets.

Solution

We will tackle this problem in two parts in vet:

  1. Parse .terraform.lock.hcl and create the PackageManifest and Package models internally
  2. Enrich the discovered plugins with security metadata for policies to determine risk

[1] should be straightforward. We need to build a .terraform.lock.hcl parser and read in the plugin definitions. parsers and npm graph parser are relevant references to take this forward.
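One way to do the parsing that step [1] calls for, as an added example that is not part of vet or of this issue: a Go function that pulls the provider identifier, locked version and recorded checksums out of a constructed .terraform.lock.hcl, skipping any block that carries no version line. The LockedProvider type and sampleLock are this example's own names, not vet's Package or PackageManifest models.

```go
package main

import "regexp"

// LockedProvider is the minimal Package-like model this example derives from one
// provider block of .terraform.lock.hcl (the type name is this example's own).
type LockedProvider struct {
	Name    string   // registry identifier, e.g. registry.terraform.io/hashicorp/random
	Version string   // locked version, e.g. 3.6.3
	Hashes  []string // h1:/zh: checksums recorded by terraform init
}

var blockRe = regexp.MustCompile(`(?s)provider\s+"([^"]+)"\s*\{(.*?)\n\}`)
var versionRe = regexp.MustCompile(`\bversion\s*=\s*"([^"]+)"`)
var hashRe = regexp.MustCompile(`"((?:h1|zh):[^"]+)"`)

// ParseTerraformLock extracts every provider block from the lock file text.
// It handles only the flat HCL subset terraform writes there; a block without
// a version line is skipped, since nothing is pinned by such an entry.
func ParseTerraformLock(content string) []LockedProvider {
	var out []LockedProvider
	for _, b := range blockRe.FindAllStringSubmatch(content, -1) {
		v := versionRe.FindStringSubmatch(b[2])
		if v == nil {
			continue
		}
		p := LockedProvider{Name: b[1], Version: v[1]}
		for _, h := range hashRe.FindAllStringSubmatch(b[2], -1) {
			p.Hashes = append(p.Hashes, h[1])
		}
		out = append(out, p)
	}
	return out
}

// sampleLock is a constructed lock file with placeholder hashes; the second,
// version-less block is made up to exercise the skip path.
const sampleLock = `# This file is maintained automatically by "terraform init".
provider "registry.terraform.io/hashicorp/random" {
  version     = "3.6.3"
  constraints = "~> 3.0"
  hashes = [
    "h1:PLACEHOLDER000000000000000000000000000000000=",
    "zh:0000000000000000000000000000000000000000000000000000000000000001",
  ]
}
provider "registry.terraform.io/example/unpinned" {
  constraints = ">= 1.0"
}`
```

Each returned LockedProvider carries exactly the two fields the issue lists (identifier and locked version) plus the checksums, which is what a Package model would need to query an insights backend and to detect a lock file that was edited to point at a different binary.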

@insaaniManav
Contributor

Hi, can you add some description here and I can pick this up?

@abhisek
Member Author

abhisek commented Oct 17, 2024

@insaaniManav Thanks for your interest. I have added more details about this issue. Let me know if you have any question or suggestion.

@insaaniManav
Contributor

#260 @abhisek here is the draft PR - this should ideally accomplish [1]. I am now setting out to figure out how to do [2].

@abhisek
Member Author

abhisek commented Oct 21, 2024

@insaaniManav I think we should get [1] merged first before working on [2] which may require some research and enhancement in our backend Insights Service which is responsible for providing vet security metadata of a package.

@insaaniManav
Contributor

Oh perfect, can you add some comments to this then? @abhisek

@abhisek
Member Author

abhisek commented Oct 21, 2024

Oh perfect, can you add some comments to this then? @abhisek

@insaaniManav Already added review comments to #260. Is that what you meant?

@insaaniManav
Contributor

@abhisek can we close this ?

@abhisek
Member Author

abhisek commented Oct 21, 2024

Thanks for your contribution @insaaniManav

abhisek closed this as completed Oct 21, 2024