HackTricks Cloud
HackTricks Cloud
Ask or search…
⌃K
Links
Comment on page

Terraform Enterprise Security

Support HackTricks and get benefits!

Basic Information

​Terraform Enterprise is hashicorp self-hosted distribution of Terraform Cloud. It offers enterprises a private instance of the Terraform Cloud application, with no resource limits and with additional enterprise-grade architectural features like audit logging and SAML single sign-on.
"By default, Terraform Enterprise does not prevent Terraform operations from accessing the instance metadata service, which may contain IAM credentials or other sensitive data" (source)
While the focus of this article is on targeting the metadata service, it is worth noting that gaining code execution inside a Terraform run may provide other avenues for attack. For example, environment variables could be leaked which may contain sensitive credentials.

Remote Terraform Execution

Terraform Cloud runs Terraform on disposable virtual machines in its own cloud infrastructure by default. You can leverage Terraform Cloud Agents to run Terraform on your own isolated, private, or on-premises infrastructure. Remote Terraform execution is sometimes referred to as "remote operations."
Therefore, with an API key to contact Terraform Enterprise it's possible to execute arbitrary code in a container in the cloud.
​Terraform API Tokens can be identified by the .atlasv1. substring. They are usually located in ~/.terraform.d/ but attacking CI/CD platforms and clouds you might find them in secrets or env variables.
You can use this token to find the Organization:
curl -H "Authorization: Bearer $TERRAFORM_ENTERPRISE_TOKEN" https://<terra_enterprise_inst>/api/v2/organizations | jq
and with this info find the Workspace:
curl -H "Authorization: Bearer $TERRAFORM_ENTERPRISE_TOKEN" https://<terra_enterprise_inst>/api/v2/organizations/<org-id>/workspaces | jq
Now you need to create a config to communicate with the terraform Enterprise backend. Just get this example and add a hostname with the hostname of the Terraform Enterprise instance:
backend_config.tf
terraform {
backend "remote" {
hostname = "{{TFE_HOSTNAME}}"
organization = "{{ORGANIZATION_NAME}}"
​
workspaces {
name = "{{WORKSPACE_NAME}}"
}
}
}
Initialise your terraform to use the Terraform Enterprise token
terraform init --backend-config="token=$TERRAFORM_ENTERPRISE_TOKEN"
​
# Check if it was correctly initialized
terraform state list
Now that you have Terraform configured to contact the Enterprise backend you can just follow the section RCE in Terraform from:

Pivoting

As it was previously mentined, Terrafomr Enterprise Infra may run in any machine/cloud provides using agents. Therefore, if you can execute code in this machine, you could gather cloud credentials from the metadata endpoint (IAM, user data...). Moreover, check the filesystem and environment variables for other potential secrets and API keys. Also, don't forget to check the network where the machine is located.

Protections

Disabling Remote Operations

Many of Terraform Cloud's features rely on remote execution and are not available when using local operations. This includes features like Sentinel policy enforcement, cost estimation, and notifications.
You can disable remote operations for any workspace by changing its Execution Mode to Local. This causes the workspace to act only as a remote backend for Terraform state, with all execution occurring on your own workstations or continuous integration workers.
Restrict Terraform Build Worker Metadata Access
By default, Terraform Enterprise does not prevent Terraform operations from accessing the instance metadata service, which may contain IAM credentials or other sensitive data. Refer to AWS, Azure, or Google Cloud documentation for more information on this service.

References

Support HackTricks and get benefits!