HashiCorp Terraform allows users to define their infrastructure as code (IaC). This is done through the definition of Terraform modules, i.e. .tf (source) files.
These modules need to be "compiled" in order to generate a Terraform plan file, which can then be applied to your cloud infrastructure (for example AWS) to create, update or destroy resources.
In order to build a threat model from these IaC definitions you can use the .tf files/modules, but in many organisations there are many .tf files distributed across many folders, making it difficult to bring all of those files into a single diagram with a single API call.
The Terraform plan file provides a single point of reference for the infrastructure that has been derived from these source files.
There are 4 stages to generate a threat model:

1. Create the tfplan:
    terraform init
    terraform plan -out tfplan

2. Generate a human-readable format of the tfplan:
    terraform show -json tfplan > tfplan.json

3. Generate a visual representation of the tfplan:
    terraform graph -type plan -plan tfplan > tfplan-graph.gv

4. Generate your threat model using the IriusRisk API:
    curl -L -X POST https://your-instance.iriusrisk.com/api/v1/products/tfplan \
    -H "Content-Type: multipart/form-data" \
    -H "Accept: application/json" \
    -H "api-token: your api token" \
    -F "tfplan-file=@tfplan.json;type=application/json" \
    -F "tfgraph-file=@tfplan-graph.gv" \
    -F "product-id=project reference" \
    -F "name=project name"

which will yield your architectural diagram and threat model.
Reference: https://github.com/aws-samples/aws-ingesting-click-logs-using-terraform
Sometimes external mappings need to be added. In this case the curl command is the same, with one extra parameter that includes the mapping file:
curl -L -X POST https://your-instance.iriusrisk.com/api/v1/products/tfplan \
-H "Content-Type: multipart/form-data" \
-H "Accept: application/json" \
-H "api-token: your api token" \
-F "tfplan-file=@tfplan.json;type=application/json" \
-F "tfgraph-file=@tfplan-graph.gv" \
-F "product-id=project reference" \
-F "name=project name" \
-F "mapping-file=@custom-mappings.yaml;type=text/yaml"
For details on creating mapping files for parsing Terraform plan files, see:
https://iriusrisk.github.io/startleft/startleft-processors/iac/tfplan/Terraform-Plan-how-to-create-a-mapping-file/
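The following helper is an added example, not code from this article or from IriusRisk; it wraps stage 4 (with or without a mapping file) and first checks that tfplan.json really is a `terraform show -json` document, summarising the resource types and planned actions so you know what the diagram will contain before anything leaves your machine. It assumes the API token is provided in an environment variable named IRIUSRISK_API_TOKEN (a name chosen for this example) rather than on the command line, and that the .gv file is sent as application/octet-stream, which is what curl uses when no type is given.

```python
import json
import os
import urllib.request
import uuid
from collections import Counter

def summarize_plan(plan: dict) -> dict:
    """Count resource types and planned actions in a `terraform show -json` document;
    raises ValueError if the file is not a Terraform plan, before anything is uploaded."""
    if "format_version" not in plan or "resource_changes" not in plan:
        raise ValueError("not a Terraform plan JSON: missing format_version/resource_changes")
    types, actions = Counter(), Counter()
    for rc in plan["resource_changes"]:
        types[rc["type"]] += 1
        actions.update(rc["change"]["actions"])  # e.g. ["create"], ["delete", "create"]
    return {"resource_types": dict(types), "actions": dict(actions)}

def multipart_body(fields: dict, files: dict) -> tuple:
    """Encode fields and (filename, content_type, bytes) files like curl's -F; returns (body, boundary)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f"\r\n\r\n{value}\r\n".encode())
    for name, (filename, ctype, data) in files.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                     f'filename="{filename}"\r\nContent-Type: {ctype}\r\n\r\n'.encode()
                     + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), boundary

def upload(instance, product_id, name, plan_path, graph_path, mapping_path=None):
    """Validate tfplan.json, then POST plan, graph and optional mapping file to the
    tfplan endpoint. Token comes from IRIUSRISK_API_TOKEN (env var chosen for this example)."""
    token = os.environ["IRIUSRISK_API_TOKEN"]  # keep the secret out of shell history
    with open(plan_path, "rb") as f:
        plan_bytes = f.read()
    summary = summarize_plan(json.loads(plan_bytes))
    with open(graph_path, "rb") as f:
        files = {"tfplan-file": ("tfplan.json", "application/json", plan_bytes),
                 "tfgraph-file": ("tfplan-graph.gv", "application/octet-stream", f.read())}
    if mapping_path:
        with open(mapping_path, "rb") as f:
            files["mapping-file"] = ("custom-mappings.yaml", "text/yaml", f.read())
    body, boundary = multipart_body({"product-id": product_id, "name": name}, files)
    req = urllib.request.Request(f"https://{instance}/api/v1/products/tfplan", data=body,
        method="POST", headers={"Content-Type": f"multipart/form-data; boundary={boundary}",
                                "Accept": "application/json", "api-token": token})
    with urllib.request.urlopen(req) as resp:
        return summary, json.loads(resp.read())
```

Call `upload("your-instance.iriusrisk.com", "project reference", "project name", "tfplan.json", "tfplan-graph.gv")` after stages 1 to 3, adding `mapping_path="custom-mappings.yaml"` when external mappings are required; it returns the plan summary together with the API's JSON response.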