Prevent malicious Terraform Providers

In this blog post, I describe how tfprovidercheck prevents malicious Terraform Providers from being executed.

To run Terraform securely, we should prevent malicious Terraform Providers from being executed.
tfprovidercheck is a simple command line tool for this.
Using tfprovidercheck, you can define the allow list of Terraform Providers and their versions, and check if disallowed providers aren't used.

# Only google provider and azurerm provider are allowed
$ cat .tfprovidercheck.yaml
providers:
  - name: registry.terraform.io/hashicorp/google
    version: ">= 4.0.0"
  - name: registry.terraform.io/hashicorp/azurerm

# tfprovidercheck fails because aws provider is disallowed
$ terraform version -json | tfprovidercheck
FATA[0000] tfprovidercheck failed                        error="this Terraform Provider is disallowed" program=tfprovidercheck provider_name=registry.terraform.io/hashicorp/aws tfprovidercheck_version=0.1.0

Using tfprovidercheck in Terraform CI, you can improve the security of Terraform CI.

Install

tfprovidercheck is a single binary written in Go. So you only need to install an execurable file into $PATH.

Please see Install.

How to use

1. Prepare tfprovider's configuration
2. Run terraform init to update the list of Terraform Providers
3. Run terraform version -json | tfprovidercheck

To prevent malicious codes from being executed, you should run tfprovidercheck before running other Terraform commands such as terraform validate, terraform plan, and terraform apply.

Configuration

There are several ways to configure tfprovidercheck.
In order of priority, they are as follows.

1. The command line option -config [-c], which is the configuration file path
2. The environment variable TFPROVIDERCHECK_CONFIG_BODY, which is the configuration itself (YAML)
3. The environment variable TFPROVIDERCHECK_CONFIG, which is the configuration file path
4. The configuration file .tfprovidercheck.yaml on the current directory

The field providers lists allowed providers and their versions.

e.g.

providers:
  - name: registry.terraform.io/hashicorp/aws
    version: ">= 3.0.0" # Quotes are necessary because '>' is a special character for YAML
  - name: registry.terraform.io/hashicorp/google
    # version is optional

• name (Required, string): name must be equal to the provider name. Regular expression and glob aren't supported
• version (Optional, string): The version constraint of Terraform Provider. version is evaluated as hashicorp/go-version' Version Constraints. If version is empty, any version is allowed

💡 Prevent configuration from being tampered

It's important to prevent configuration from being tamperd.
If you run tfprovidercheck on GitHub Actions, pull_request_target event is useful to prevent workflows from being tampered.

Secure GitHub Actions by pull_request_target

tfprovidercheck supports configuring with the environment variable TFPROVIDERCHECK_CONFIG_BODY, so you can define the configuraiton in a workflow file.

e.g.

- run: terraform version -json | tfprovidercheck
  env:
    TFPROVIDERCHECK_CONFIG_BODY: |
      providers:
        - name: registry.terraform.io/hashicorp/aws
          version: ">= 3.0.0"

Then you can prevent configuration from being tampered by pull_request_target event.

Conclusion

In this blog post, I described how tfprovidercheck prevents malicious Terraform Providers from being executed.

Please try tfprovidercheck and give me your feedback!