Shunsuke Suzuki
Prevent malicious Terraform Providers

In this blog post, I describe how tfprovidercheck prevents malicious Terraform Providers from being executed.

To run Terraform securely, we should prevent malicious Terraform Providers from being executed.
tfprovidercheck is a simple command line tool for this.
Using tfprovidercheck, you can define an allow list of Terraform Providers and their versions, and fail the check if any provider outside that list is used.

```sh
# Only google provider and azurerm provider are allowed
$ cat .tfprovidercheck.yaml
providers:
  - name: registry.terraform.io/hashicorp/google
    version: ">= 4.0.0"
  - name: registry.terraform.io/hashicorp/azurerm

# tfprovidercheck fails because aws provider is disallowed
$ terraform version -json | tfprovidercheck
FATA[0000] tfprovidercheck failed                        error="this Terraform Provider is disallowed" program=tfprovidercheck provider_name=registry.terraform.io/hashicorp/aws tfprovidercheck_version=0.1.0
```

Running tfprovidercheck in your Terraform CI pipeline improves the security of that pipeline.

Install

tfprovidercheck is a single binary written in Go, so you only need to install an executable file into `$PATH`.

Please see the project's Install instructions.

How to use

  1. Prepare tfprovidercheck's configuration
  2. Run `terraform init` to update the list of Terraform Providers
  3. Run `terraform version -json | tfprovidercheck`

To prevent malicious code from being executed, you should run tfprovidercheck before running other Terraform commands such as `terraform validate`, `terraform plan`, and `terraform apply`.

Configuration

There are several ways to configure tfprovidercheck.
In order of priority, they are as follows.

  1. The command line option `-config [-c]`, which is the configuration file path
  2. The environment variable `TFPROVIDERCHECK_CONFIG_BODY`, which is the configuration itself (YAML)
  3. The environment variable `TFPROVIDERCHECK_CONFIG`, which is the configuration file path
  4. The configuration file `.tfprovidercheck.yaml` in the current directory

The field `providers` lists allowed providers and their versions.

e.g.

```yaml
providers:
  - name: registry.terraform.io/hashicorp/aws
    version: ">= 3.0.0" # Quotes are necessary because '>' is a special character for YAML
  - name: registry.terraform.io/hashicorp/google # version is optional
```
  • name (Required, string): `name` must be equal to the provider name. Regular expressions and globs aren't supported
  • version (Optional, string): The version constraint of the Terraform Provider. `version` is evaluated as a hashicorp/go-version Version Constraint. If `version` is empty, any version is allowed
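As an added illustration (not the tool's own code), the following Python model shows what tfprovidercheck does with the `terraform version -json` output and the `providers` allow list: exact-name matching plus version-constraint evaluation. The JSON sample and allow list are constructed, YAML loading is left out, and the constraint evaluator is a simplified stand-in for hashicorp/go-version (pre-release tags are ignored).

```python
import json
import re

# Constructed sample of `terraform version -json` output; tfprovidercheck reads its
# `provider_selections` map (provider source address -> version selected by `terraform init`).
TERRAFORM_VERSION_JSON = """{"terraform_version": "1.5.7", "provider_selections": {
  "registry.terraform.io/hashicorp/google": "4.80.0",
  "registry.terraform.io/hashicorp/aws": "5.17.0"}}"""

# The `providers` allow list as it looks once the YAML is loaded (YAML parsing is left out).
ALLOW_LIST = [
    {"name": "registry.terraform.io/hashicorp/google", "version": ">= 4.0.0, < 5.0.0"},
    {"name": "registry.terraform.io/hashicorp/azurerm"},  # no version: any version allowed
]

def parse_version(v: str) -> tuple[int, ...]:
    """"v4.80-beta1" -> (4, 80, 0): pre-release/build metadata dropped, zero-padded to 3."""
    parts = tuple(int(p) for p in v.lstrip("v").split("-")[0].split("+")[0].split("."))
    return parts + (0,) * (3 - len(parts))

def satisfies(version: str, constraint: str) -> bool:
    """Evaluate a comma-separated go-version style constraint such as ">= 4.0.0, < 5.0.0"."""
    ver = parse_version(version)
    for part in constraint.split(","):
        m = re.fullmatch(r"\s*(>=|<=|!=|~>|>|<|=)?\s*([\w.+-]+)\s*", part)
        if not m:
            raise ValueError(f"bad constraint: {part!r}")
        op, want = m.group(1) or "=", parse_version(m.group(2))
        if op == "~>":  # pessimistic: "~> 1.2" -> >= 1.2.0, < 2.0.0; "~> 1.2.3" -> >= 1.2.3, < 1.3.0
            n = max(len(m.group(2).split(".")) - 2, 0)
            ok = want <= ver < want[:n] + (want[n] + 1,) + (0,) * (2 - n)
        else:
            ok = {">=": ver >= want, "<=": ver <= want, ">": ver > want,
                  "<": ver < want, "=": ver == want, "!=": ver != want}[op]
        if not ok:
            return False
    return True

def check_providers(version_json: str, allow_list: list[dict]) -> list[str]:
    """Return one error per disallowed provider; an empty list means the check passed."""
    selections = json.loads(version_json).get("provider_selections", {})
    allowed = {p["name"]: p.get("version") for p in allow_list}
    errors = []
    for name, version in sorted(selections.items()):
        if name not in allowed:  # exact match only: no regex or glob, as in tfprovidercheck
            errors.append(f"this Terraform Provider is disallowed: provider_name={name}")
        elif allowed[name] and not satisfies(version, allowed[name]):
            errors.append(f"{name} {version} violates version constraint {allowed[name]!r}")
    return errors
```

With the constructed sample, the aws provider is reported as disallowed while google 4.80.0 passes its constraint, matching the failure shown at the top of the post.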

💡 Prevent the configuration from being tampered with

It's important to prevent the configuration from being tampered with.
If you run tfprovidercheck on GitHub Actions, the `pull_request_target` event is useful to prevent workflows from being tampered with.

Secure GitHub Actions by pull_request_target

tfprovidercheck supports configuration through the environment variable `TFPROVIDERCHECK_CONFIG_BODY`, so you can define the configuration in a workflow file.

e.g.

```yaml
- run: terraform version -json | tfprovidercheck
  env:
    TFPROVIDERCHECK_CONFIG_BODY: |
      providers:
        - name: registry.terraform.io/hashicorp/aws
          version: ">= 3.0.0"
```

Then you can prevent the configuration from being tampered with by using the `pull_request_target` event.

Conclusion

In this blog post, I described how tfprovidercheck prevents malicious Terraform Providers from being executed.

Please try tfprovidercheck and give me your feedback!
