Terraform Remediation

What is Terraform?

Terraform is an Open Source Infrastructure-As-Code software tool. Users can define infrastructure requirements using a declarative configuration language, such as JSON.

What are Terraform Remediations?

Here at Horangi, we created Terraform Remediations for users who are currently using Terraform for their Cloud Infrastructure. For supported rules, Horangi will display an example Terraform code snippet. Based on the example, users can make the same changes into their own Terraform templates to help comply with Horangi rules. This allows users to fix these vulnerabilities at build time.

The example Terraform code snippet is an example only and does not reflect the complete state of the user’s cloud resource. As you will see, Horangi will highlight which part of your Terraform code needs to be changed in order to remediate your environment configurations.

Finding the remediation steps

  1. Log into your Horangi Storyfier account.

  2. At the top navigation bar, click on RULES.

    Navigation Bar-1
  3. Look for the rule where you would like to perform Terraform remediations on. For this document, we will be using the SNS Topic Server-Side Encryption Not Enabled Rule as an example.

    SNS
  4. Click on the rule to expand it and select the appropriate account. Next, select the appropriate resource.

    Resources-1
  5. On the right window, click on the Remediation tab, followed by Terraform.

    Terraform-1
  6. You will find the required Terraform code to change, highlighted in either green or red.

Terraform Remediation Types

There are two types of Terraform remediations.

  • Addition to Terraform Resource
  • Modification to Terraform Resource

Addition to Terraform Resource

This involves adding arguments to existing Terraform resources.

Addition

In the example above, the template shows the arguments to add (highlighted in green) in your own Terraform template.

Modification to Terraform Resource

This involves modifying or removing arguments from existing Terraform resources.

Modification

In the example above, the template shows which arguments to remove or modify (highlighted in red) in your own Terraform template.

Terraform Remediation Requirements

  • You must have used Terraform to create your Cloud resources
  • Resources created using the CLI or Console will not be able to use Terraform remediations

Rule Support

The following rules currently support Terraform Remediations:

  • AWS
    • ElastiCache At-Rest Encryption Not Enabled
    • ElastiCache In-Transit Encryption Not Enabled
    • ElasticSearch Node-To-Node Encryption Not Enabled
    • Kinesis At-Rest Encryption Not Enabled
    • RDS Deletion Protection Not Enabled
    • RDS Instance Encryption Not Enabled
    • S3 Default Encryption Not Enabled
    • S3 Bucket Public Full Control Permissions should be removed
    • SNS Server-Side Encryption Not Enabled
    • SQS Server-Side Encryption Not Enabled