Use Steampipe to scan Terraform code, plans, and state files

Query all aspects of your Terraform environment to answer ad-hoc questions and scan for security best practices.

Steampipe Team

5 min. read - Oct 04, 2023

Query all aspects of your Terraform environment to answer ad-hoc questions and scan for security best practices.

When the Terraform plugin arrived in December 2021, it was an immediate game-changer. Now you could not only query live AWS, Azure, and GCP infrastructure, you could also write SQL to answer questions about the Terraform configurations that deploy that infrastructure. Then in January 2022 the other shoe dropped. New compliance mods enabled you to also check Terraform-configured AWS, Azure, and GCP infrastructure. We've since added hundreds of controls to the suite of Terraform Compliance mods. And you can now query your plan and state files, as well as your .tf files.

Query your `.tf` files

Let's first review the basics. You've always been able to run queries against static .tf files. Here's a query to answer the question: "How are public access blocks configured for S3 buckets?"

select
  attributes_std ->> 'block_public_acls' as block_public_acls, path 
from 
  terraform_resource
where 
  type = 'aws_s3_bucket_public_access_block'

+-------------------+-----------------------------------------------------------------------------------+
| block_public_acls | path                                                                              |
+-------------------+-----------------------------------------------------------------------------------+
| false             | /home/jon/terraform-examples/launchweek/bucket.tf                                 |
+-------------------+-----------------------------------------------------------------------------------+

And this query answers the question: "How many resources of each type are configured?"

select
  type,
  count(*)
from
  terraform_resource
group by 
  type 
order by
  count desc

+---------------------------------------------+-------+
| type                                        | count |
+---------------------------------------------+-------+
| aws_route53_record                          | 13    |
| google_bigquery_table                       | 11    |
| aws_iam_role_policy_attachment              | 7     |
| google_storage_bucket_object                | 7     |
| aws_security_group                          | 7     |
...

Check `.tf` files for S3 bucket public access

The Terraform AWS Compliance mod uses this query capability to define controls. For example, as shown in the first query, the block_public_acls setting was false for one resource. Here's the offending code.

resource "aws_s3_bucket_public_access_block" "public_access_bucket_1" {
  bucket = aws_s3_bucket.my_bucket_1.id

  block_public_acls   = false # should be true
  block_public_policy = true
  ignore_public_acls = true
  restrict_public_buckets = true
}

There's a control to check for that misconfiguration.

steampipe check control.s3_bucket_public_access_blocked

After setting block_public_acls to true in the .tf file, we're all green.

Check the plan

Static analysis of .tf files isn't the only tool you'd like to have in your Steampipe Terraform kit. Plan and state files are also rich sources of information. And now the Terraform plugin can interrogate those too. Why? Let's look at a few examples.

In this scenario, the settings are defined by variables.

variable "block_public_acls" {
  type        = bool
  default     = true
}

resource "aws_s3_bucket_public_access_block" "public_access_bucket_1" {
  bucket = aws_s3_bucket.my_bucket_1.id

  block_public_acls   = var.block_public_acls
  ...
}

Now somebody runs terraform plan in a way that injects a misconfiguration.

terraform plan -var 'block_public_acls=false' -out=plan.tfplan

If you run the control again, it'll still be green because nothing has changed in the .tf file. Now let's make the plan queryable as well.

terraform show -json plan.tfplan > plan.json

Now the control reports trouble. The .tf passes, but the plan reveals the problem.

Check the state file too!

But we're feeling reckless, and we deploy anyway. Now we're in worse trouble!

terraform public access plan and state alarm

Let's redo the plan without the -var to get the good default, and recheck.

terraform public access plan ok state alarm

Finally let's deploy the fix and check one more time.

terraform public access tf and plan and state ok

All green again!

See it in action

Tailor-made for GitOps shops

This unified ability to query and scan Terraform files (as well as deployed infrastructure) is available everywhere Steampipe can run. That includes CI/CD pipelines where, for GitHub in particular, we have just announced two new actions that make it easier than ever to run Steampipe queries and checks in GitHub workflows, and now also embed annotations in pull requests to flag compliance issues.

There are a million ways to use these new features and controls. Give them a try and let us know how it goes!