Styra DAS Terraform State Compliance
The Styra DAS Terraform system type allows you to continually monitor resources deployed and managed by Terraform and enumerate all those resources which violate your defined policy guardrails. Monitoring of deployed infrastructure resources is often necessary to prove organization infrastructure compliance requirements are being met, especially for organizations in regulated industries, such as finance, healthcare, or government.
Styra DAS provides Compliance monitoring functionality built into the Styra DAS Terraform system type, which automatically evaluates Compliance results every hour using the last Terraform state version in a Terraform system and the currently published policies in that Terraform system. Additionally, users can run an on-demand Compliance check at any time (e.g., after implementing new high severity rules or connecting a new Terraform state file) using the "Scan for violations" button in a Terraform system's Compliance tab.
The Compliance tab in Styra DAS Terraform systems reports the violations found from the most recent Compliance check for all Terraform state files connected to that system.
Connect a Terraform State Data Source
Terraform state serves as the data store used by Terraform for the configuration of resources deployed to cloud services. The state is where resources declared in Terraform code are mapped to "real world" resources in cloud providers (e.g., the `aws_s3_bucket` configuration mapped to an S3 bucket in an AWS account). This state is updated automatically from configured cloud providers with each `terraform plan` and `terraform apply` and can be manually updated using the `terraform plan -refresh-only` and `terraform apply -refresh-only` commands.
Depending on the configured Terraform backend for your Terraform workspace or environment, your Terraform state may be stored as a file in cloud storage or in a service used to manage your Terraform deployments, such as Terraform Cloud or Terraform Enterprise. Terraform state can be connected to a Styra DAS Terraform system using a Styra DAS system-level data source, which supports fetching Terraform state from:
- an Amazon S3 bucket,
- a Google Cloud Storage (GCS) bucket,
- a git repository,
- a Terraform Cloud workspace,
- a Terraform Enterprise (internet-accessible) workspace, and
- any HTTP-accessible state datastore.
Styra DAS provides built-in data transforms for Terraform state data source contents when:
- connecting Terraform state using a state file (by default named `terraform.tfstate`) stored in S3, GCS, or git, or
- connecting Terraform state from a Terraform Cloud or Terraform Enterprise workspace (using the HTTPS data source).
These data transforms will transform the state data source contents to the standard Terraform plan JSON representation input compatible with rules in the Styra DAS Terraform Policy Library, with resources in the Terraform state populated into the `resource_changes` plan object (other Terraform plan parameters are not generated).
Terraform may store sensitive data (e.g., database passwords, access tokens, secret keys) in state, depending on the Terraform resources in your configuration. When using a state data source with a built-in data transform, sensitive attributes for resources in the state are not included in the transformed plan representation of the state, which is used as the input to all rules in your Styra DAS Terraform system policies; however, the full state, including the sensitive data, may still be received by Styra DAS. Where this is a concern, Styra recommends creating a state file version with the sensitive attributes stripped for use in Compliance checks.
For state files generated using the `terraform show` command or non-standard state fetched from an HTTP-accessible state datastore, you may author custom data transforms for use with Styra DAS data sources to transform the contents to the standard Terraform plan representation.
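To make the shape of the state-to-plan transform concrete, and to show what "a state file version where the sensitive attributes are stripped" involves, the following is an added example; it is not Styra's built-in "State Transform" or a Styra custom data transform, and the sample state is constructed. It assumes the Terraform v4 state layout (`resources[].instances[].attributes` plus `instances[].sensitive_attributes` as a list of attribute paths) and emits only the `resource_changes` plan object; the `actions` marker it writes is an assumption of this example.

```python
"""Added example: turn a v4 Terraform state into a plan-shaped document with
resource_changes, dropping attributes the state marks as sensitive."""
import copy
import json

# Constructed sample state (not from a real account); the password value is a placeholder.
SAMPLE_STATE = {
    "version": 4,
    "resources": [
        {
            "mode": "managed", "type": "aws_s3_bucket", "name": "logs",
            "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
            "instances": [{
                "attributes": {"bucket": "example-logs", "acl": "public-read"},
                "sensitive_attributes": [],
            }],
        },
        {
            "mode": "managed", "type": "aws_db_instance", "name": "app",
            "provider": 'provider["registry.terraform.io/hashicorp/aws"]',
            "instances": [{
                "index_key": 0,
                "attributes": {"identifier": "app-db", "password": "hunter2", "storage_encrypted": False},
                "sensitive_attributes": [[{"type": "get_attr", "value": "password"}]],
            }],
        },
    ],
}


def _strip_path(obj, path):
    """Remove the value addressed by one sensitive-attribute path, if it still exists."""
    *parent_steps, last = path
    node = obj
    for step in parent_steps:
        key = step["value"]
        if isinstance(node, dict) and key in node:
            node = node[key]
        elif isinstance(node, list) and isinstance(key, int) and key < len(node):
            node = node[key]
        else:
            return  # path does not apply to this instance; nothing to strip
    key = last["value"]
    if isinstance(node, dict):
        node.pop(key, None)
    elif isinstance(node, list) and isinstance(key, int) and key < len(node):
        node[key] = None


def _address(resource, instance):
    """Build the plan-style resource address, e.g. aws_db_instance.app[0]."""
    addr = f"{resource['type']}.{resource['name']}"
    if resource.get("mode") == "data":
        addr = "data." + addr
    if resource.get("module"):
        addr = f"{resource['module']}.{addr}"
    if "index_key" in instance:
        key = instance["index_key"]
        addr += f"[{key}]" if isinstance(key, int) else f'["{key}"]'
    return addr


def _provider_name(resource):
    """provider["registry.terraform.io/hashicorp/aws"] -> registry.terraform.io/hashicorp/aws"""
    p = resource.get("provider", "")
    start, end = p.find('"'), p.rfind('"')
    return p[start + 1:end] if 0 <= start < end else p


def state_to_plan(state):
    """Return a plan-shaped dict whose resource_changes come from the state's instances."""
    changes = []
    for res in state.get("resources", []):
        for inst in res.get("instances", []):
            attrs = copy.deepcopy(inst.get("attributes", {}))  # never mutate the input state
            for path in inst.get("sensitive_attributes", []):
                _strip_path(attrs, path)
            changes.append({
                "address": _address(res, inst),
                "mode": res.get("mode", "managed"),
                "type": res["type"],
                "name": res["name"],
                "provider_name": _provider_name(res),
                # "no-op" is this example's assumption; a real transform may choose differently.
                "change": {"actions": ["no-op"], "before": attrs, "after": attrs},
            })
    return {"format_version": "1.0", "resource_changes": changes}


def contains_value(doc, needle):
    """Cheap leak check: does the serialized document still contain a known secret?"""
    return needle in json.dumps(doc)


if __name__ == "__main__":
    print(json.dumps(state_to_plan(SAMPLE_STATE), indent=2))
```

Run the same `contains_value` check against a known secret before uploading a stripped state version anywhere; the `sensitive_attributes` list only covers what the provider schema marks sensitive, so values placed in plain attributes by a module author are not removed by this step.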
S3, GCS, and Git State File Configuration
Styra DAS data sources support native connections to pull a file from an Amazon S3 bucket, a GCS bucket, and a git repository.
To use these data source types for a Terraform state file, first review the general data source configuration steps based on where your state file is stored:
- Amazon S3 for data import Data Source
- GCS for data import Data Source
- Git for data import Data Source
When configuring these data sources, the following steps need to be taken before saving the data source configuration:
- The data source "Path" must be set to `state`.
- The data source must refer to and fetch a single `.tfstate` file (typically named `terraform.tfstate`) for the data transform to correctly transform the data source contents.
- Set the refresh interval to a recommended value of "4m" (4 minutes). The lowest recommended value is "1m" (1 minute).
- Expand the "Advanced" section and select "State Transform" from the "Data Transform" dropdown.
Setting the refresh interval for a data source to 5 minutes or more may result in data source sync error messages in the system.
Terraform Cloud and Enterprise State Configuration
The state from a Terraform Cloud or Terraform Enterprise workspace can be connected using the Styra DAS HTTPS data source type, for which the general configuration steps can be found in the HTTPS Data Source docs.
When configuring the HTTPS data source for Terraform Cloud or Terraform Enterprise workspace state, the following steps need to be taken before saving the data source configuration:
- The data source "Path" must be set to `state`.
- The URL should be in the format `https://app.terraform.io/api/v2/workspaces/<workspace-id>/current-state-version` for Terraform Cloud workspaces, where `<workspace-id>` is the unique identifier for the workspace in the format `ws-hW4ZulIEKi9WpsZq` found in the Terraform Cloud console. For internet-accessible Terraform Enterprise workspaces, replace `app.terraform.io` with the Terraform Enterprise base URL.
- Leave the "Method" as "GET" and "Body" as "JSON".
- Set the refresh interval to a recommended value of "4m" (4 minutes). The lowest recommended value is "1m" (1 minute).
- Add a header with the name `Authorization` and value of `Bearer <token>`, where `<token>` is a Terraform Cloud or Terraform Enterprise User or Team API token with access to the workspace. Enable the "Secret" toggle on the Header value.
- Expand the "Advanced" section and select "TFC State Transform" from the "Data Transform" dropdown.
Setting the refresh interval for a data source to 5 minutes or more may result in data source sync error messages in the system.
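Before saving the HTTPS data source, it is worth confirming that the workspace id, URL and token grant the access the data source needs, using the same GET request and `Authorization: Bearer` header described above. The script below is an added example, not part of Styra DAS or its documentation; the environment variable names are this example's own, and it assumes the Terraform Cloud API returns a JSON:API body with a top-level `data` object.

```python
"""Added example: pre-flight check of the Terraform Cloud/Enterprise state URL and token."""
import json
import os
import re
import urllib.request

# Workspace ids have the form ws-hW4ZulIEKi9WpsZq (documented above).
WORKSPACE_ID_RE = re.compile(r"^ws-[A-Za-z0-9]+$")


def current_state_version_url(workspace_id, base_url="https://app.terraform.io"):
    """Build the data source URL; pass the instance base URL for Terraform Enterprise."""
    if not WORKSPACE_ID_RE.match(workspace_id):
        raise ValueError(f"not a Terraform workspace id: {workspace_id!r}")
    return f"{base_url.rstrip('/')}/api/v2/workspaces/{workspace_id}/current-state-version"


def request_headers(token):
    """The header the data source sends; the token itself belongs in a 'Secret' value, not in files."""
    if not token or token.strip() != token:
        raise ValueError("token must be non-empty with no surrounding whitespace")
    return {"Authorization": f"Bearer {token}"}


def check_workspace_access(workspace_id, token, base_url="https://app.terraform.io", timeout=10):
    """GET current-state-version and return the decoded body.

    A wrong token or an id the token cannot see surfaces as urllib.error.HTTPError
    (401/404), which is exactly what the data source would later report as a sync error.
    """
    req = urllib.request.Request(
        current_state_version_url(workspace_id, base_url),
        headers=request_headers(token),
        method="GET",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Environment variable names are this example's assumption.
    ws = os.environ.get("TFC_WORKSPACE_ID", "ws-hW4ZulIEKi9WpsZq")
    base = os.environ.get("TFE_BASE_URL", "https://app.terraform.io")
    token = os.environ.get("TFC_TOKEN")
    print("data source URL:", current_state_version_url(ws, base))
    if token:
        body = check_workspace_access(ws, token, base)
        print("ok: current state version id", body.get("data", {}).get("id"))
    else:
        print("set TFC_TOKEN to run the live access check")
```

The token is read from the environment and never printed, mirroring the "Secret" toggle on the header value in the data source configuration.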
Evaluate State Compliance
After connecting at least one Terraform state data source to your Styra DAS Terraform system, navigate to that system's "Compliance" tab. After adding a new Terraform state data source to a system, you may wait for the next hourly automated Compliance check or click the "Scan for violations" button to run an on-demand Compliance check.
Violations in Terraform state are reported in the Compliance tab where they can be reviewed. Each violation includes the rule violation message, rule metadata (such as title, id, and severity), resource context (such as resource type and address), and state file context. The list of Compliance violations can be filtered using plain text or Regex.
The number of Compliance violations for the system is tracked over time and displayed as a graph in the system's Monitoring tab. This can be used by teams as a violation burndown to show progress addressing violations with deployed cloud resources.
Cloud Provider Resource Compliance
To evaluate compliance against all resources in a cloud provider account, including those which may not be managed by your Terraform configuration, use the Terraformer CLI tool created by Google's Waze SRE team to generate an appropriate output file. The CLI tool connects to many common cloud providers (including AWS, Google Cloud, and Azure) to generate a Terraform configuration based on cloud resources in a target account and region. Refer to the Terraformer GitHub repository README for instructions for specific cloud providers.
Terraformer provides "state" and "plan" output file types, which are non-standard Terraform state and plan files. Styra DAS supports the Terraformer "plan" output file type as a data source in Terraform systems when using the S3, GCS, Git, or HTTPS data source types. To convert the Terraformer plan output to the standard Terraform plan JSON representation, select the "Terraformer Plan Transform" data transform when configuring the data source in a Styra DAS Terraform system.