Audit Terraform Provider Inventory for Supply Chain Risks
To follow this guide you need a SafeDep Cloud API Key and Tenant Identifier. See Cloud Quickstart on how to onboard to SafeDep Cloud and get an API key.
In this guide, we will look at discovering the Terraform providers used in a Terraform project. We will synchronize the inventory (Bill of Materials, BOM) with SafeDep Cloud and execute queries to discover unofficial providers that may pose a risk to the security of developer, cloud and CI/CD infrastructure.
Scan and Discover Terraform Providers
vet must be installed to run this scan. See the vet quickstart for installation options.
Run vet on your Terraform code base to scan for Terraform providers. The Terraform project must be initialized (terraform init), i.e. .terraform.lock.hcl must be present in the project directory.
vet scan -D /path/to/terraform-code \
--report-sync \
--report-sync-project gh/test/infra1 \
--report-sync-project-version main
Query by Terraform Provider Insights
We will use SafeDep Cloud SQL queries to filter results. See the SafeDep Cloud Quickstart for more details.
Query for unofficial Terraform providers:
vet cloud query execute --sql "
select projects.name, projects.version, packages.name, packages.version
from projects
where terraform_providers.tier != 'official'
"
Example response generated from our test repository:
┌───────────────────────────────────────────┬──────────────────┬────────────────┬──────────────────┐
│ PACKAGES.NAME                             │ PACKAGES.VERSION │ PROJECTS.NAME  │ PROJECTS.VERSION │
├───────────────────────────────────────────┼──────────────────┼────────────────┼──────────────────┤
│ registry.terraform.io/hetznercloud/hcloud │ 1.48.0           │ gh/test/infra1 │ main             │
├───────────────────────────────────────────┼──────────────────┼────────────────┼──────────────────┤
│ registry.terraform.io/hetznercloud/hcloud │ 1.48.0           │ gh/test/infra1 │ main             │
├───────────────────────────────────────────┼──────────────────┼────────────────┼──────────────────┤
│ registry.terraform.io/hetznercloud/hcloud │ 1.48.0           │ gh/test/infra1 │ main             │
└───────────────────────────────────────────┴──────────────────┴────────────────┴──────────────────┘
List the query schema to see all queryable and filterable columns for Terraform providers:
vet cloud query schema
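As a local complement to the tier query above, here is an added example (not part of vet or SafeDep Cloud) that reads the same .terraform.lock.hcl the scan depends on and lists providers for review. Registry tier is not available offline, so the script uses the provider namespace as a proxy: the TRUSTED_NAMESPACES allowlist and the sample lock file content are assumptions constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a .terraform.lock.hcl as written by `terraform init`; hashes shortened.
SAMPLE_LOCK = """
# This file is maintained automatically by "terraform init".
provider "registry.terraform.io/hashicorp/aws" {
  version     = "5.60.0"
  constraints = "~> 5.0"
  hashes = [
    "h1:placeholder",
  ]
}

provider "registry.terraform.io/hetznercloud/hcloud" {
  version = "1.48.0"
  hashes  = [
    "h1:placeholder",
  ]
}
"""

# Assumption: namespaces treated as first-party; everything else goes to manual review.
TRUSTED_NAMESPACES = {"hashicorp"}

# One provider block: source address in quotes, body up to the first line that is just "}".
PROVIDER_RE = re.compile(r'provider\s+"([^"]+)"\s*\{(.*?)\n\}', re.S)
VERSION_RE = re.compile(r'^\s*version\s*=\s*"([^"]+)"', re.M)


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Return (source address, pinned version) for every provider block in the lock file."""
    found = []
    for match in PROVIDER_RE.finditer(text):
        source, body = match.group(1), match.group(2)
        version = VERSION_RE.search(body)
        found.append((source, version.group(1) if version else ""))
    return found


def split_source(source: str) -> Tuple[str, str, str]:
    """Split a fully qualified 'host/namespace/type' address, as used in the lock file."""
    parts = source.split("/")
    if len(parts) != 3:
        raise ValueError(f"unexpected provider source address: {source}")
    return parts[0], parts[1], parts[2]


def flag_for_review(text: str, trusted=TRUSTED_NAMESPACES) -> List[Dict[str, str]]:
    """Providers from a non-public-registry host or an untrusted namespace."""
    flagged = []
    for source, version in parse_lockfile(text):
        host, namespace, _ptype = split_source(source)
        if host != "registry.terraform.io" or namespace not in trusted:
            flagged.append({"source": source, "namespace": namespace, "version": version})
    return flagged
```

Running flag_for_review on a real lock file gives a quick local list of third-party providers to cross-check against the tier query results synced to SafeDep Cloud.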