Jorge Esperón | Senior Security Architect
June 16, 2022

Threat modeling workflow for Terraform defined architectures using IriusRisk

Prerequisites

You're expected to have followed the previous step-by-step tutorial (Threat modeling workflow for AWS CloudFormation architectures using IriusRisk) to configure the IriusRisk API and the Postman API client so that they can talk to each other seamlessly.

Terraform defined architecture example

Terraform is an open-source infrastructure as code software tool created by HashiCorp. It lets you define resources and infrastructure using a high-level configuration language known as Hashicorp Configuration Language (HCL), or optionally JSON. Terraform enables you to create, maintain and improve infrastructure reliably and predictably on major infrastructure cloud providers (e.g. AWS, GCP, Azure, OpenStack, CloudStack).

Terraform diagram

For this tutorial, we'll use the following simple Terraform architecture as a hands-on example:

https://github.com/iriusrisk/startleft/blob/main/examples/terraform/elb.tf

There are plenty of tools available to visualize Terraform architectures. However, to keep it simple, we'll use the native terraform binary to generate a diagram of the architecture. Terraform can generate graph files in DOT (graph description language) format from your deployment plan. This is what our simplified IaC architecture looks like after running the Terraform CLI graph command (terraform graph > graphviz.dot):

Terraform architectures

Use Postman to automatically create the threat model in IriusRisk

Now we can use Postman to upload this Terraform template to automatically create a new threat model in IriusRisk for this IaC architecture. In order to do this, you can follow the next three steps:

Step 1: Select the Terraform API endpoint

First, we need to click on the Terraform endpoint (POST /api/v1/products/terraform) in the Postman collection navigation tree. This API endpoint is intended to create a new IriusRisk project from a Terraform (TF) template:

IriusRisk API

A new tab opens. You can set the necessary parameters for this HTTP request in the Body submenu, as can be seen in the following figure:

Parameters HTTP

Step 2: Set the API request parameters

Now, we'll set the HTTP body parameters:

  • tf-file: (Required) File that contains the Terraform template.
  • product-id: (Required) Id of the new project in IriusRisk.
  • name: (Required) Name of the new project in IriusRisk.
  • mapping-file: (Optional) File that contains the mapping between Terraform components and IriusRisk components. Providing this file will completely override default values.

As we did for the CloudFormation example, to keep this first IaC import template simple, we'll use the default mapping between Terraform and IriusRisk components. This way, we won't need to specify the mapping-file and can deselect this parameter via its checkbox in Postman. An example of this mapping file can be found in the StartLeft GitHub repository. Right now, the default mapping file supports some basic AWS components; we'll continue expanding it in upcoming IriusRisk releases. If you need to customize the mapping to fit your specific requirements, you can provide your own mapping file to the API using the mapping-file parameter.

The next step is to select our simple Terraform template example (elb.tf) as the value of the tf-file parameter. Then we set the product-id and name parameters that will be used to create the new project in IriusRisk. Finally, we click the "Save" button to persist this configuration. This is what the HTTP POST request configuration looks like right now:

HTTP POST
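The same request built outside Postman, as an added example that is not IriusRisk or StartLeft code: a standard-library Python script that assembles the multipart/form-data body with the tf-file, product-id, name and optional mapping-file parameters described above and POSTs it to /api/v1/products/terraform. It assumes the v1 API authenticates with an api-token request header (the header name is an assumption here; use whatever the previous tutorial configured in Postman) and that the response body is JSON.

```python
import json
import mimetypes
import os
import urllib.request
import uuid
from pathlib import Path

ENDPOINT = "/api/v1/products/terraform"
TOKEN_HEADER = "api-token"  # assumed IriusRisk v1 auth header; verify against your instance


def build_multipart(fields, files):
    """Encode text fields ({name: str}) and file parts ({name: (filename, bytes)})
    as multipart/form-data. Returns (Content-Type header value, body bytes)."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"'
                     f'\r\n\r\n{value}\r\n'.encode())
    for name, (filename, data) in files.items():
        ctype = mimetypes.guess_type(filename)[0] or "application/octet-stream"
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"; '
                     f'filename="{filename}"\r\nContent-Type: {ctype}\r\n\r\n'.encode()
                     + data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return f"multipart/form-data; boundary={boundary}", b"".join(parts)


def build_request(base_url, api_token, tf_file, product_id, name, mapping_file=None):
    """Assemble the POST. mapping-file is attached only when given, which matches
    leaving its checkbox deselected in Postman (the default mapping then applies)."""
    fields = {"product-id": product_id, "name": name}
    files = {"tf-file": (Path(tf_file).name, Path(tf_file).read_bytes())}
    if mapping_file is not None:
        files["mapping-file"] = (Path(mapping_file).name, Path(mapping_file).read_bytes())
    content_type, body = build_multipart(fields, files)
    return urllib.request.Request(base_url.rstrip("/") + ENDPOINT, data=body, method="POST",
                                  headers={"Content-Type": content_type, TOKEN_HEADER: api_token})


def create_project(base_url, api_token, tf_file, product_id, name, mapping_file=None):
    """Send the request and return the decoded JSON response (JSON body assumed)."""
    req = build_request(base_url, api_token, tf_file, product_id, name, mapping_file)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":  # IRIUS_URL=https://<your-instance> IRIUS_TOKEN=<token> python upload_tf.py
    print(create_project(os.environ["IRIUS_URL"], os.environ["IRIUS_TOKEN"], "elb.tf", "elb-demo", "ELB demo"))
```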

Review the generated threat model in IriusRisk

If we log in to the IriusRisk UI, we'll see that a new threat model was automatically created based on our Terraform template architecture:

Threat Model

This is what the project home page looks like, as a visual summary of some of the main security metrics for this threat model:

Project Home Page

To see the relevant threats and countermeasures for this simple architecture, you can go to the "Threats" section on the left pane:

Relevant Threats

To take a look at the recommended countermeasures, you should visit the “Countermeasures” section:

Conclusion

In this step-by-step tutorial we've seen how to automatically create a threat model in IriusRisk from a simple IaC architecture defined for Terraform. We've used common tools that are usually in the arsenal of every cloud developer or DevOps engineer, from the Terraform CLI tool to Postman. This could serve as a first step towards a CI/CD pipeline that automatically creates threat models for cloud architectures in the design phase, before the stack is deployed to the production environment.