Terraform / HCL infrastructure-as-code analyzer plugin for AttackMap (AWS, Azure, GCP resources; IAM wildcards; open security groups; secret resources).
Project description
attackmap-analyzer-terraform
Terraform / HCL infrastructure-as-code analyzer for AttackMap.
This analyzer is shaped differently from language analyzers — Terraform doesn't have routes in the application sense. Instead, it extracts:
- Public ingress — security groups and firewall rules with
0.0.0.0/0, Lambda Function URLs with no auth, API Gateway methods withauthorization = "NONE", S3 buckets with public ACLs or disabled public-access blocks →entrypoint_hints - Asset inventory — S3 buckets, Azure storage accounts, GCS buckets, KMS keys, Cognito user pools →
service_hints - Databases —
aws_db_instanceandaws_rds_cluster(engine-aware: postgres / mysql / oracle / sqlserver / mariadb),aws_dynamodb_table,aws_elasticache_*,aws_documentdb_*, Azure PostgreSQL/MySQL/CosmosDB, GCP Cloud SQL →database_hints - Secrets —
aws_secretsmanager_secret,aws_ssm_parameter(SecureString),azurerm_key_vault, plusvariableblocks markedsensitive = trueor with secret-shaped names (*secret*,*token*,*password*,*key*) →secret_hints - IAM blast radius —
aws_iam_*_policyresources with wildcardAction = "*"orResource = "*"→auth_hintswith confidence 0.7 - Cognito —
aws_cognito_user_pool→auth_hints - Modules —
module "x" { source = ... }→service_hintskeyedmodule:x - API Gateway v2 routes —
aws_apigatewayv2_routewithroute_key = "POST /charges"→ actualRouteentries
All emissions populate AttackMap's Signal v2 fields (line numbers + evidence snippets) so downstream insights can cite infra/main.tf:NN.
Install
pip install git+https://github.com/mlaify/attackmap-analyzer-terraform.git
The analyzer is auto-discovered by AttackMap via the attackmap.analyzers entry-point group.
Usage with AttackMap
# Auto-discovered when installed:
attackmap analyze /path/to/terraform/repo
# Or invoke explicitly:
attackmap analyze /path/to/terraform/repo --module terraform
Detection
detect() returns true when any .tf, .tf.json, or .tfvars file is present in the tree, ignoring .terraform/, .git/, node_modules/, and vendor/.
HCL block parsing
The analyzer parses HCL block bodies via brace-depth counting (with string-literal awareness so "{" inside strings" doesn't throw off the counter). Nested blocks like multiple ingress { } blocks inside a security group are handled correctly. Variable interpolation (${var.foo}, aws_iam_role.app.id) is not resolved — string literals and direct attribute values are what get extracted.
Coverage notes
- AWS is the most thoroughly covered provider. Azure and GCP have basic coverage (NSG/firewall open ingress, Storage Account / GCS bucket as service hints, PostgreSQL/MySQL/CosmosDB/CloudSQL as databases) — extend per resource type as needed.
- IAM wildcard detection matches both JSON-shaped (
"Action": "*") and HCL-shaped (Action = "*") policy bodies. It does not currently look across separateaws_iam_policy_documentdata sources — that's roadmap. - API Gateway v1 routing is partial — only individual
aws_api_gateway_methodresources emit entrypoint hints. Path joining acrossaws_api_gateway_resourcechains is not yet implemented (use API Gateway v2 /aws_apigatewayv2_routefor full path+method extraction). - Lambda Function URLs with
authorization_type = "NONE"are flagged as open entrypoints. IAM-authorized URLs are emitted with the regularlambda_url:prefix. - Database
publicly_accessible = trueonaws_db_instanceproduces a separaterds_publicly_accessible:entrypoint hint in addition to the standard database hint.
License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file attackmap_analyzer_terraform-0.1.0.tar.gz.
File metadata
- Download URL: attackmap_analyzer_terraform-0.1.0.tar.gz
- Upload date:
- Size: 14.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
759c572ac226b8148da96817295146981f9f9bcc8e93d6b8b2efdd2b7fb512c2
|
|
| MD5 |
759120c2e9111e907b1e0ea90a6a7bca
|
|
| BLAKE2b-256 |
9e82b4dd334dc99a64fea99ec29e42cb20f559f7783bcb36f2a6843c6d7f7265
|
Provenance
The following attestation bundles were made for attackmap_analyzer_terraform-0.1.0.tar.gz:
Publisher:
release.yml on mlaify/attackmap-analyzer-terraform
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
attackmap_analyzer_terraform-0.1.0.tar.gz -
Subject digest:
759c572ac226b8148da96817295146981f9f9bcc8e93d6b8b2efdd2b7fb512c2 - Sigstore transparency entry: 1955062324
- Sigstore integration time:
-
Permalink:
mlaify/attackmap-analyzer-terraform@7877f179888b2d26f70ee257584f3661ecd9f233 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/mlaify
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@7877f179888b2d26f70ee257584f3661ecd9f233 -
Trigger Event:
push
-
Statement type:
File details
Details for the file attackmap_analyzer_terraform-0.1.0-py3-none-any.whl.
File metadata
- Download URL: attackmap_analyzer_terraform-0.1.0-py3-none-any.whl
- Upload date:
- Size: 11.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
1228049ed740fdc918abdab37bfef04f353dcf6157787c460b0bdec3bf635722
|
|
| MD5 |
1c161603561f3dbe319131ef8c0cab1f
|
|
| BLAKE2b-256 |
b75b7a7177ae3ad6d5170f4c439f775eb2aa56dab882757601ef2a1372943d23
|
Provenance
The following attestation bundles were made for attackmap_analyzer_terraform-0.1.0-py3-none-any.whl:
Publisher:
release.yml on mlaify/attackmap-analyzer-terraform
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
attackmap_analyzer_terraform-0.1.0-py3-none-any.whl -
Subject digest:
1228049ed740fdc918abdab37bfef04f353dcf6157787c460b0bdec3bf635722 - Sigstore transparency entry: 1955062523
- Sigstore integration time:
-
Permalink:
mlaify/attackmap-analyzer-terraform@7877f179888b2d26f70ee257584f3661ecd9f233 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/mlaify
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@7877f179888b2d26f70ee257584f3661ecd9f233 -
Trigger Event:
push
-
Statement type: