
Terraform / HCL infrastructure-as-code analyzer plugin for AttackMap (AWS, Azure, GCP resources; IAM wildcards; open security groups; secret resources).

Project description

attackmap-analyzer-terraform

Terraform / HCL infrastructure-as-code analyzer for AttackMap.

This analyzer is shaped differently from language analyzers — Terraform doesn't have routes in the application sense. Instead, it extracts:

  • Public ingress: security groups and firewall rules with 0.0.0.0/0, Lambda Function URLs with no auth, API Gateway methods with authorization = "NONE", S3 buckets with public ACLs or disabled public-access blocks → entrypoint_hints
  • Asset inventory: S3 buckets, Azure storage accounts, GCS buckets, KMS keys, Cognito user pools → service_hints
  • Databases: aws_db_instance and aws_rds_cluster (engine-aware: postgres / mysql / oracle / sqlserver / mariadb), aws_dynamodb_table, aws_elasticache_*, aws_documentdb_*, Azure PostgreSQL/MySQL/CosmosDB, GCP Cloud SQL → database_hints
  • Secrets: aws_secretsmanager_secret, aws_ssm_parameter (SecureString), azurerm_key_vault, plus variable blocks marked sensitive = true or with secret-shaped names (*secret*, *token*, *password*, *key*) → secret_hints
  • IAM blast radius: aws_iam_*_policy resources with wildcard Action = "*" or Resource = "*" → auth_hints with confidence 0.7
  • Cognito: aws_cognito_user_pool → auth_hints
  • Modules: module "x" { source = ... } → service_hints keyed module:x
  • API Gateway v2 routes: aws_apigatewayv2_route with route_key = "POST /charges" → actual Route entries

All emissions populate AttackMap's Signal v2 fields (line numbers + evidence snippets) so downstream insights can cite infra/main.tf:NN.

Install

pip install git+https://github.com/mlaify/attackmap-analyzer-terraform.git

The analyzer is auto-discovered by AttackMap via the attackmap.analyzers entry-point group.

Usage with AttackMap

# Auto-discovered when installed:
attackmap analyze /path/to/terraform/repo

# Or invoke explicitly:
attackmap analyze /path/to/terraform/repo --module terraform

Detection

detect() returns true when any .tf, .tf.json, or .tfvars file is present in the tree, ignoring .terraform/, .git/, node_modules/, and vendor/.

HCL block parsing

The analyzer parses HCL block bodies via brace-depth counting, with string-literal awareness so that a "{" inside a string doesn't throw off the counter. Nested blocks, such as multiple ingress { } blocks inside a security group, are handled correctly. Variable interpolation (${var.foo}, aws_iam_role.app.id) is not resolved — string literals and direct attribute values are what get extracted.
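As an added example (not the plugin's own code), a minimal brace-depth block finder with the string-literal awareness described above, used to emit an entrypoint hint for a security-group ingress rule open to 0.0.0.0/0, carrying the file:line and evidence snippet that the Signal v2 fields cite. The function names, hint keys, the sample Terraform and the infra/main.tf default path are assumptions.

```python
import re

# Added example, not the plugin's own code. Braces inside double-quoted strings are
# ignored while counting depth; nested blocks are found by re-running on a body.
def find_blocks(text, header_re, first_line=1):
    pattern, pos = re.compile(header_re), 0
    while (m := pattern.search(text, pos)):
        i = text.find("{", m.end())  # opening brace of the body
        if i < 0:
            return
        depth, in_str, j = 0, False, i
        while j < len(text):
            ch = text[j]
            if in_str:  # inside a string: a brace here is data, not structure
                in_str = ch != '"'
                j += 2 if ch == "\\" else 1  # a backslash escapes the next char
                continue
            if ch == '"':
                in_str = True
            elif ch == "{":
                depth += 1
            elif ch == "}" and (depth := depth - 1) == 0:
                break
            j += 1
        name = m.group(1) if m.groups() else None  # group 1 of header_re is the name
        yield first_line + text.count("\n", 0, i), name, text[i + 1:j]
        pos = j + 1
OPEN_CIDR = re.compile(r'cidr_blocks\s*=\s*\[[^\]]*"0\.0\.0\.0/0"')
def open_ingress_hints(text, path="infra/main.tf"):
    # Entrypoint hints for ingress rules open to 0.0.0.0/0, with file:line and evidence.
    lines, hints = text.splitlines(), []
    for sg_line, sg_name, sg_body in find_blocks(
            text, r'resource\s+"aws_security_group"\s+"([^"]+)"'):
        for body_line, _, body in find_blocks(sg_body, r"(?m)^\s*ingress\s*(?=\{)", sg_line):
            cm = OPEN_CIDR.search(body)
            if cm:
                line = body_line + body.count("\n", 0, cm.start())
                hints.append({"kind": "sg_open_ingress", "resource": sg_name,
                              "location": f"{path}:{line}", "evidence": lines[line - 1].strip()})
    return hints
# Constructed sample: the "{" inside the description string must not end the block early.
SAMPLE_TF = '''resource "aws_security_group" "web" {
  description = "allow { http } from anywhere"
  ingress {
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    cidr_blocks = ["10.0.0.0/8"]
  }
}'''
```

Running open_ingress_hints(SAMPLE_TF) yields one hint at infra/main.tf:4; the 10.0.0.0/8 rule and the brace inside the description string produce nothing.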

Coverage notes

  • AWS is the most thoroughly covered provider. Azure and GCP have basic coverage (NSG/firewall open ingress, Storage Account / GCS bucket as service hints, PostgreSQL/MySQL/CosmosDB/CloudSQL as databases) — extend per resource type as needed.
  • IAM wildcard detection matches both JSON-shaped ("Action": "*") and HCL-shaped (Action = "*") policy bodies. It does not currently look across separate aws_iam_policy_document data sources — that's roadmap.
  • API Gateway v1 routing is partial — only individual aws_api_gateway_method resources emit entrypoint hints. Path joining across aws_api_gateway_resource chains is not yet implemented (use API Gateway v2 / aws_apigatewayv2_route for full path+method extraction).
  • Lambda Function URLs with authorization_type = "NONE" are flagged as open entrypoints. IAM-authorized URLs are emitted with the regular lambda_url: prefix.
  • Database publicly_accessible = true on aws_db_instance produces a separate rds_publicly_accessible: entrypoint hint in addition to the standard database hint.
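An added example, not the plugin's own code, of the two-shape IAM wildcard match described in the coverage notes: it flags a bare Action or Resource of "*" in either the JSON-shaped form ("Action": "*", e.g. in a heredoc) or the HCL-shaped form (Action = "*", e.g. inside jsonencode), attaches the 0.7 confidence, and leaves "s3:*" alone. The function and key names, the sample policies and the infra/iam.tf path are assumptions.

```python
import re

# Added example, not the plugin's own code. One pattern covers JSON-shaped keys
# ("Action": ...) and HCL-shaped keys (Action = ...); the value must be the bare
# wildcard "*" or a list containing "*", so a service-scoped "s3:*" is not flagged.
WILDCARD = re.compile(
    r'"?\b(Action|Resource)\b"?\s*[:=]\s*(?:"\*"|\[[^\]]*"\*"[^\]]*\])')

def iam_wildcard_hints(text, path="infra/iam.tf", confidence=0.7):
    """auth_hints for wildcard Action/Resource, with file:line and the offending line."""
    lines, hints = text.splitlines(), []
    for m in WILDCARD.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        hints.append({"kind": "iam_wildcard", "field": m.group(1), "confidence": confidence,
                      "location": f"{path}:{line}", "evidence": lines[line - 1].strip()})
    return hints

# Constructed sample: one jsonencode() policy (HCL-shaped) and one heredoc (JSON-shaped).
SAMPLE_TF = '''resource "aws_iam_policy" "admin" {
  policy = jsonencode({
    Version   = "2012-10-17"
    Statement = [{ Effect = "Allow", Action = "*", Resource = "*" }]
  })
}
resource "aws_iam_role_policy" "reader" {
  policy = <<EOF
{"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                "Resource": ["arn:aws:s3:::app-bucket/*", "*"]}]}
EOF
}'''
```

On the sample this reports Action and Resource on line 4 and the list-valued Resource on line 10, while the s3:GetObject action passes.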

License

MIT


Download files

Source Distribution

attackmap_analyzer_terraform-0.1.0.tar.gz (14.3 kB)

Built Distribution

attackmap_analyzer_terraform-0.1.0-py3-none-any.whl (11.1 kB)

File details

Details for the file attackmap_analyzer_terraform-0.1.0.tar.gz.

File hashes

Hashes for attackmap_analyzer_terraform-0.1.0.tar.gz
Algorithm Hash digest
SHA256 759c572ac226b8148da96817295146981f9f9bcc8e93d6b8b2efdd2b7fb512c2
MD5 759120c2e9111e907b1e0ea90a6a7bca
BLAKE2b-256 9e82b4dd334dc99a64fea99ec29e42cb20f559f7783bcb36f2a6843c6d7f7265

Provenance

The following attestation bundles were made for attackmap_analyzer_terraform-0.1.0.tar.gz:

Publisher: release.yml on mlaify/attackmap-analyzer-terraform

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file attackmap_analyzer_terraform-0.1.0-py3-none-any.whl.

File hashes

Hashes for attackmap_analyzer_terraform-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1228049ed740fdc918abdab37bfef04f353dcf6157787c460b0bdec3bf635722
MD5 1c161603561f3dbe319131ef8c0cab1f
BLAKE2b-256 b75b7a7177ae3ad6d5170f4c439f775eb2aa56dab882757601ef2a1372943d23

Provenance

The following attestation bundles were made for attackmap_analyzer_terraform-0.1.0-py3-none-any.whl:

Publisher: release.yml on mlaify/attackmap-analyzer-terraform

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
