Execute Terraform Configuration

Overview

The Execute Terraform Configuration action allows users to run Terraform commands directly in their bot workflows. This feature supports executing snippets of Terraform configurations, enabling efficient infrastructure management and automation. It is intended for targeted changes related to security operations, such as adding a security control or modifying a resource setting, so that a bot can make a small, well-defined change without going through a full infrastructure deployment pipeline.

Prerequisites

Linux Agent

  1. Agent configuration: ensure the Linux Agent is configured. Refer to the Agent Installation Guide.
  2. Terraform CLI: ensure the Terraform CLI is installed on the agent and is on the PATH of the user the action runs as. Refer to the Terraform CLI installation guide for installation instructions.
  3. Cloud provider profile: the cloud provider's configuration profile must be set in the agent configuration file, with credentials that carry the permissions the Terraform code needs and no more. The action runs with whatever that profile is allowed to do.

How to Use This Action?

To use the Execute Terraform Configuration action, follow these steps:

  • In your bot workflow, navigate to the Linux Actions and select Library.

  • Search for or locate the Execute Terraform Configuration action and drag it into your workflow.

  • Select the Linux integration that is connected to your Terraform-configured agent.

  • Under the Parameters section, specify the required parameter values according to your requirements. For more details, refer to the Parameter Details section.

  • In the terraform_code field, you have two options:

    1. Manually Provide Code: Enter the Terraform code you want to execute. The code must be HCL (HashiCorp Configuration Language) and must define the provider and the required resources. Declare a backend unless local state on the agent is acceptable: without a backend block, Terraform writes terraform.tfstate into the code directory on the agent, that file can contain resource attributes and secrets, and a later run from a different directory will not know the resource exists.

    2. Use AI to Generate Code: Click the option to use AI assistance to generate the Terraform code from your specification. Review the generated code before running it: confirm that it targets the intended account, region and resource IDs, and compare the plan output with the change you expect before applying.

  • Specify the terraform_commands you want to run, such as init, plan, or apply. The commands run unattended on the agent, so each one must be non-interactive: add -input=false so that a missing variable or backend setting fails immediately instead of waiting for input, and add -auto-approve to apply (or apply a saved plan file) so that it does not wait for confirmation. Prefer the sequence init, plan -out=tfplan, apply tfplan, so that the change applied is exactly the change that was planned.

  • Save or update the bot, then click the Run button to execute the bot, or click the Run button inside the action node. Wait for the execution to complete, then review the results, including the plan and apply output, in the execution details.

Parameter Details

Parameter | Required | Description
terraform_code | Yes | The Terraform configuration (HCL) to execute. It must define the provider and the required resources, and should declare a backend unless local state on the agent is acceptable. You can provide the code manually or use AI assistance to generate it.
terraform_code_directory | Yes | The directory in which the configuration is saved. All directories are managed under ~/autobotAI-linux-agent/actions/terraform. Use a dedicated directory per bot or managed resource: Terraform keeps the state for the run in that directory unless a remote backend is configured, and reusing a directory with different code makes Terraform treat the previously created resources as removed.
terraform_code_filename | Yes | The filename for the Terraform configuration file (defaults to main.tf).
terraform_commands | Yes | A list of Terraform commands to execute in order, such as init, plan, or apply. The commands run unattended, so include non-interactive flags: -input=false on every command, and -auto-approve on apply (or apply a saved plan file).
run_as_user | Yes | The Linux user the commands run as. The field's default value is "ubuntu"; if it is left empty, the commands run as root. Set it explicitly to a non-root user that has Terraform on its PATH and can read the provider credentials, so that the cloud credentials are never handled by root.
config_profile | Yes | The name of the configuration profile for the cloud provider, e.g., aws/staging-account. The environment variables Terraform needs for that provider must be set for the profile; for AWS these are AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_DEFAULT_REGION. Scope the credentials to the operations the bot is expected to perform.
execution_timeout | Yes | The maximum time, in seconds, allowed for the command execution (defaults to 900 seconds). A command that stops to wait for interactive input keeps running until this timeout expires.
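The script below is an added example and is not code from the autobotAI agent or from this action: it is a minimal stand-in for what the agent has to do with the parameters in the table above and the steps in the procedure (save the code under the managed base directory, validate the command list, run it as run_as_user with the profile's credentials under execution_timeout), with the checks a security engineer would want in place. The base path is the one the page states; the rest is assumed: provider credentials are read from a KEY=VALUE file at <base>/profiles/<config_profile>.env that only run_as_user can read, user switching is done with sudo, and running as root is refused. The hypothetical helper names (safe_tf_dir, normalize_tf_command, write_tf_config, run_tf) are this example's, not the agent's.

```bash
#!/usr/bin/env bash
# Added example, not code from the autobotAI agent or this action: a minimal
# stand-in for what the action has to do on the Linux agent, with the checks a
# security engineer would want in place. The base path comes from the page; the
# profiles/<name>.env credential layout and the root refusal are assumptions.
set -euo pipefail

# The page states all Terraform directories are managed under this base.
TF_BASE="${TF_BASE:-$HOME/autobotAI-linux-agent/actions/terraform}"

# Resolve terraform_code_directory under TF_BASE and reject anything that could
# escape it: empty names, absolute paths and parent-directory references.
safe_tf_dir() {
  local dir="$1"
  case "$dir" in
    ''|.|..|/*|../*|*/..|*/../*) return 1 ;;
  esac
  printf '%s/%s\n' "$TF_BASE" "$dir"
}

# Accept one entry of terraform_commands only if it cannot stop on a prompt:
# a bare apply/destroy would wait for "yes" until execution_timeout kills it,
# and -input=false makes a missing variable fail fast instead of reading stdin.
normalize_tf_command() {
  local cmd="$1" sub rest
  sub="${cmd%% *}"
  rest="${cmd#"$sub"}"
  case "$sub" in
    init|validate|plan|apply|destroy|show|output) ;;
    *) echo "unsupported terraform subcommand: $sub" >&2; return 1 ;;
  esac
  case "$cmd" in
    apply|destroy) echo "$sub needs -auto-approve or a saved plan file" >&2; return 1 ;;
  esac
  printf '%s -input=false%s\n' "$sub" "$rest"
}

# Write terraform_code to terraform_code_filename (default main.tf) inside the
# resolved directory and return the file path.
write_tf_config() {
  local dir file
  dir="$(safe_tf_dir "$1")" || return 1
  file="${3:-main.tf}"
  mkdir -p "$dir"
  printf '%s\n' "$2" > "$dir/$file"
  # terraform.tfstate is written next to this file unless the code declares a
  # backend, and state can contain secrets, so keep the directory private.
  chmod 700 "$dir"
  printf '%s\n' "$dir/$file"
}

# Run the commands in order as run_as_user, under a hard timeout, with the
# profile's credentials sourced from a file by the target user rather than
# passed as command-line arguments (arguments are visible to every user via ps).
run_tf() {
  local dir="$1" profile="$2" user="$3" timeout_s="$4" cmd c
  shift 4
  local env_file="$TF_BASE/profiles/$profile.env"   # assumed layout
  [ -f "$env_file" ] || { echo "no credentials for profile $profile" >&2; return 1; }
  [ "$user" != root ] || { echo "refusing to run terraform as root" >&2; return 1; }
  for cmd in "$@"; do
    c="$(normalize_tf_command "$cmd")" || return 1
    # $c is intentionally unquoted so that its flags are split into arguments.
    # shellcheck disable=SC2086
    timeout --kill-after=30 "$timeout_s" \
      sudo -u "$user" sh -c 'set -a; . "$1"; set +a; shift; exec terraform "$@"' \
        tf "$env_file" -chdir="$dir" $c
  done
}

# Stand-alone use: ./run.sh run nacl.tf (terraform and sudo must be present).
# The command list is the plan-then-apply sequence, never a bare apply.
if [ "${1:-}" = run ]; then
  file="$(write_tf_config nacl-block "$(cat "$2")" main.tf)"
  run_tf "$(dirname "$file")" aws/staging-account ubuntu 900 \
    init 'plan -out=tfplan' 'apply tfplan'
fi
```

The credential file has to be readable by run_as_user, since it is that user's shell that sources it; keeping it unreadable by everyone else is what makes the root refusal and the user switch worth anything.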

Example Use Case

Scenario: Blocking a Malicious IP Address in a NACL

In response to a GuardDuty finding that an instance is the target of an SSH brute-force attack from a malicious IP address, you can use this action to add a Network Access Control List (NACL) rule that denies all traffic from that IP. Two properties of NACLs matter for the rule to work: a NACL only takes effect once it is associated with the subnets, and rules are evaluated in ascending rule number order with everything unmatched denied, so the deny rule must have a lower number than the allow rules and the NACL still needs an allow rule for legitimate inbound traffic. This is a containment measure for an incident in progress; it does not replace restricting SSH to known sources in the first place.

Terraform Code to Create a NACL Rule: Example Terraform configuration that defines a new NACL with a deny rule for the attacker, an allow rule for other inbound traffic, and the subnet association that makes it take effect. If the affected subnets already use a custom NACL, add an aws_network_acl_rule to that NACL instead of creating a new one, because associating subnets with a new NACL drops the rules of the NACL they were using before. Narrow the allow rule to what the subnet actually needs.

  provider "aws" {
    region = "us-east-1"
  }

  resource "aws_network_acl" "example" {
    vpc_id = "vpc-12345678"

    # Association is what makes the NACL take effect; without subnet_ids it is
    # created but enforces nothing. Placeholder subnet ID; this replaces the
    # subnets' current NACL association.
    subnet_ids = ["subnet-12345678"]

    # Rules are evaluated in ascending rule_no order, so the deny comes first.
    ingress {
      rule_no     = 100
      protocol    = "-1" # all protocols and ports, not only TCP
      from_port   = 0
      to_port     = 0
      cidr_block  = "malicious.ip.address/32" # replace with the attacker IP
      rule_action = "deny"
    }

    # Anything not matched by a rule is denied, so legitimate inbound traffic
    # needs an explicit allow after the deny.
    ingress {
      rule_no     = 200
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      cidr_block  = "0.0.0.0/0"
      rule_action = "allow"
    }

    egress {
      rule_no     = 100
      protocol    = "-1" # All traffic
      from_port   = 0
      to_port     = 0
      cidr_block  = "0.0.0.0/0"
      rule_action = "allow"
    }
  }