feat: tidied up terraform parsing, updated docs too #16

threatcl · Nov 8, 2021 · 4b38a9a · 4b38a9a
1 parent 9391267
commit 4b38a9a
Show file tree

Hide file tree

Showing 7 changed files with 66 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -249,3 +249,44 @@ Successfully created 'testout/tm2-modellymodel.png'
 ```
 
 If your `threatmodel` doesn't include a `diagram_link`, but does include a `data_flow_diagram`, then this will also be rendered when running `hcltm dashboard`.
+
+## Terraform
+
+The `hcltm terraform` command is able to extract data resources from the `terraform show -json` [docs here](https://www.terraform.io/docs/cli/commands/show.html) output of plan files, or active state files, and convert these into drafted `information_asset` blocks for inclusion in `hcltm` files.
+
+If you're in a folder with existing state, you can execute the following:
+
+```bash
+terraform show -json | hcltm terraform -stdin
+```
+
+This will output something similar to this:
+
+```bash
+information_asset "aws_rds_cluster default" {
+  description                = "cluster_identifier: aurora-cluster-demo, database_name: mydb"
+  information_classification = ""
+  source                     = "terraform state"
+}
+information_asset "aws_s3_bucket example" {
+  description                = "bucket: terraform-20211107232017071500000001"
+  information_classification = ""
+  source                     = "terraform state"
+}
+```
+
+You can also see similar output from a plan file that hasn't yet been applied with Terraform by running:
+
+```bash
+terraform show -json <plan-file> | hcltm terraform -stdin
+```
+
+If you want to update an existing `hcltm` threat model file ("threatmodel.hcl") you can with:
+
+```bash
+terraform show -json <plan> | hcltm terraform -stdin -add-to-existing=threatmodel.hcl > new-threatmodel.hcl
+```
+
+With the `-add-to-existing` flag, you can also specify `-tm-name=<string>` if you need to specify a particular threat model from the source file, if there are multiple. And you can also apply a default classification, with the `-default-classification=Confidential` flag.
+
+These commands can also take a file as input too, in which case, omit the `-stdin` flag.
diff --git a/cmd/hcltm/terraform.go b/cmd/hcltm/terraform.go
@@ -223,8 +223,6 @@ func (c *TerraformCommand) Run(args []string) int {
 		}
 
 	case StateMode:
-		fmt.Printf("State Mode\n")
-		fmt.Printf("%d\n", len(s.Values.RootModule.Resources))
 		for _, r := range s.Values.RootModule.Resources {
 			provName := strings.Split(r.Type, "_")
 			if len(provName) > 1 {
@@ -249,21 +247,27 @@ func (c *TerraformCommand) Run(args []string) int {
 							}
 						}
 
-						err = c.out(&tmAsset, os.Stdout)
-						if err != nil {
-							fmt.Printf("Error writing out: %s\n", err)
-							return 1
-						}
+						if c.flagAddToExisting != "" {
+							tm.InformationAssets = append(tm.InformationAssets, &tmAsset)
 
+						} else {
+							err = c.out(&tmAsset, os.Stdout)
+							if err != nil {
+								fmt.Printf("Error writing out: %s\n", err)
+								return 1
+							}
+						}
 					}
 				}
 			}
 		}
 
 	case UnknownMode:
 		fmt.Printf("Unknown mode\n")
+		return 1
 	default:
 		fmt.Printf("Unknown mode\n")
+		return 1
 	}
 
 	if c.flagAddToExisting != "" {

diff --git a/cmd/hcltm/util.go b/cmd/hcltm/util.go
@@ -70,6 +70,10 @@ threatmodel "threatmodel name" {
 
     // information_classification must be one of '{{.InfoClassificationOptions}}'
     information_classification = "{{.DefaultInfoClassification}}"
+
+    // source is optional, and can be used to specify if this asset was sourced
+    // from an external resource, such as terraform
+    source = "terraform"
   }
 
   information_asset "special sauce" {

diff --git a/examples/threatmodel-template-html.tpl b/examples/threatmodel-template-html.tpl
@@ -55,6 +55,8 @@ Diagram: <a href="{{ .DiagramLink }}">{{ .DiagramLink }}</a><br />
 <h3>{{ .Name }} [{{ .InformationClassification }}]</h3>
 
 {{ .Description }}
+{{ if .Source }}
+Source: {{ .Source }}{{- end }}
 {{ end }}
 {{- end }}
 {{- with .Threats }}

diff --git a/examples/threatmodel-template.tpl b/examples/threatmodel-template.tpl
@@ -48,6 +48,8 @@ Diagram: {{ .DiagramLink }}
 ### {{ .Name }} [{{ .InformationClassification }}]
 
 {{ .Description }}
+{{ if .Source }}
+> Source: {{ .Source }}{{- end }}
 {{ end }}
 {{- end }}
 {{- with .Threats }}

diff --git a/pkg/spec/dashboard-templates.go b/pkg/spec/dashboard-templates.go
@@ -51,6 +51,8 @@ Diagram: {{ .DiagramLink }}
 ### {{ .Name }} [{{ .InformationClassification }}]
 
 {{ .Description }}
+{{ if .Source }}
+> Source: {{ .Source }}{{- end }}
 {{ end }}
 {{- end }}
 {{- with .Threats }}

diff --git a/spec.hcl b/spec.hcl
@@ -53,6 +53,10 @@ threatmodel "threatmodel name" {
 
     // information_classification must be one of 'Restricted, Confidential, Public'
     information_classification = "Confidential"
+
+    // source is optional, and can be used to specify if this asset was sourced
+    // from an external resource, such as terraform
+    source = "terraform"
   }
 
   information_asset "special sauce" {