How to Use the Terraform Destroy Command to Control Cyber Attack Damage

Published on: 30 May 2024



In many cases, cutting something off is necessary to avoid bigger damage. This is the idea behind controlled infrastructure removal, the elimination of some parts of your cloud infrastructure to contain an attack or remove a potential attack surface. It is an important part of infrastructure-as-code (IaC) management and something organizations need to be familiar with as they secure their cloud environments and the apps they develop.

The Terraform command for this controlled removal of part of the infrastructure is “destroy”. It is crucial in Terraform-based IaC management, as it removes infrastructure components that were provisioned through IaC configuration. When the command runs, Terraform reads the state file to identify the resources it manages and removes them from the cloud environment. The command can delete all or only some of the infrastructure defined in IaC.

Below is a guide for how to use the destroy command to minimize the adverse impact of a cyber attack on infrastructure. This guide addresses both preventive and mitigative actions.

Destroying Specific Resources

The key to leveraging the Terraform destroy command to minimize cyber attack damage is its ability to remove specific resources. It can remove all of the infrastructure previously defined with Terraform across your devops environments, but it can also target individual components.

To use Terraform destroy for a specific resource, the -target flag is required. The syntax is shown below, where resource_type and resource_name are replaced with the type and name of the resource being removed:

terraform destroy -target=resource_type.resource_name

Ordinarily, when the destroy command is executed, Terraform will ask, “Do you really want to destroy all resources?” – to which the only response is either yes or no. If the response is in the affirmative, all provisioned infrastructure, including all instances in the state file, would be deleted. By using the -target flag, only a specified resource or set of resources is eliminated, while the rest of the infrastructure remains intact.

Suppose the provisioned infrastructure creates two Elastic Compute Cloud (EC2) instances (for example, instance-01 and instance-02). Since EC2 is an Amazon Web Services (AWS) service, the managed resource here has “aws_instance” as its resource type. If the plain destroy command is used, both instance-01 and instance-02 are wiped out. By using the -target flag, it is possible to remove only one of the two instances. Here is an example of a terraform destroy command with a -target flag that removes only the second instance:

terraform destroy -target=aws_instance.instance-02

It is also possible to remove specific resources through the configuration. This approach is slightly more complex, but it is applicable in cases when a specific resource needs to be removed permanently from the infrastructure because its continued existence only adds unnecessary clutter. 

To do this, the specific resource has to be identified by running the “plan” command and then editing the configuration file to remove the block that defines the resource targeted for deletion. Next, the plan command is run again to verify that only the target resource will be affected once the destroy command is executed. There is no -target flag needed for this approach.

Potential Targets for ‘Terraform Destroy’ to Remove

Nearly all types of resources can be affected by cyber attacks. To be clear, Terraform itself is not what threat actors target. They focus on the resources defined by Terraform. These resources include storage resources, cloud compute instances, database resources, network resources, and identity and access management resources.

Storage resources are known as S3 buckets in AWS, with the type indicated as aws_s3_bucket. In Microsoft’s Azure, the counterpart is known as azure_storage_account. These storage resources can be compromised and lead to data leaks similar to the unsecured S3 bucket of THSuite reported in 2020. They can also be used to facilitate the distribution of malware.

Cloud compute instances are similar to the EC2 instances mentioned above, which can be aws_instance for AWS or azure_vm for Azure virtual machines. These cloud instances can have vulnerabilities hackers can exploit to get unauthorized access and launch other cyber attacks.

Meanwhile, database resources can have vulnerabilities such as misconfigurations and stolen credentials that allow cybercriminals to steal critical data and extort organizations. Examples of database resources are the RDS clusters of AWS (aws_rds_cluster) and Azure’s Cosmos DB accounts (azure_cosmosdb_account).

Network resources are usually the security groups managed in Terraform. Examples of these are Azure’s azure_network_security_group and Amazon’s aws_security_group. If these network resources have security issues like misconfigurations, they may enable unauthorized access to internal resources. These can lead to a host of dangerous consequences and disrupt operations.

Moreover, identity and access management (IAM) resources are used in Terraform to oversee roles and configure permissions for user access to resources. Threat actors can compromise these and render passwords and other secrets useless.

It would be overkill and highly inefficient to perform a nuclear destroy command for all resources if it can be ascertained that only specific resources have been compromised. Also, it makes sense to target specific resources for removal to avoid a temporary shutdown of operations and the need to redo all configurations from the start. Running the Terraform destroy command with the -target flag or by editing the configuration file provides a good way to perform controlled infrastructure removal to discard potentially compromised components or preemptively take out resources that are targeted by threat actors.

Best Practices

The Terraform destroy command should be used cautiously, though. Its effects cannot be reversed, and there’s no rollback option to bring back specific states. As such, it is important to always have backups for the state files and sensitive data that will be affected by the command. 

Terraform automatically writes a terraform.tfstate.backup file before it updates the terraform.tfstate file. This is not enough on its own: a separate backup of the current state should be created in addition to the automatically generated .backup file, which is overwritten on the next state change.

It is also advisable to make it a habit to use workspaces to isolate environments when conducting tests while examining possible compromises on resources. With Terraform’s workspaces, the destroy command can be tested first, before proceeding with final execution on the infrastructure. 

It is important to be mindful of which environment is in use, though. Teams sometimes lose track of which of their multiple workspaces is currently selected, so they might accidentally execute the Terraform destroy command in the real environment rather than the test workspace.

Moreover, organizations need a structured approach when using critical commands in Terraform. All actions should be reviewed and, preferably, approved before commands are executed outside test workspaces.

Controlled and Measured Destruction

The Terraform destroy command is like a weapon. It can destroy infrastructure resources entirely in a matter of seconds. Hence, it cannot be applied arbitrarily or in a willy-nilly manner. It is a must to use it with great control and precision. When collaborating with security teams, IaC and devops specialists need to master this command along with the other commands used in Terraform. Its use is not limited to infrastructure provisioning and management. It also plays a role in infrastructure security and in responding to cyber attacks.

Narendra Sahoo

Narendra Sahoo (PCI QPA, PCI QSA, PCI SSF ASSESSOR, CISSP, CISA, CRISC, 27001 LA) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2 Compliance & Audit, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.