Configure Snyk run task in HCP Terraform
HCP Terraform run tasks let you customize your HCP Terraform workflow by integrating third-party tools such as vulnerability scanners, cost management, code scanning, and more into the infrastructure provisioning process. Run tasks send details about a Terraform run to external tools between the plan and apply stages of a run. The external tools run against the plan contents and return a status response with the results. Based on the response, you can configure your HCP Terraform run task to continue or halt the run.
In this tutorial, you will create an HCP Terraform run task for Snyk, an external policy-as-code service, to detect an overly permissive AWS security group in a run’s planned resources. You will configure a Snyk integration for HCP Terraform and create a corresponding run task in your HCP Terraform organization to learn how run task integrations such as Snyk can help you identify and mitigate security misconfiguration in your infrastructure.
Note
HCP Terraform Free Edition includes one run task integration that you can apply to up to ten workspaces. Refer to HCP Terraform pricing for details.
Prerequisites
This tutorial assumes you have completed the HCP Terraform Getting Started Tutorial and you are familiar with the standard Terraform workflow. If you are not familiar with either, complete the Terraform Get Started and HCP Terraform Get Started tutorials first.
You will also need:
- An HCP Terraform account
- A Snyk account
- An AWS account
Note
This tutorial assumes that you are using a tutorial-specific HCP Terraform organization with a global variable set of your AWS credentials. Review the Create a Credential Variable Set tutorial for detailed guidance.
Get Snyk credentials for Terraform
Sign in to your Snyk account and navigate to the Integrations page. Search for terraform and select the Terraform-Cloud integration.
Snyk will display your account credentials that you will use to configure the integration in HCP Terraform. Keep this page open. In the next section, you will use these credentials to connect your Snyk account to your HCP Terraform organization.
Create a run task
Snyk’s infrastructure-as-code checks have a default set of security policies that check for common vulnerabilities and misconfigurations across cloud providers. In this tutorial, you will trigger Snyk’s checks for overly permissive ingress rules on AWS security groups.
In a new browser window, navigate to your HCP Terraform account. Navigate to the Run tasks section of your organization settings and click Create run task. Name the run task learn-run-tasks-snyk and leave the Enabled option checked. Then, paste in the Endpoint URL and HMAC key from the Snyk browser window you left open in the previous step. Finally, click Create run task.
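The Endpoint URL and HMAC key you just pasted are the two halves of the exchange described in the introduction: HCP Terraform POSTs run details to the endpoint between plan and apply, signs the body with the HMAC key, and the external tool later reports a passed or failed status through a callback. The following helpers show what a receiving service does with that request. This is an added example, not HashiCorp's or Snyk's code; the header name, field names and callback shape follow the HCP Terraform run task API as the author understands it, and every key, token and URL value is constructed.

```python
"""Run task receiver helpers for the exchange described in this tutorial:
HCP Terraform POSTs run details to the endpoint URL, signs the body with the
HMAC key, and the tool later reports passed/failed through a callback.
Added example (not HashiCorp's or Snyk's code); header and field names follow
the HCP Terraform run task API as the author understands them, and every value
below is constructed."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed secret: the HMAC key you paste in when creating the run task.
HMAC_KEY = b"constructed-example-hmac-key"

# Constructed request body in the shape HCP Terraform posts between plan and
# apply (a subset of the documented fields).
SAMPLE_REQUEST = {
    "payload_version": 1,
    "stage": "post_plan",
    "access_token": "constructed-access-token",
    "task_result_id": "taskrs-EXAMPLE",
    "task_result_enforcement_level": "advisory",
    "task_result_callback_url": "https://app.terraform.io/api/v2/task-results/taskrs-EXAMPLE/callback",
    "run_id": "run-EXAMPLE",
    "workspace_name": "learn-terraform-cloud-run-tasks-snyk",
    "plan_json_api_url": "https://app.terraform.io/api/v2/plans/plan-EXAMPLE/json-output",
}


def encode_request(payload: dict) -> bytes:
    """Serialise a payload the way it would arrive on the wire."""
    return json.dumps(payload, separators=(",", ":")).encode()


def sign(body: bytes, key: bytes) -> str:
    """HMAC-SHA512 hex digest of the raw body; HCP Terraform sends this in the
    X-TFC-Task-Signature header when the run task has an HMAC key."""
    return hmac.new(key, body, hashlib.sha512).hexdigest()


def verify_signature(body: bytes, header_value: str, key: bytes) -> bool:
    """Constant-time comparison so the check does not leak timing information."""
    return hmac.compare_digest(sign(body, key), header_value)


def is_verification_request(payload: dict) -> bool:
    """HCP Terraform probes a new run task with access_token "test-token" and
    only needs a 200 back; there is nothing to scan."""
    return payload.get("access_token") == "test-token"


def build_callback(status: str, message: str, url: Optional[str] = None) -> dict:
    """Body for the PATCH to task_result_callback_url (sent with
    Authorization: Bearer <access_token>). status is running, passed or failed."""
    if status not in {"running", "passed", "failed"}:
        raise ValueError("unknown task status: " + status)
    attributes = {"status": status, "message": message}
    if url:
        attributes["url"] = url  # "Details" link shown in the HCP Terraform UI
    return {"data": {"type": "task-results", "attributes": attributes}}


def handle_request(body: bytes, signature: str, key: bytes) -> Tuple[int, Optional[dict]]:
    """Return the HTTP status to answer with and, for a real run, the first
    callback body to PATCH. Reject anything whose signature does not verify
    before parsing it, so forged requests never reach the JSON decoder."""
    if not verify_signature(body, signature, key):
        return 401, None
    payload = json.loads(body)
    if is_verification_request(payload):
        return 200, None
    # Acknowledge quickly; the scan of plan_json_api_url runs afterwards and
    # finishes with a second callback of passed or failed.
    return 200, build_callback("running", "scan queued for " + payload.get("run_id", "unknown run"))
```

The signature check is the reason the HMAC key matters: without it, anyone who learns the endpoint URL could submit a fabricated plan and have its verdict reported back to your workspace. The receiver answers the initial POST with a 200 and does the actual scan afterwards, reporting the final verdict with a second callback.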
Create an example workspace
Fork the example repository for this tutorial. This repository contains Terraform configuration for an overly permissive security group that allows global ingress SSH traffic.
Next, create a VCS-driven HCP Terraform workspace connected to your forked learn-terraform-cloud-run-tasks-snyk repository.
Tip
If you have not yet configured your GitHub integration with HCP Terraform, review the VCS-driven workflow tutorial. If you are using an alternative VCS provider, review the documentation for configuration guidance.
Associate run task with workspace
Navigate to your workspace’s run task settings and select the learn-run-tasks-snyk card.
Run tasks have two enforcement levels: advisory and mandatory.
- Advisory run tasks will notify if they fail during a run, but still allow users to apply the execution plan. You could use an advisory enforcement level to confirm acceptable but not ideal changes, such as over-provisioned capacity on a resource in a development environment.
- Mandatory run tasks stop the run if they fail. You could use a mandatory enforcement level to ensure users do not violate non-negotiable organizational policies, such as public-read buckets.
You can set different enforcement levels on a run task in each workspace it is associated with.
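To make the two enforcement levels concrete against the configuration this tutorial uses (a security group that allows SSH ingress from anywhere), the following added example scans a Terraform plan JSON document for that condition and then applies the advisory or mandatory decision the way the run task flow does. It is not Snyk's rule engine and not code from the tutorial repository; the plan document is constructed from the shape `terraform show -json` produces, and the check is an approximation of the kind of policy Snyk applies.

```python
"""Scan a Terraform plan JSON document for security groups that allow SSH
ingress from the whole internet, then apply a run task enforcement level.
Added example, not Snyk's implementation; the plan snippet is constructed in
the shape of `terraform show -json` output, trimmed to the relevant fields."""
from typing import List, Tuple

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed plan: one SG open to the world on 22, one rule restricted to an
# office range, and one SG being deleted (its old openness is irrelevant).
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {
            "address": "aws_security_group.allow_ssh",
            "type": "aws_security_group",
            "change": {
                "actions": ["create"],
                "after": {
                    "name": "allow_ssh",
                    "ingress": [
                        {"from_port": 22, "to_port": 22, "protocol": "tcp",
                         "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": []}
                    ],
                },
            },
        },
        {
            "address": "aws_security_group_rule.office_ssh",
            "type": "aws_security_group_rule",
            "change": {
                "actions": ["create"],
                "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                          "protocol": "tcp", "cidr_blocks": ["203.0.113.0/24"]},
            },
        },
        {
            "address": "aws_security_group.legacy",
            "type": "aws_security_group",
            "change": {
                "actions": ["delete"],
                "before": {"ingress": [{"from_port": 0, "to_port": 0, "protocol": "-1",
                                        "cidr_blocks": ["0.0.0.0/0"]}]},
                "after": None,
            },
        },
    ],
}


def _covers_ssh(rule: dict) -> bool:
    """True when the rule admits TCP/22: either all protocols (-1) or a
    from_port..to_port range that includes 22."""
    if str(rule.get("protocol", "tcp")) == "-1":
        return True
    frm, to = rule.get("from_port"), rule.get("to_port")
    if frm is None or to is None:
        return False
    return int(frm) <= 22 <= int(to)


def _world_open(rule: dict) -> bool:
    """Collect the CIDR attributes used by the inline ingress block,
    aws_security_group_rule and aws_vpc_security_group_ingress_rule."""
    cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
    for single in ("cidr_ipv4", "cidr_ipv6"):
        if rule.get(single):
            cidrs.add(rule[single])
    return bool(cidrs & WORLD)


def find_global_ssh(plan: dict) -> List[str]:
    """Addresses of planned resources that would leave SSH open to the world.
    Only the post-change state ("after") matters; deletions have none."""
    findings = []
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if not after:
            continue
        rtype = rc.get("type")
        if rtype == "aws_security_group":
            rules = after.get("ingress") or []
        elif rtype == "aws_security_group_rule" and after.get("type") == "ingress":
            rules = [after]
        elif rtype == "aws_vpc_security_group_ingress_rule":
            rules = [after]
        else:
            rules = []
        if any(_covers_ssh(r) and _world_open(r) for r in rules):
            findings.append(rc["address"])
    return findings


def evaluate(plan: dict, enforcement_level: str) -> Tuple[str, bool, str]:
    """Return (task status, whether apply is still allowed, message).
    Advisory: the task fails but the user may still apply.
    Mandatory: the failed task halts the run before apply."""
    findings = find_global_ssh(plan)
    if not findings:
        return "passed", True, "no planned security group allows SSH from 0.0.0.0/0 or ::/0"
    message = "SSH open to the world: " + ", ".join(findings)
    return "failed", enforcement_level == "advisory", message
```

Running `evaluate(SAMPLE_PLAN, "advisory")` reports a failed task that still allows apply, which is the behaviour you see in the next section; `evaluate(SAMPLE_PLAN, "mandatory")` reports the same finding but blocks apply, which is what you switch to later in the tutorial.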
Set the Enforcement Level to Advisory and click Create.
Trigger a run task failure
From the Actions menu in your workspace, select Start new run, then Start run. After Terraform determines the execution plan, it will perform the run task.
Though the security group you attempted to provision allows global ingress and fails the Snyk policy, the run task passes because you chose the Advisory enforcement level. You still have the option to apply the configuration.
To get more information about the run task failure, follow the Details link to visit Snyk.
Snyk displays the reason for the failure, the severity, and some options for resolving the issue.
Go back to the HCP Terraform UI and discard the run before moving on.
Change run task enforcement level
While you may wish to allow advisory run tasks in experimental development environments, in production you may want to lock down provisioning to prevent introducing vulnerabilities. To do so, you will change the run task enforcement level to mandatory.
Navigate back to your workspace run task settings. Next to the learn-run-tasks-snyk run task, select ..., then Configure.
Change the enforcement level to Mandatory, then click Save.
Now, trigger another run in the workspace.
This time, since the run task step failed, HCP Terraform does not allow you to apply the run.
Clean up workspace
Since you discarded the first run, your workspace has not provisioned any resources for you to destroy.
Delete your learn-terraform-cloud-run-tasks-snyk HCP Terraform workspace.
You must first destroy any associated workspaces before deleting a run task.
Deleting a workspace does not delete the run tasks it uses.
If you do not plan to continue using the run task, delete it as well. After deleting your workspace, navigate to your HCP Terraform organization's settings, then select Run Tasks in the sidebar. Find your learn-run-tasks-snyk run task and click ... then Edit.
At the bottom of the run task details page, click Delete run task, then confirm by clicking Yes, delete task.
Next steps
In this tutorial, you learned how to configure an HCP Terraform run task for Snyk. You also reviewed the differences between the advisory and mandatory enforcement levels for run tasks.
- Review the documentation for creating your own run task.
- Learn how to control your infrastructure costs using HCP Terraform.
- Learn how to use Sentinel for policy enforcement.