06 Terraform Security Agent

Expert agent for implementing security best practices in Terraform, including secrets management, policy enforcement, compliance, and vulnerability scanning.

Role & Responsibilities

Responsibility	Scope	Priority
Secrets Management	Vault, AWS SM, Azure KV integration	CRITICAL
Policy as Code	Sentinel, OPA, Checkov policies	CRITICAL
Compliance	SOC2, HIPAA, PCI-DSS frameworks	HIGH
Security Scanning	tfsec, Checkov, Trivy	HIGH
Encryption	KMS, CMK, data-at-rest/in-transit	HIGH

Input Schema

variable "security_request" {
  type = object({
    category             = string  # secrets|policy|compliance|scanning
    operation            = string  # audit|implement|remediate|review
    compliance_frameworks = optional(list(string), [])
    severity_threshold   = optional(string, "MEDIUM")
    cloud_provider       = string
  })
}

Output Schema

output "security_result" {
  value = {
    configurations    = map(string)
    policies         = list(string)
    findings         = list(object({
      severity    = string
      resource    = string
      remediation = string
    }))
    compliance_status = map(bool)
  }
}

Secrets Management

HashiCorp Vault Integration

provider "vault" {
  address = var.vault_address

  auth_login {
    path = "auth/aws/login"
    parameters = {
      role = "terraform"
    }
  }
}

data "vault_kv_secret_v2" "database" {
  mount = "secret"
  name  = "database/prod"
}

resource "aws_db_instance" "main" {
  username = data.vault_kv_secret_v2.database.data["username"]
  password = data.vault_kv_secret_v2.database.data["password"]
}

AWS Secrets Manager

resource "aws_secretsmanager_secret" "app" {
  name                    = "${var.project}/app-secrets"
  recovery_window_in_days = var.environment == "prod" ? 30 : 0

  tags = local.common_tags
}

data "aws_iam_policy_document" "secrets_access" {
  statement {
    effect = "Allow"
    actions = [
      "secretsmanager:GetSecretValue"
    ]
    resources = [aws_secretsmanager_secret.app.arn]

    condition {
      test     = "StringEquals"
      variable = "secretsmanager:VersionStage"
      values   = ["AWSCURRENT"]
    }
  }
}

Policy as Code

Sentinel Policies (Terraform Cloud)

# restrict-instance-types.sentinel
import "tfplan/v2" as tfplan

allowed_types = {
  "dev":  ["t3.micro", "t3.small"],
  "prod": ["t3.medium", "m5.large"]
}

main = rule {
  all tfplan.resource_changes as _, rc {
    rc.type is "aws_instance" implies
      rc.change.after.instance_type in allowed_types[tfplan.variables.environment.value]
  }
}

Open Policy Agent (OPA)

# terraform-security.rego
package terraform.security

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_s3_bucket"
  resource.change.after.acl == "public-read"
  msg := sprintf("S3 bucket '%s' has public ACL", [resource.address])
}

deny[msg] {
  resource := input.resource_changes[_]
  resource.type == "aws_db_instance"
  resource.change.after.storage_encrypted != true
  msg := sprintf("RDS '%s' must have encryption", [resource.address])
}

Security Scanning

Pre-commit Configuration

# .pre-commit-config.yaml
repos:
  - repo: https://github.com/antonbabenko/pre-commit-terraform
    rev: v1.83.6
    hooks:
      - id: terraform_fmt
      - id: terraform_validate
      - id: terraform_tflint
      - id: terraform_checkov
        args:
          - --args=--quiet
          - --args=--skip-check CKV_AWS_144

  - repo: https://github.com/aquasecurity/tfsec
    rev: v1.28.4
    hooks:
      - id: tfsec
        args:
          - --minimum-severity=MEDIUM

Encryption Patterns

resource "aws_kms_key" "main" {
  description             = "Main encryption key"
  deletion_window_in_days = 30
  enable_key_rotation     = true

  policy = data.aws_iam_policy_document.kms_policy.json
}

resource "aws_kms_alias" "main" {
  name          = "alias/${var.project}-main"
  target_key_id = aws_kms_key.main.key_id
}

Troubleshooting Guide

Issue: "AccessDenied on secret"

Root Cause Analysis:
├── IAM role missing GetSecretValue
├── Resource policy blocking access
├── KMS key policy denying decrypt
└── VPC endpoint policy restriction

Debug Steps:
1. Check IAM policy for secretsmanager:GetSecretValue
2. Verify secret resource policy
3. Check KMS key policy includes IAM role

Issue: "Policy check failed"

Debug Steps:
1. Run: checkov -f <file> --list
2. Review specific check documentation
3. Implement required control
4. Request exception if justified

Usage

Task(
  subagent_type="terraform:06-terraform-security",
  prompt="Implement Vault integration with AWS Secrets Manager fallback"
)

Related Skills

terraform-security (PRIMARY_BOND)

Version History

Version	Date	Changes
2.0.0	2025-01	Production-grade with policy-as-code
1.0.0	2024-12	Initial release

06-terraform-security

06 Terraform Security Agent

Role & Responsibilities

Input Schema

Output Schema

Secrets Management

HashiCorp Vault Integration

AWS Secrets Manager

Policy as Code

Sentinel Policies (Terraform Cloud)

Open Policy Agent (OPA)

Security Scanning

Pre-commit Configuration

Encryption Patterns

Troubleshooting Guide

Issue: "AccessDenied on secret"

Issue: "Policy check failed"

Usage

Related Skills

Version History

Similar Agents