HashiCorp Cloud Platform
scan tfe-variables
Beta feature
This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.
Note
You must have version 0.17.0 or higher of the Vault Radar CLI installed.
To check the current version of your CLI, use the version command.
The scan tfe-variables command scans the non-sensitive variables in an HCP Terraform (previously known as Terraform Cloud) or Terraform Enterprise organization and identifies variable values that contain secrets. All non-sensitive variables defined in variable sets and workspaces are scanned, and both Terraform variables and environment variables are covered. A variable that is not marked sensitive is stored and displayed in plaintext to anyone who can read the workspace, so a credential placed in one is effectively exposed; this scan finds those cases.
Authentication
The scan tfe-variables command needs authentication credentials in order to make requests to HCP Terraform or Terraform Enterprise.
Terraform Enterprise (TFE)
To provide this information to vault-radar, specify the following environment variables. Because the scan reads the variables of every workspace and variable set in the organization, the token you supply needs read access to all of them; treat the token as a secret in its own right and do not commit it to version control.
HCP Terraform
For HCP Terraform, use https://app.terraform.io as TFE_ADDRESS.
Usage
Usage: vault-radar scan tfe-variables [options]
The following examples all assume that you have already set the appropriate environment variables, or that you intend to include them as part of the command you run.
Scanning variables in all workspaces
Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to a file in CSV format, which is the default output format.
$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
-o <PATH TO OUTPUT>.csv
Scanning variables in all workspaces and output in JSON
Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to a file in JSON Lines format.
$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
-o <PATH TO OUTPUT>.jsonl \
-f json
HCP connection scanning behavior
The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.
To scan without an HCP cloud connection, use the --offline flag. Note that offline scans cannot use the shared salt, so hashes produced offline will not line up with those from connected scans.
$ vault-radar scan tfe-variables --offline \
--org <TFE ORGANIZATION> \
-o <PATH TO OUTPUT>.csv
Scanning using a Vault index file
Perform a scan using a generated Vault index and write the results to an output file. In this mode, if a risk was previously found in Vault, the scan results also report its location in Vault.
$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
-o <PATH TO OUTPUT>.csv \
--index-file <PATH TO VAULT INDEX>.jsonl
Scan and restrict the number of secrets found
Scan all workspaces in an HCP Terraform or Terraform Enterprise organization, write the results to an output file, and stop scanning once the defined number of secrets has been found.
$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
-o <PATH TO OUTPUT>.csv \
-l <NUM OF SECRETS>
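As an added example that is not part of the HashiCorp documentation or the Vault Radar CLI itself, the following POSIX shell wrapper ties the sections above together for use in a pipeline: it enforces the minimum CLI version stated in the note (0.17.0), refuses to run without the TFE connection settings, and assembles the scan options from the usage examples (JSON Lines by file extension, --offline only when no HCP credentials are present, an optional Vault index file, and an optional finding limit). The names TFE_TOKEN, HCP_CLIENT_ID, HCP_CLIENT_SECRET and VAULT_INDEX_FILE, and the assumption that `vault-radar version` prints a dotted version number, are this example's own and are not stated on this page.

```shell
#!/bin/sh
# Added example, not part of the Vault Radar documentation: a wrapper for
# running `vault-radar scan tfe-variables` from CI. It enforces the minimum
# CLI version the page states (0.17.0), refuses to run without the TFE
# connection settings, and assembles the options from the usage examples.
# ASSUMED (not stated on the page): the token variable is named TFE_TOKEN,
# the HCP credentials are HCP_CLIENT_ID/HCP_CLIENT_SECRET, VAULT_INDEX_FILE
# is a wrapper-only variable, and `vault-radar version` prints a dotted
# version number somewhere in its output.
set -eu

MIN_RADAR_VERSION="0.17.0"
HCP_TERRAFORM_ADDRESS="https://app.terraform.io"   # TFE_ADDRESS for HCP Terraform

# version_ge A B: succeed when dotted version A is >= B (up to three numeric
# fields; a leading "v" and any suffix such as "-beta" are ignored).
version_ge() {
  va=${1#v}; vb=${2#v}
  va=${va%%[!0-9.]*}.; vb=${vb%%[!0-9.]*}.   # drop suffix, ensure a delimiter
  i=1
  while [ "$i" -le 3 ]; do
    fa=$(printf '%s' "$va" | cut -s -d. -f"$i")
    fb=$(printf '%s' "$vb" | cut -s -d. -f"$i")
    fa=${fa:-0}; fb=${fb:-0}
    [ "$fa" -gt "$fb" ] && return 0
    [ "$fa" -lt "$fb" ] && return 1
    i=$((i + 1))
  done
  return 0
}

# require_tfe_env: the scan cannot authenticate without both settings.
require_tfe_env() {
  if [ -z "${TFE_ADDRESS:-}" ] || [ -z "${TFE_TOKEN:-}" ]; then
    echo "set TFE_ADDRESS (use $HCP_TERRAFORM_ADDRESS for HCP Terraform) and TFE_TOKEN" >&2
    return 1
  fi
  return 0
}

# tfe_scan_args ORG OUTPUT [LIMIT]: print the options for the scan.
#   - output format follows the extension: .jsonl -> JSON Lines, otherwise
#     the CLI's default CSV
#   - --offline is added only when no HCP credentials are present, so a
#     configured pipeline keeps the shared-salt hashing the page describes
#   - VAULT_INDEX_FILE (ASSUMED wrapper variable) adds --index-file
#   - LIMIT stops the scan after that many findings (-l)
tfe_scan_args() {
  org=$1; out=$2; limit=${3:-}
  args="scan tfe-variables --org $org -o $out"
  case "$out" in *.jsonl) args="$args -f json" ;; esac
  if [ -z "${HCP_CLIENT_ID:-}" ] || [ -z "${HCP_CLIENT_SECRET:-}" ]; then
    args="$args --offline"
  fi
  [ -n "${VAULT_INDEX_FILE:-}" ] && args="$args --index-file $VAULT_INDEX_FILE"
  [ -n "$limit" ] && args="$args -l $limit"
  printf '%s' "$args"
}

# run_scan ORG OUTPUT [LIMIT]: check the CLI version and environment, then
# execute the scan. Not called at load time so the file can be sourced.
run_scan() {
  installed=$(vault-radar version 2>/dev/null | grep -o '[0-9][0-9.]*' | head -n 1)
  if ! version_ge "${installed:-0}" "$MIN_RADAR_VERSION"; then
    echo "vault-radar ${installed:-unknown} is too old; need >= $MIN_RADAR_VERSION" >&2
    return 1
  fi
  require_tfe_env || return 1
  # shellcheck disable=SC2046 -- the option string is deliberately word-split
  vault-radar $(tfe_scan_args "$@")
}
```

Source the file and call `run_scan <TFE ORGANIZATION> results.jsonl` (optionally with a finding limit as a third argument). The wrapper deliberately falls back to --offline rather than failing when HCP credentials are missing; if cross-scan hash consistency matters in your pipeline, invert that check so a missing HCP connection aborts the job instead.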