HashiConf 2024 Now streaming live from Boston! Attend for free
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

scan tfe-variables

Beta feature

This feature is currently available as beta. The beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Note

You must have version 0.5.0 or higher of the Vault Radar CLI installed.

To check the current version of your CLI, use the version command.

The scan tfe-variables command is used for scanning non-sensitive variables in an HCP Terraform (previously known as Terraform Cloud) or Terraform Enterprise organization and identifying variable values that contain sensitive secrets. All non-sensitive variables defined in Variable sets and Workspaces are scanned. Both Terraform and Environment variables are scanned.

Authentication

The scan tfe-variables command needs some authentication credentials in order to be able to make requests to HCP Terraform or Terraform Enterprise.

Terraform Enterprise (TFE)

In order to provide the information to vault-radar, specify the following environment variables:

  1. TFE_ADDRESS
  2. TFE_TOKEN

HCP Terraform

For HCP Terraform, use https://app.terraform.io as TFE_ADDRESS

Usage

Usage: vault-radar scan tfe-variables [options]

The following examples all assume you have already set the appropriate environment variable or that you intend to include them as part of the command you run.

Scanning variables in all workspaces

Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to a file in CSV format, this is the default format for output. 

$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
    -o <PATH TO OUTPUT>.csv

Scanning variables in all workspaces and output in JSON

Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to a file in JSON Lines format. 

$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
    -o <PATH TO OUTPUT>.jsonl \
    -f json

HCP connection scanning behavior

The default behavior of scan commands is to require an HCP cloud connection to scan. This is to ensure that hashes are generated using a shared salt from the cloud keeping consistency across scans. In order to populate the HCP connection information needed, refer to the HCP upload page.

To allow for scanning to continue working without the need for HCP cloud connection you can use the new --offline flag as such.

$ vault-radar scan tfe-variables --offline \
    --org <TFE ORGANIZATION> \
    -o <PATH TO OUTPUT>.csv

Scanning using a Vault index file

Perform a scan using a generated vault index and write the results to an outfile. In this mode, if a risk was previously found in Vault, the scan results will report the location in Vault as well.

$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
    -o <PATH TO OUTPUT>.csv \
    --index-file <PATH TO VAULT INDEX>.jsonl

How to generate a Vault Index

Scan and restrict the number of secrets found

Scan all workspaces in an HCP Terraform or Terraform Enterprise organization and write the results to an outfile and stop scanning when the defined number of secrets are found.

$ vault-radar scan tfe-variables --org <TFE ORGANIZATION> \
    -o <PATH TO OUTPUT>.csv \
    -l <NUM OF SECRETS>