Cloudrail analyzes your IaC for security issues, highlighting only those that are a true risk to your cloud environment. Note that the Cloudrail CLI container is meant to be used in conjunction with the Cloudrail Web UI; if you have not yet registered through the Web UI, please do so first.
Installing Cloudrail Command Line Tool
To install the cloudrail command line tool, make sure you have python3 installed on your machine, then install it into your user space with the following command:
python3 -m pip install cloudrail --user
Running Cloudrail Assessments
Cloudrail can be run as a Static Analysis tool or as a Static + Dynamic Analysis tool.
Static + Dynamic Analysis requires Cloudrail to onboard your cloud account. In the event that this is not available, you can start with the Static Analysis method:
Running A Static Analysis
To run a static analysis on .tf files, first navigate to the directory with the .tf files and run the following command.
During this step, Cloudrail will prompt you interactively for a couple of details and then report its findings for your static Terraform files.
Running A Static + Dynamic Analysis
A static + dynamic analysis combines a Terraform plan file with a cloud account to give you a more detailed understanding of your infrastructure, and of any problems in their wider context. To run this, you must be in an environment where you can generate a Terraform plan file, or have an existing Terraform plan to use.
To run this with the cloudrail command line, use the following command:
cloudrail run -p plan.out --cloud-account-id [account-id]
If your Terraform plan files are only available through your CI/CD pipeline (e.g. a Jenkins server or a hosted CircleCI instance), then you will want to read our instructions for evaluating IaC from your pipeline. We recommend running an evaluation this way.
Command Line Additional Arguments
- To specify the parent directory of all your Terraform files, pass the ‘-d’ flag to ‘cloudrail run’, like so:
cloudrail run -p plan.out -d .
- To auto-approve the filtered plan that Cloudrail generated from your Terraform plan, use the ‘--auto-approve’ argument:
cloudrail run -p plan.out --auto-approve --api-key <API_KEY_FROM_WEB_UI>
- If you would like to first generate the filtered plan, then review it (with a script, for example), and then upload it, start with the ‘generate-filtered-plan’ command, and then pass its output file to ‘cloudrail run’:
cloudrail generate-filtered-plan --output-file filteredplan.json
cloudrail run --filtered-plan filteredplan.json --api-key <API_KEY_FROM_WEB_UI>
- You can set an environment variable called CLOUDRAIL_API_KEY or pass a ‘--api-key’ parameter, instead of using
Testing Cloudrail’s Terraform Sanitization
Cloudrail strips sensitive information such as keys and secrets from your Terraform plan before anything leaves your machine.
The following command lets you validate that filtering before uploading the filtered Terraform plan for analysis:
cloudrail generate-filtered-plan --tf-plan plan.out
As part of its analysis, the Cloudrail CLI makes use of some data from your Terraform files. We filter that file of sensitive information (e.g. IP addresses, credentials, etc.) and upload it to the Cloudrail Service for analysis. After analysis, the file is removed from the Service (that is, it is not kept beyond the time of analysis).
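The "review it with a script" step from the arguments list above and the sanitization check here can be combined into one gate that runs between generate-filtered-plan and cloudrail run. The following is an added example, not Cloudrail's own code: it walks the filtered plan JSON and reports any value that still looks like an AWS access key ID, an IPv4 address, or an unredacted password/secret attribute. The plan layout, the sensitive attribute names and the redaction placeholders are assumptions, and the sample plan is constructed.

```python
import json
import re
import sys

# Patterns that should never survive sanitization. The AWS access key ID format
# is public; the sensitive attribute names and redaction placeholders are assumed.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SENSITIVE_KEY_RE = re.compile(r"password|secret|token|private_key", re.I)
REDACTED = {"", "<redacted>", "***", "[FILTERED]"}

# Constructed sample shaped like a Terraform JSON plan; not real Cloudrail output.
SAMPLE_PLAN = {"resource_changes": [
    {"address": "aws_db_instance.main",
     "change": {"after": {"engine": "postgres", "password": "<redacted>"}}},
    {"address": "aws_iam_access_key.ci",
     "change": {"after": {"user": "ci-bot", "secret": "hunter2"}}},
    {"address": "aws_security_group_rule.ssh",
     "change": {"after": {"cidr_blocks": ["203.0.113.7/32"]}}},
]}

def find_unsanitized(node, path="$"):
    """Walk the parsed plan; return (json_path, reason) for each leaf that still looks sensitive."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if isinstance(value, str) and SENSITIVE_KEY_RE.search(key):
                if value not in REDACTED:  # a secret-like attribute kept its real value
                    findings.append((child, "sensitive-looking key with a non-redacted value"))
            else:
                findings.extend(find_unsanitized(value, child))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings.extend(find_unsanitized(value, f"{path}[{i}]"))
    elif isinstance(node, str):
        if ACCESS_KEY_RE.search(node):
            findings.append((path, "AWS access key ID pattern"))
        elif IPV4_RE.search(node):
            findings.append((path, "IPv4 address literal"))
    return findings

def main(argv):
    plan = SAMPLE_PLAN if len(argv) < 2 else json.load(open(argv[1]))
    findings = find_unsanitized(plan)
    for json_path, reason in findings:
        print(f"{json_path}: {reason}")
    return 1 if findings else 0  # non-zero exit stops the upload step in a pipeline
if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_filtered_plan.py filteredplan.json` between the two commands; a non-zero exit means something the filter should have removed is still present and the plan should not be uploaded.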