IaC sources usage

Supported IaC sources

At this time, the snyk iac describe command supports reading Terraform states, as follows:
  • Local: --from="tfstate://terraform.tfstate"
  • S3: --from="tfstate+s3://my-bucket/path/to/state.tfstate"
  • GCS: --from="tfstate+gs://my-bucket/path/to/state.tfstate"
  • HTTPS: --from="tfstate+https://my-url/state.tfstate"
  • Terraform Cloud / Terraform Enterprise: --from="tfstate+tfcloud://WORKSPACE_ID"
  • Azure blob storage: --from="tfstate+azurerm://container-name/path/to/state.tfstate"
For any backend that is not supported, use terraform to pull the state into a local file and then point snyk iac describe at that file:

    $ terraform state pull > state.tfstate
    $ snyk iac describe --from="tfstate://state.tfstate"

S3 read-only access IAM policy

The snyk iac describe command needs read-only access. The following policy ensures minimal access to your state file.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListBucket",
          "Resource": "arn:aws:s3:::mybucket"
        },
        {
          "Effect": "Allow",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::mybucket/path/to/my/key"
        }
      ]
    }
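To check that a policy you are about to attach stays within the read-only shape above, here is a small added linter (example code, not part of the Snyk documentation or CLI). It flags any action other than s3:ListBucket and s3:GetObject, any wildcard resource, and a GetObject grant that names a bucket instead of the state object key; the sample policies at the bottom are constructed for the demonstration.

```python
import json

# Actions snyk iac describe needs for an S3-backed state: list the bucket and
# read the single state object. Anything beyond this is excess privilege.
READ_ONLY_ACTIONS = {"s3:ListBucket", "s3:GetObject"}


def _as_list(value):
    """IAM accepts a single value or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def policy_findings(policy_json: str) -> list:
    """Return the ways an IAM policy exceeds read-only access to one state file.

    An empty list means the policy matches the least-privilege shape above.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            # Catches "*", "s3:*", "s3:Put*" and any explicit write/delete action.
            if action not in READ_ONLY_ACTIONS:
                findings.append(f"statement {idx}: action {action!r} is not read-only")
        for res in resources:
            if "*" in res or "?" in res:
                findings.append(f"statement {idx}: wildcard resource {res!r}")
            # ARN suffix is "bucket" for a bucket ARN and "bucket/key" for an object.
            elif "s3:GetObject" in actions and "/" not in res.split(":::", 1)[-1]:
                findings.append(
                    f"statement {idx}: s3:GetObject on {res!r} should name the state object key")
    return findings


# Constructed samples (not from the page): the tight policy beside an over-broad one.
TIGHT_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::mybucket"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::mybucket/path/to/my/key"}]})
BROAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::mybucket/*"}]})

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("broad", BROAD_POLICY)):
        print(name, policy_findings(policy) or "ok")
```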

HTTP + GitLab

The HTTP backend supports the GitLab managed Terraform state using the GitLab API.
You need a GitLab repository that contains a Terraform state and an access token with the read_api scope.
Use the following command:
    $ GITLAB_TOKEN=<access_token> \
      snyk iac describe \
      --from="tfstate+https://gitlab.com/api/v4/projects/<project_id>/terraform/state/<path_to_state>" \
      --headers "Authorization=Bearer ${GITLAB_TOKEN}"
For more information, see GitLab-managed Terraform state in the GitLab documentation.

Azure Blob Storage

To access state from Azure Blob Storage, define the following environment variables:
    $ export AZURE_STORAGE_ACCOUNT=...
    $ export AZURE_STORAGE_KEY=...
    $ snyk iac describe --from="tfstate+azurerm://my-container/terraform.tfstate"
You can find these values in your Azure console, under the storage account's access keys.
[Screenshot: Azure storage access keys]