Running Cloudrail CLI

Cloudrail analyzes your IaC for security issues and highlights only those that are a true risk to your cloud environment. The Cloudrail CLI container is meant to be used together with the Cloudrail Web UI, so if you have not yet registered through the Web UI, do so first.

As part of its analysis, the Cloudrail CLI uses some of the data in the Terraform plan file. It strips sensitive information (e.g. IP addresses, credentials) from the file and uploads the filtered result to the Cloudrail Service for analysis. After the analysis the file is removed from the Service; it is not kept beyond the time of analysis.

The following instructions assume that you are running Cloudrail in an environment that can run terraform plan.

If your Terraform plan files are only available through your CI/CD pipeline (e.g. a Jenkins server or a hosted CircleCI instance), then you will want to read our instructions for evaluating IaC from your pipeline. We recommend running an evaluation this way.

Requirements for successfully analyzing IaC security issues

  • Docker execution environment (such as Docker Desktop)
  • A Cloudrail account registered through the Web UI, and its API key

  1. Fetch the API key for your Cloudrail account from the Cloudrail Web UI.
  2. Change your working directory to where your Terraform code is located. Generate a plan and save it, like so:
     terraform plan -out=plan.out
  3. When running Cloudrail on your own workstation, we recommend saving the API key to the container’s cloudrail volume, like so:
     docker run --rm -it -v $PWD:/data -v cloudrail:/indeni indeni/cloudrail-cli config set api_key=<API_KEY_FROM_WEB_UI>
     The key lives in the named Docker volume “cloudrail” (mounted at /indeni), so any later command that should pick it up must mount that same volume.


Testing Cloudrail’s Terraform Sanitization

Cloudrail filters sensitive information such as keys and secrets out of your Terraform plan before anything leaves your environment.

Use the sample Terraform file maintained in our GitHub repo to test the sanitization capability.

The following command lets you validate the filtering before uploading the filtered plan for analysis; it only generates the filtered plan locally and does not submit it:

 docker run --rm -it -v $PWD:/data -v cloudrail:/indeni indeni/cloudrail-cli generate-filtered-plan --tf-plan plan.out

Running Cloudrail Assessment

Cloudrail can be run as a Static Analysis tool or as a Static + Dynamic Analysis tool.

Static + Dynamic Analysis requires Cloudrail to onboard your cloud account, so that the plan is evaluated against the live environment it will be applied to. If you have not onboarded a cloud account yet, start with the Static Analysis method:

  1. Static Analysis Method
     docker run --rm -it -v $PWD:/data -v cloudrail:/indeni indeni/cloudrail-cli run --no-cloud-account -p plan.out
  2. Static + Dynamic Analysis Method
     docker run --rm -it -v $PWD:/data -v cloudrail:/indeni indeni/cloudrail-cli run -p plan.out --cloud-account-id [account-id]

The first time you run this step, Cloudrail will ask you a couple of questions interactively. On subsequent runs you can provide flags to answer them automatically:

  • To specify the parent directory of all your Terraform files, use ‘-d’ as a flag for ‘cloudrail run’, like so:
     docker run --rm -it -v $PWD:/data -v cloudrail:/indeni indeni/cloudrail-cli run -p plan.out -d .
  • To auto-approve the filtered plan that Cloudrail generated from your Terraform plan, use ‘--auto-approve’:
     docker run --rm -it -v $PWD:/data indeni/cloudrail-cli run -p plan.out --auto-approve --api-key <API_KEY_FROM_WEB_UI>
  • If you would like to first generate the filtered plan, review it (with a script, for example), and only then upload it, start with the generate-filtered-plan command and then pass its output to run:
     docker run --rm -it -v $PWD:/data indeni/cloudrail-cli generate-filtered-plan --tf-plan plan.out --output-file filteredplan.json
     docker run --rm -it -v $PWD:/data indeni/cloudrail-cli run --filtered-plan filteredplan.json --api-key <API_KEY_FROM_WEB_UI>
  • The -v $PWD:/data parameter is required, as it gives the container access to your Terraform files for analysis. A command that relies on an API key saved with ‘config set’ also needs -v cloudrail:/indeni, so the container sees the volume the key was saved to; otherwise pass the key explicitly.
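As an added example for the review step above and for the sanitization test earlier on this page (this is not Cloudrail's own tooling and is not part of the original page), here is a small POSIX shell script that scans a generated filtered plan for patterns sanitization should have removed and returns non-zero if any remain, so it can gate the ‘run --filtered-plan’ step in a pipeline. The check_filtered_plan function, the pattern list, and the two sample plan files are assumptions constructed for illustration; the patterns are a starting point, not a complete secret scanner.

```shell
#!/bin/sh
# Added example, not Cloudrail's own code: gate a filtered plan before upload.
# check_filtered_plan FILE returns 0 when none of SENSITIVE_PATTERNS match,
# 1 when at least one does, and 2 when FILE is unreadable.
# The patterns and sample files are assumptions made for this example.

# One POSIX ERE per line: the classes of data the page says sanitization
# removes (credentials, IP addresses) plus key material and secret-like keys.
SENSITIVE_PATTERNS='AKIA[0-9A-Z]{16}
-----BEGIN [A-Z ]*PRIVATE KEY-----
([0-9]{1,3}\.){3}[0-9]{1,3}
"(password|secret|token|private_key)"[[:space:]]*:[[:space:]]*"[^"]+"'

check_filtered_plan() {
    file="$1"
    [ -r "$file" ] || { echo "check_filtered_plan: cannot read $file" >&2; return 2; }
    status=0
    old_ifs=$IFS
    IFS='
'
    for pat in $SENSITIVE_PATTERNS; do
        IFS=$old_ifs
        # Report line numbers only: echoing the match itself would copy the
        # secret into the CI log, which is exactly what sanitization avoids.
        lines=$(grep -E -n -e "$pat" -- "$file" | cut -d: -f1 | tr '\n' ' ')
        if [ -n "$lines" ]; then
            echo "possible secret matching /$pat/ at line(s): $lines" >&2
            status=1
        fi
    done
    IFS=$old_ifs
    return $status
}

# Constructed sample plans (not real Cloudrail output): one that looks
# sanitized and one whose instance resource still carries secrets.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
CLEAN_PLAN="$SAMPLE_DIR/filteredplan.json"
LEAKY_PLAN="$SAMPLE_DIR/unfiltered.json"

cat > "$CLEAN_PLAN" <<'EOF'
{"format_version":"0.1","resource_changes":[{"address":"aws_s3_bucket.logs",
 "change":{"actions":["create"],"after":{"bucket":"demo-logs","acl":"public-read"}}}]}
EOF

cat > "$LEAKY_PLAN" <<'EOF'
{"format_version":"0.1","resource_changes":[{"address":"aws_instance.web",
 "change":{"actions":["create"],"after":{"private_ip":"10.0.1.25",
 "user_data":"export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE","password":"hunter2"}}}]}
EOF

for plan in "$CLEAN_PLAN" "$LEAKY_PLAN"; do
    if check_filtered_plan "$plan"; then
        echo "$plan: clean, safe to hand to 'cloudrail run --filtered-plan'"
    else
        echo "$plan: do not upload until the findings above are resolved"
    fi
done
```

In a pipeline, point check_filtered_plan at the file written by ‘generate-filtered-plan --output-file’ and only call ‘run --filtered-plan’ when it returns 0. Note that the public-read ACL in the clean sample is not a secret and is left in place on purpose: misconfigurations like that are exactly what should reach Cloudrail for analysis; only credentials and addresses are supposed to be stripped.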

Additional notes:

  • Instead of saving the key with ‘config set’, you can set an environment variable called CLOUDRAIL_API_KEY or pass a --api-key parameter on each run.