Audit Logs for Security and Compliance or, How to set up Terraform Cloud and Splunk Integration

Kseniia Ryuma
HashiCorp Solutions Engineering Blog
5 min read · Jul 28, 2021

Infrastructure is the territory of DevOps. While the DevOps team does not build the application, it is responsible for the environments that host it, and it should therefore have an interest in audit logging as a means of tracking changes to those environments. If you are already using, or considering, Terraform Cloud for Business, this post shows the value of audit logs and how to make them readable through a Splunk dashboard.

Prerequisites

First, you will need a Terraform Cloud for Business (TFCB) subscription and a Splunk Cloud instance. After signing up with Splunk Cloud, you get 14 days of access to a trial instance. If you do not have a TFCB instance and your organization is considering one, contact the HashiCorp sales team to request access.

Setting up Splunk + Terraform Audit Logging Integration

  • After setting up your Splunk account, request a free trial by selecting “Start Trial”.
  • After requesting the free trial, you will receive an email with the subject “Welcome to Splunk Cloud Platform!” containing the login information for your Splunk Cloud instance.
  • IMPORTANT: if you did not previously have a splunk.com account, then before you can deploy the Terraform Cloud for Splunk app within your Splunk Cloud instance you first need to log out of splunk.com and log back in. This causes Splunk to send a verification email with the subject “Welcome to Splunk — Verify Your Email Address”. Click “Verify Your Email” to finish the verification process. If you skip this, authentication with your splunk.com username and password will fail when you deploy the Terraform Cloud for Splunk app.
  • Log in with the credentials from the “Welcome to Splunk Cloud Platform!” email and select “+Find More Apps”.
  • Search for “terraform” and install Terraform Cloud for Splunk.
  • When prompted for a username and password, give the splunk.com username and password you originally signed up with, not the ones from the “Welcome to Splunk Cloud Platform!” email.
  • Open the app.
  • Continue to the app setup page.
  • You will be redirected to the setup form for your TFCB input, which asks for an Input Name and an Organization Token.
  • For the “Organization Token”, create an organization API token in your TFCB organization (Organization Settings > API Tokens) and paste it into the setup form. Use your TFCB username for the “Input Name” field. Treat this token as a sensitive credential: an organization token has broad permissions across the whole organization, not just read access to the audit trail, and an organization can hold only one valid organization token at a time, so regenerating it invalidates the copy any other integration is using.
  • In the Splunk app, select Dashboard and choose a theme of your choice.
  • As a result of the integration, you will see data from Terraform being populated in the dashboard.
  • You can also open “Search” and retrieve more detailed information with the following filter:

source="terraform_cloud"

How to Use Terraform Audit Logs

Many organizations leverage audit logging to achieve and demonstrate regulatory compliance. Terraform offers rich audit logging for organizations that need to review activity on their infrastructure retrospectively. Audit logs record an event whenever a resource managed by Terraform Cloud for Business or Terraform Enterprise is changed, so teams can see who made a change and what was changed. Here is a sample of use cases from HashiCorp Terraform customers that use Terraform audit logging:

  • Basic availability metrics, such as the number of current runs, let you measure whether an organization is meeting its SLAs and SLOs.
  • Total policy check overrides: if a soft-mandatory policy fails, users with permission to override policies are presented with an “Override & Continue” button in the run. (The original post includes a screenshot of example policies applied to infrastructure here.) With access to these metrics, an organization can see who overrode a policy to proceed with an execution, and when.
  • Sentinel metrics show how new policies or policy changes affect people. If an organization notices many policy failures or overrides, it might consider educating developers or revisiting the policy evaluation itself.
  • Keeping track of destroyed infrastructure: unless the workspace settings prevent destroy plans, a user can queue a destroy and delete the workspace with all of its dependencies. Through the Splunk dashboard, one can filter by the destroy action, see which user or team was responsible, and then apply adequate measures to prevent it in the future.
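The three use cases above (run counts, policy overrides, destroyed infrastructure) are all filters over the same audit-trail events that the Splunk app ingests. The following Python script is an added example, not code from the original post, the Splunk app, or HashiCorp: it parses newline-delimited audit-trail events and produces a small triage report. The event shape (id, timestamp, auth, resource with type/action/meta) follows the Terraform Cloud audit-trail format; the sample events are constructed, and the `policy_check`/`override` type and action names used for Sentinel overrides are an assumption to verify against events in your own instance.

```python
"""Triage Terraform Cloud audit-trail events for the use cases above.

Added example, not part of the original post or the Splunk app. The event
shape (id/timestamp/auth/resource) follows the Terraform Cloud audit-trail
format; the sample events below are constructed, and the "policy_check" /
"override" type/action pair used for Sentinel overrides is an assumption:
verify the exact names against events in your own instance.
"""
import json
from collections import Counter

# Constructed sample events: one JSON object per line, as Splunk would index
# them. The last line is deliberately malformed to exercise error handling.
SAMPLE_EVENTS = """\
{"id":"evt-1","timestamp":"2021-07-27T09:00:00.000Z","type":"Resource","auth":{"accessor_id":"user-alice","description":"alice@example.com","type":"Client","organization_id":"org-demo"},"resource":{"id":"run-1","type":"run","action":"create","meta":null}}
{"id":"evt-2","timestamp":"2021-07-27T09:05:00.000Z","type":"Resource","auth":{"accessor_id":"user-alice","description":"alice@example.com","type":"Client","organization_id":"org-demo"},"resource":{"id":"pc-1","type":"policy_check","action":"override","meta":{"run_id":"run-1"}}}
{"id":"evt-3","timestamp":"2021-07-27T10:00:00.000Z","type":"Resource","auth":{"accessor_id":"user-bob","description":"bob@example.com","type":"Client","organization_id":"org-demo"},"resource":{"id":"ws-prod","type":"workspace","action":"destroy","meta":null}}
{"id":"evt-4","timestamp":"2021-07-27T10:30:00.000Z","type":"Resource","auth":{"accessor_id":"user-bob","description":"bob@example.com","type":"Client","organization_id":"org-demo"},"resource":{"id":"run-2","type":"run","action":"create","meta":null}}
not valid json at all
"""

# Assumption: the action names worth flagging as destructive.
DESTRUCTIVE_ACTIONS = {"destroy", "delete"}


def parse_events(raw):
    """Parse newline-delimited JSON, skipping lines that are not events."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: keep going rather than abort the report
        if isinstance(ev, dict) and "resource" in ev and "auth" in ev:
            events.append(ev)
    return events


def actor(ev):
    """Human-readable identity of whoever triggered the event."""
    return ev["auth"].get("description") or ev["auth"].get("accessor_id", "unknown")


def run_counts(events):
    """Basic activity metric: run-creation events per actor."""
    return Counter(actor(ev) for ev in events
                   if ev["resource"]["type"] == "run"
                   and ev["resource"]["action"] == "create")


def policy_overrides(events):
    """Who overrode a policy check, and when (type/action names assumed)."""
    return [(ev["timestamp"], actor(ev), ev["resource"].get("meta") or {})
            for ev in events
            if ev["resource"]["type"] == "policy_check"
            and ev["resource"]["action"] == "override"]


def destructive_changes(events):
    """Destroy/delete actions together with the responsible actor."""
    return [(ev["timestamp"], actor(ev), ev["resource"]["type"], ev["resource"]["id"])
            for ev in events
            if ev["resource"]["action"] in DESTRUCTIVE_ACTIONS]


def build_report(raw=SAMPLE_EVENTS):
    """Run all three checks over a raw event dump and return the results."""
    events = parse_events(raw)
    return {
        "events": len(events),
        "runs_by_actor": dict(run_counts(events)),
        "overrides": policy_overrides(events),
        "destructive": destructive_changes(events),
    }


if __name__ == "__main__":
    print(json.dumps(build_report(), indent=2, default=str))
```

The same filters can be expressed directly in the Splunk search bar; assuming Splunk's automatic JSON field extraction has produced dotted field names, a search such as `source="terraform_cloud" resource.action=destroy | stats count by auth.description` answers the “who destroyed what” question without leaving the dashboard.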

Audit logs capture events that show “who” did “what” and “how” the system behaved. With audit logs, an administrator, developer, or SRE gets a complete picture of normal and abnormal events at the organizational level. If you want more detail on how to keep your infrastructure secure and well guarded, check out the post: Embrace the change or why to consider self-service infrastructure.
