How to Scan Terraform State Files for IaC Misconfigurations
Use case: A DevSecOps engineer wants to ensure that deployed cloud infrastructure remains securely configured. By setting up Terraform repositories in Artifactory and enabling Xray indexing on the Terraform backend repository, JFrog Advanced Security automatically scans every Terraform state file that Terraform writes after a deployment for IaC misconfigurations.
Before You Begin
You need the following:
- JFrog Artifactory with Terraform repository support.
- JFrog Xray with Advanced Security enabled.
- Terraform CLI installed and configured on your workstation or CI environment.
- Permissions to create repositories in Artifactory and configure Xray indexing.
Step 1: Set Up Local Terraform Repositories
Create two local Terraform repositories in Artifactory — one for providers and one for modules.
- Navigate to Administration > Repositories > Local.
- Click New Local Repository and select Terraform as the package type.
- Create the first repository for providers (for example, terraform-providers-local).
- Repeat to create a second repository for modules (for example, terraform-modules-local).
Step 2: Set Up a Remote Terraform Repository
Create a remote Terraform repository to proxy packages from public registries.
- Navigate to Administration > Repositories > Remote.
- Click New Remote Repository and select Terraform as the package type.
- Configure the remote repository URL to point to the public Terraform registry (https://registry.terraform.io).
- Save the repository (for example, terraform-remote).
Step 3: Set Up a Virtual Terraform Repository
Create a virtual Terraform repository that aggregates your local and remote repositories.
- Navigate to Administration > Repositories > Virtual.
- Click New Virtual Repository and select Terraform as the package type.
- Add the local provider repository, local modules repository, and remote repository to the virtual repository's resolution order. List the local repositories before the remote one so that packages you publish internally are resolved before anything is fetched from the public registry.
- Save the repository (for example, terraform-virtual).
Step 4: Set Up a Local Terraform Backend Repository and Enable Xray Indexing
Create a local Terraform backend repository where Terraform stores state files after deployment, and enable Xray indexing on it. State files usually contain sensitive values in plaintext (resource attributes, outputs, and sometimes credentials), so restrict read access to this repository to the identities that run Terraform.
- Navigate to Administration > Repositories > Local.
- Click New Local Repository and select Terraform Backend as the package type.
- Save the repository (for example, terraform-backend-local).
- Navigate to Administration > Xray Settings > Indexed Resources.
- Click Add a Repository and select the Terraform backend repository you created.
- Save to enable indexing.
Once indexing is enabled, Xray and Advanced Security scan every state file deployed to this repository.
Step 5: Configure Terraform Client to Use Artifactory
Configure your Terraform CLI to resolve providers and modules through Artifactory.
- In the Artifactory UI, navigate to the virtual Terraform repository you created.
- Click Set Me Up.
- Follow the configuration instructions to point your Terraform client at Artifactory for provider and module resolution.
Step 6: Configure Terraform Backend with Artifactory
Configure Terraform to store state files in the Artifactory backend repository.
- In the Artifactory UI, navigate to the Terraform backend repository you created.
- Click Set Me Up.
- Follow the configuration instructions to configure the Terraform backend block in your Terraform configuration files.
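As an added illustration of what Steps 5 and 6 produce (this is not the page's own Set Me Up output, and Set Me Up shows the exact values for your instance), the CLI configuration file and the project configuration might look as follows. The repository keys are the examples used in this page; the hostname artifactory.example.com, the token placeholder, the workspace prefix, the module namespace and the "<repo-key>__<namespace>" module source layout are assumptions.

```hcl
# ~/.terraformrc  (Terraform CLI configuration; host and token are placeholders)
# Route provider downloads through the virtual repository instead of the public
# registry, so every provider is proxied, cached and indexed by Artifactory.
provider_installation {
  network_mirror {
    url = "https://artifactory.example.com/artifactory/api/terraform/terraform-virtual/providers/"
  }
  direct {
    exclude = ["registry.terraform.io/*/*"]   # no silent fallback to the public registry
  }
}

# Credentials for the Artifactory host, used both for provider/module resolution
# and for the state backend below. Prefer a scoped access token over a password.
credentials "artifactory.example.com" {
  token = "<artifactory-access-token>"
}

# main.tf  (project configuration)
terraform {
  # Store state in the Terraform Backend repository so Xray indexes it after apply.
  # The "remote" backend is used with the backend repository key as the organization
  # (assumed layout; copy the exact block from Set Me Up on the backend repository).
  backend "remote" {
    hostname     = "artifactory.example.com"
    organization = "terraform-backend-local"
    workspaces {
      prefix = "prod-"   # assumed prefix; one state file per workspace, e.g. prod-network
    }
  }
}

# Modules are resolved through the virtual repository as well. The
# "<repo-key>__<namespace>/<module>/<provider>" source form is an assumption
# about the path layout; copy the exact form from Set Me Up on the virtual repository.
module "network" {
  source  = "artifactory.example.com/terraform-virtual__acme/network/aws"
  version = "~> 1.2"
}
```

Run terraform init first: it validates the CLI configuration, authenticates to the backend and fetches providers and modules through terraform-virtual, so a misconfigured mirror URL or token fails here rather than during terraform apply.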
Results
After completing the setup:
- When you run terraform init, providers and modules are resolved through Artifactory.
- When you run terraform apply, the resulting state file is deployed to the backend Terraform repository in Artifactory.
- Xray automatically indexes the state file and Advanced Security scans it for IaC misconfigurations.
- Scan results are available in the JFrog Platform under Xray > Scan Results, showing any cloud misconfigurations detected in your deployed infrastructure.
For more information on the types of misconfigurations detected, see Misconfigurations Scans.
