This repo is a proof of concept for threat modelling IaC (infrastructure as code).
- Since Claude Code seems to be the de facto standard these days, we took a stab at a Claude Code "skill" that uses pytm for STRIDE analysis of Terraform. Testing it against real Terraform showed that pytm's threat library produces application-level threats (XSS, SQLi, etc.) rather than infrastructure misconfigurations, which is what an IaC review needs. See FINDINGS.md for details.
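FINDINGS.md reports that the pytm output is dominated by application-level threats; the kind of infrastructure misconfiguration it does not surface looks like the following. This is an added example, not code from this repo or from pytm: a minimal scanner that walks `aws_security_group` and `aws_instance` resources in a constructed Terraform snippet and maps world-reachable admin ports, all-ports rules and public IPs onto STRIDE categories. The HCL handling is a deliberately small regex-and-brace matcher rather than a real HCL parser (it ignores variables, modules and `dynamic` blocks), and the sample resources, admin-port list and STRIDE mapping are assumptions chosen for the demo.

```python
import re
from collections import namedtuple

# Constructed sample loosely modelled on a two-tier layout. It is NOT the repo's
# aws_two_tier.tf; every resource name and value here is invented for the demo.
SAMPLE_TF = '''
resource "aws_security_group" "web_sg" {
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
resource "aws_security_group" "db_sg" {
  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    ipv6_cidr_blocks = ["::/0"]
  }
}
resource "aws_instance" "web" {
  associate_public_ip_address = true
}
'''

WORLD = {"0.0.0.0/0", "::/0"}                 # "anywhere" source CIDRs
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}  # assumed list
RESOURCE_RE = re.compile(r'resource\s+"([^"]+)"\s+"([^"]+)"\s*\{')
Finding = namedtuple("Finding", "resource stride detail")

def _block_body(text, start):
    """Text inside the brace block whose '{' sits at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces")

def _nested(body, key):
    """Bodies of every nested `key { ... }` block, e.g. each ingress rule."""
    return [_block_body(body, m.end() - 1) for m in re.finditer(rf"\b{key}\s*\{{", body)]

def _attr(body, key):
    """Value of a `key = value` line, with surrounding quotes stripped."""
    m = re.search(rf"^\s*{key}\s*=\s*(.+?)\s*$", body, re.M)
    return m.group(1).strip('"') if m else None

def _cidrs(rule):
    raw = (_attr(rule, "cidr_blocks") or "") + (_attr(rule, "ipv6_cidr_blocks") or "")
    return set(re.findall(r'"([^"]+)"', raw))

def check_security_group(name, body):
    out = []
    for rule in _nested(body, "ingress"):
        if not _cidrs(rule) & WORLD:
            continue  # internal-only source: not an exposure finding
        lo, hi = int(_attr(rule, "from_port") or 0), int(_attr(rule, "to_port") or 0)
        if _attr(rule, "protocol") == "-1" or (lo, hi) == (0, 65535):
            out.append(Finding(name, "Elevation of Privilege",
                               "all ports and protocols open to the internet"))
            continue
        for port, svc in ADMIN_PORTS.items():
            if lo <= port <= hi:  # 80/443 to the world is expected for a web tier
                out.append(Finding(name, "Elevation of Privilege",
                                   f"{svc} ({port}) reachable from the internet"))
    return out

def check_instance(name, body):
    if _attr(body, "associate_public_ip_address") == "true":
        return [Finding(name, "Information Disclosure",
                        "directly internet-addressable; confirm traffic is forced through the firewall tier")]
    return []

CHECKS = {"aws_security_group": check_security_group, "aws_instance": check_instance}

def scan(text):
    """Run the per-type checks over every top-level resource block in `text`."""
    findings = []
    for m in RESOURCE_RE.finditer(text):
        check = CHECKS.get(m.group(1))
        if check:
            findings.extend(check(f"{m.group(1)}.{m.group(2)}", _block_body(text, m.end() - 1)))
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_TF):
        print(f"[{f.stride}] {f.resource}: {f.detail}")
```

On the sample this reports SSH open to the world on `web_sg` (the 443 rule is left alone), the all-ports IPv6 rule on `db_sg`, and the public IP on the instance; a rule sourced from a private CIDR produces nothing. These are exactly the findings that come from the wiring between resources rather than from the data flows a pytm model describes, which is why a pytm-only skill does not emit them.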
```text
skill/                            # Skill source
.claude/skills/skill/             # Deployed copy for Claude Code
terraform-templates/
  aws_two_tier/                   # Test target: Palo Alto firewall + WordPress on AWS
    aws_two_tier.tf               # Main infra (VPC, subnets, firewall, web server, EIPs)
    aws_vars.tf                   # Variables and AMI region maps
    terraform.tfvars              # Default values
    check_fw.sh                   # Firewall readiness poller
    webserver_config_amzn_ami.sh
    aws_two_tier_tm.py            # Generated pytm threat model
```
```bash
# Install dependencies
uv add pytm

# Run the generated threat model
uv run python terraform-templates/aws_two_tier/aws_two_tier_tm.py --list

# Generate DFD (requires graphviz)
uv run python terraform-templates/aws_two_tier/aws_two_tier_tm.py --dfd | dot -Tpng -o dfd.png

# Export as JSON
uv run python terraform-templates/aws_two_tier/aws_two_tier_tm.py --json threats.json
```