Securely Deploying Terraform

Chris Ayers

Senior Customer Engineer
Microsoft

Twitter: @Chris_L_Ayers
Mastodon: @Chrisayers@hachyderm.io
LinkedIn: - chris-l-ayers
Blog: https://chris-ayers.com/
GitHub: Codebytes

Agenda



  • What is IaC?

  • Security Tooling

    • Rules & Customization

    • Workflow

  • Integration

    • Precommit hook

    • VSCode Integration

    • GitHub Actions

What is IaC?

Infrastructure as code (IaC) is a way to manage and provision infrastructure resources using configuration files and automation tools.
The goal of IaC is to make it easier to deploy and manage infrastructure in a repeatable, reliable way, and to reduce the risk of errors caused by manual configuration.

Security Tooling

Running static analysis security testing (SAST) tools against infrastructure as code (IaC) is a way to ensure that the infrastructure being provisioned is secure and compliant with best practices.

Why run Security Tooling?

To catch security issues early

To ensure compliance

To improve the security of your infrastructure

To save time and effort by shifting Left

Security and Compliance

There have been multiple breaches and attacks due to misconfiguration.
Vulnerabilities can be a simple omitted property.

OWASP Top 10

Shift Left on Security

Save time and money

We can't just do security in production after everything is built, we need to go into solutions with security baked in.

Security Tooling - Terraform

Each of these tools does similar things and are SAST (Static Analysis Security Tooling).
With Terraform you can analyze in a few ways.

  1. HCL files
  2. Terraform Plan

Security Tooling - OSS


There are many open-source tools as well as commercial solutions. We can integrate these tools in our local environments as well as our pipelines to secure things earlier.
Feature tfsec terrascan checkov
CI/CD Yes Yes Yes
Rules 100+ 100+ 100+
Custom Rules Yes Yes Yes
Whitelist Rules Yes Yes Yes
Ignore Rules Yes Yes Yes

Rule customization

  • Ignoring rules
  • Overriding rules
  • Add custom rules

tfsec

tfsec is a static analysis security scanner for your Terraform code supported by Aquasecurity.

Designed to run locally and in your CI pipelines, developer-friendly output and fully documented checks.

  • OPA/Rego Policies
  • VS Code Extension
  • GitHub Actions

Terrascan

Terrascan has support for Terraform, Azure, GCP, AWS, Kubernetes (manifests, Helm, Kustomize), Docker and even GitHub. Supported by Tenable and now integrated into nessus.

Terrascan has a large number of built in policies as well as support for custom OPA/Rego Policies.

Checkov

Checkov is another tool that lets us do scanning and compliance.

Checkov is by BridgeCrew and python based. Checkov, like terrascan, supports Terraform, Azure, GCP, AWS, Kubernetes (manifests, Helm, Kustomize) and Docker.

Bonus Tool - Terraform Compliance

https://terraform-compliance.com/

BDD and Cucumber testing

You Can Use Multiple Tools

Defense in Depth

Because these tools are independent and all scan the raw HCL or interpreted HCL, you can get different rules and potentially better compliance.

You can also hit a Signal to Noise problem.

Workflow Options

  • Pre-Commit Hooks
  • IDE Integration
  • CI/CD Integration

Pre-Commit Hooks

Pre-commit Hooks run before code gets committed to a git repo.
You do it yourself or use the Pre-Commit Framework.


center

IDE Integration

Pipeline integration

DEMOS

Backend providers

Overriding backend provider configuration

  • Check docs
  • Use environment vars

Open ID Connect (OIDC) Auth

No more passwords
Auth is claims based on repo, environment, branch..

Demos

Questions

Contact

Twitter: @Chris_L_Ayers
Mastodon: @Chrisayers@hachyderm.io
LinkedIn: - chris-l-ayers
Blog: https://chris-ayers.com/
GitHub: Codebytes

custom rules: tfsec --rego-policy-dir ./tfsec_rego_policies/ ./custom_checks_examples/keyvault/