Lab Steps

Logging in to the Amazon Web Services Console
Opening the AWS Cloud9 IDE
Understanding the Infrastructure as Code Project
Using Terraform's Built-In Analysis Capabilities
Working with TFLint
Working With Terrascan
Configuring the Jenkins Automation Server
Triggering Jenkins Builds
Creating and Subscribing to an SNS Topic
Receiving Build Alerts

Introduction

Terrascan is another open-source static analysis tool for Terraform configurations. Terrascan focuses on security best practices, and the 0.1.0 release installed in this Lab Step checks only AWS resources. Cloud environments often have security auditing tools that check the security of environments that are already running, for example AWS Config and Microsoft Azure's Security Center. Third-party auditing tools such as Scout2 for AWS and G-Scout for Google Cloud perform a variety of security checks on active environments as well. Terrascan is different in that it aims to find insecure settings before the environment is created, while the configuration is still code under review. Both kinds of tools are useful and both belong in a defense-in-depth strategy: a static scan cannot see changes made outside Terraform after deployment, and a runtime audit cannot stop a bad configuration from being deployed in the first place.

You will install and use Terrascan to check the security of the sample Terraform IaC environment in this Lab Step.

 

Instructions

1. Enter the following commands to install Terrascan in a Python virtual environment:

cd
virtualenv scan
source scan/bin/activate
pip install -Iv terrascan==0.1.0
cd environment/tf


You can ignore the red error message since it does not affect your ability to use Terrascan. You will see (scan) at the beginning of your shell prompt, indicating that the scan virtual environment is active. The -I flag makes pip ignore any already installed copies of the packages and -v makes the output verbose. The virtual environment avoids dependency conflicts with pre-installed Python packages and uses Python 3 instead of the system default of Python 2.

 

2. List the options for Terrascan:

terrascan -h


The only options are the location of the configuration files to scan and the tests to perform. The supported test groups are encryption, logging_and_monitoring, public_exposure, and security_group. You can also specify all to run every test group. The names of the test groups show the security focus of Terrascan.

 

3. Run the Terrascan security group tests:

terrascan --location . --tests security_group


Terrascan ran 5 tests in the security_group group and one failed. The test_aws_security_group_inline_rule_open test failed because the ingress cidr_blocks list for the load balancer's security group includes all IPv4 addresses (0.0.0.0/0), so incoming traffic can originate from anywhere. That carries risk, but for a public website the load balancer must accept connections from any client, so it is an accepted risk here. Before accepting a finding like this in your own projects, confirm that the open rule is limited to the ports the load balancer actually serves and that the instances behind it accept traffic only from the load balancer's security group rather than from 0.0.0.0/0 as well. Neither Terraform nor TFLint reported this issue. You will not correct any of the issues Terrascan raises in this Lab. Terrascan returns a non-zero exit code when any test fails, which lets an automation job, such as the Jenkins build you configure later in this Lab, fail the build on a failed check.

 

4. Deactivate the virtual environment:

deactivate
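As an added illustration of what the failed check in step 3 is looking for (this is example code written for this page, not Terrascan's own source and not part of the Lab's files), the following Python script re-creates in simplified form the test_aws_security_group_inline_rule_open logic: it walks each aws_security_group resource, parses its inline ingress blocks, and reports every rule whose cidr_blocks admit 0.0.0.0/0 (or ::/0). It goes one step beyond the Lab by separating the finding the Lab accepts (a public load balancer on web ports) from one that should fail the build, and it exits non-zero in that case, the same exit-code contract that makes Terrascan usable in automation. The Terraform sample, the security group names, the second "admin" group, and the set of accepted ports (80 and 443) are all constructed for this example.

```python
"""Simplified stand-in for Terrascan's inline open-ingress check (example code)."""
import re
import sys

# Constructed sample in the shape of the Lab's Terraform: a load balancer
# security group open to the world on port 80, plus a hypothetical admin
# group that also exposes SSH to 0.0.0.0/0. Not the Lab's actual files.
SAMPLE_TF = '''
resource "aws_security_group" "lb" {
  name = "lb-sg"
  ingress {
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_security_group" "admin" {
  name = "admin-sg"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8", "0.0.0.0/0"]
  }
}
'''

# CIDRs that mean "any source"; ::/0 is the IPv6 equivalent (ipv6_cidr_blocks).
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}
# Assumption for this example: the only ports a public web tier may expose.
ACCEPTED_PUBLIC_PORTS = {80, 443}

RESOURCE_RE = re.compile(r'resource\s+"aws_security_group"\s+"([^"]+)"\s*\{')
INGRESS_RE = re.compile(r"\bingress\s*\{")


def _block_body(text, open_idx):
    """Return the text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in Terraform source")


def _ingress_rules(sg_body):
    """Parse each inline ingress block into ports, protocol and CIDR lists."""
    for m in INGRESS_RE.finditer(sg_body):
        rule = _block_body(sg_body, m.end() - 1)
        ports = {k: int(v) for k, v in re.findall(r"(from_port|to_port)\s*=\s*(\d+)", rule)}
        proto = re.search(r'protocol\s*=\s*"([^"]+)"', rule)
        cidrs = []
        for key in ("cidr_blocks", "ipv6_cidr_blocks"):
            lst = re.search(r"\b" + key + r"\s*=\s*\[([^\]]*)\]", rule)
            if lst:
                cidrs += re.findall(r'"([^"]+)"', lst.group(1))
        yield {
            "from_port": ports.get("from_port", 0),
            "to_port": ports.get("to_port", 0),
            "protocol": proto.group(1) if proto else "-1",
            "cidrs": cidrs,
        }


def open_ingress_findings(tf_text):
    """One finding per inline ingress rule whose source includes the whole internet.

    Returns tuples (sg_name, from_port, to_port, accepted); accepted is True only
    when the rule exposes nothing beyond ACCEPTED_PUBLIC_PORTS.
    """
    findings = []
    for m in RESOURCE_RE.finditer(tf_text):
        name = m.group(1)
        body = _block_body(tf_text, m.end() - 1)
        for rule in _ingress_rules(body):
            if not OPEN_CIDRS.intersection(rule["cidrs"]):
                continue
            lo, hi = rule["from_port"], rule["to_port"]
            # protocol "-1" (all) or ports 0-0 means every port: never acceptable.
            all_ports = rule["protocol"] == "-1" or (lo, hi) == (0, 0)
            accepted = not all_ports and set(range(lo, hi + 1)) <= ACCEPTED_PUBLIC_PORTS
            findings.append((name, lo, hi, accepted))
    return findings


def exit_code(findings):
    """0 when every open rule is on the accepted list, else 1: the same
    non-zero-on-failure contract that lets Terrascan fail a CI job."""
    return 0 if all(f[3] for f in findings) else 1


if __name__ == "__main__":
    results = open_ingress_findings(SAMPLE_TF)
    for sg, lo, hi, ok in results:
        print(f"{sg}: ingress {lo}-{hi} open to the internet -> {'accepted' if ok else 'FAILED'}")
    sys.exit(exit_code(results))
```

Run with python3: the lb rule is reported as accepted, the admin rule as failed, and the exit status is 1, which is what a Jenkins job would key off. As the test name suggests, this only inspects ingress blocks nested inside aws_security_group, not separate aws_security_group_rule resources, and the accept list is this example's own policy, not something Terrascan 0.1.0 provides.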

 

Summary

In this Lab Step, you used an open-source, security-focused, static analysis tool for Terraform named Terrascan. You learned about the types of checks that Terrascan can perform, and how it can be used in automation.