Working With Terrascan
Terrascan is another open-source, static analysis tool for Terraform configurations. Terrascan is focused more on security best practices and only supports AWS resources. Cloud environments often have security auditing tools to check the security of active environments. Some examples are AWS Config and Microsoft Azure's Security Center. There are also third-party auditing tools that can perform a variety of security checks on your active environments such as Scout2 for AWS and G-Scout for Google Cloud. Terrascan is different in that it aims to secure your environment even before it is created. Both kinds of tools are useful and both are an essential part of a defense-in-depth security strategy.
You will install and use Terrascan to check the security of the sample Terraform IaC environment in this Lab Step.
1. Enter the following commands to install Terrascan in a Python virtual environment:
pip install -Iv terrascan==0.1.0
You can ignore the red error message since it does not impact your ability to use Terrascan. You will see (scan) at the beginning of your shell prompt to indicate you are using the scan virtual environment. The virtual environment avoids any dependency conflicts with pre-installed Python packages, and uses Python version 3 instead of the system default of Python version 2.
2. List the options for Terrascan:
terrascan -h
The options are simply the location of the configuration files to scan and the tests to perform. The supported test groups are encryption, logging_and_monitoring, public_exposure, and security_group. You can also specify all to run all of the test groups. You can appreciate the security focus of Terrascan based on the test groups.
3. Run the Terrascan security group tests:
terrascan --location . --tests security_group
The output reports that the test group Ran 5 tests and that one test FAILED. The test_aws_security_group_inline_rule_open test failed because the ingress cidr_blocks array for the load balancer's security group includes all IPv4 addresses (0.0.0.0/0), meaning incoming traffic can originate from anywhere. That carries risk, but for the website being deployed it is an acceptable risk. Neither Terraform nor TFLint raised this warning. You will not correct any potential issues raised by Terrascan in this Lab. Terrascan returns a non-zero exit code if any test fails, which makes it suitable for automation, such as failing a pipeline stage.
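As an added illustration (not Terrascan's own code and not the lab's files), the following Python reimplements the gist of the failing check: it walks the aws_security_group resources in a Terraform JSON-syntax document and flags every inline ingress rule whose cidr_blocks contain a prefix covering the whole address space. The sample document, the function names and the resource names are constructed for this example; checking ipv6_cidr_blocks for ::/0 goes beyond the IPv4-only finding described above.

```python
import ipaddress
import json

# Constructed Terraform JSON-syntax (.tf.json) snippet standing in for the lab's
# load-balancer configuration; it is not the lab's own file.
SAMPLE_TF_JSON = """
{
  "resource": {
    "aws_security_group": {
      "lb": {
        "name": "lb-sg",
        "ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp",
                     "cidr_blocks": ["0.0.0.0/0"]}]
      },
      "web": {
        "name": "web-sg",
        "ingress": {"from_port": 80, "to_port": 80, "protocol": "tcp",
                    "cidr_blocks": ["10.0.0.0/16"]}
      }
    }
  }
}
"""

def _as_list(value):
    """Terraform JSON syntax allows a single block or a list of blocks."""
    return [] if value is None else value if isinstance(value, list) else [value]

def is_open_to_world(cidr):
    """True for a prefix covering the whole address space (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # not a literal CIDR (e.g. a variable reference): skip it

def find_open_ingress_rules(tf_json_text):
    """Return (group_name, cidr) for each inline ingress rule of an
    aws_security_group whose cidr_blocks/ipv6_cidr_blocks contain a /0 prefix."""
    doc = json.loads(tf_json_text)
    groups = doc.get("resource", {}).get("aws_security_group", {})
    findings = []
    for name, body in groups.items():
        for rule in _as_list(body.get("ingress")):
            for key in ("cidr_blocks", "ipv6_cidr_blocks"):
                for cidr in rule.get(key, []):
                    if is_open_to_world(cidr):
                        findings.append((name, cidr))
    return findings
```

Running find_open_ingress_rules(SAMPLE_TF_JSON) returns [("lb", "0.0.0.0/0")]: the load-balancer group is reported, the internal-only web group is not.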
4. Deactivate the virtual environment:
In this Lab Step, you used an open-source, security-focused, static analysis tool for Terraform named Terrascan. You learned about the types of checks that Terrascan can perform, and how it can be used in automation.