12.1. Terraform
12.1.1. Static Code Analyzer with TFLint
As your Terraform codebase grows, it becomes more prone to errors, and those errors can be nasty.
To analyze your files, use TFLint.
TFLint is a linting tool that checks for common smells and issues before you even run your code.
You can also define custom rules to tailor it to your team's standards.
tflint
Error: "type_abc" is an invalid value as instance_type (aws_instance_invalid_type)
on main.tf line 15:
15: instance_type = "invalid_type"
When you run TFLint, you receive an error message indicating that the instance_type value is invalid.
TFLint identifies this issue without applying the Terraform configuration, so you catch the error early in your development workflow.
12.1.2. Check for Security Risks with Tfsec
To check your Terraform files for common security issues, use tfsec.
tfsec is a static code analyzer that detects security risks using hundreds of built-in rules.
It is easy to set up and run, and it fits well into CI pipelines.
brew install tfsec
tfsec .
Result #1 CRITICAL Storage account uses an insecure TLS version.
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
deployment/modules/storage_account/main.tf:1-8
via deployment/main.tf:23-28 (module.storage_account)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 resource "azurerm_storage_account" "storage_account" {
2 name = var.account_name
3 resource_group_name = var.resource_group_name
4 location = var.location
5 account_kind = "Storage"
6 account_tier = "Standard"
7 account_replication_type = "LRS"
8 }
12.1.3. Generate Least Privileges with Pike
When managing your infrastructure, follow the Principle of Least Privilege (PoLP).
PoLP says that a user should have only the minimum level of access required for a particular resource to function correctly.
For infrastructure managed by Terraform, you can use Pike.
Pike is a tool that determines, with one command, the minimum permissions required to run your Terraform code.
It supports the big cloud providers (Azure, AWS, GCP).
Check it out: https://github.com/JamesWoolfenden/pike
!brew tap jameswoolfenden/homebrew-tap
!brew install jameswoolfenden/tap/pike
pike scan -d .\terraform\
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": [
"ec2:MonitorInstances",
"ec2:UnmonitorInstances",
"ec2:DescribeInstances",
"ec2:DescribeTags",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeVolumes",
"ec2:DescribeInstanceTypes",
"ec2:RunInstances",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:ModifyInstanceAttribute",
"ec2:TerminateInstances",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:DescribeAccountAttributes",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress"
],
"Resource": "*"
}
}
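Pike tells you which actions the code needs, but the policy it prints grants them on Resource "*", so the output is the start of a review rather than the end of one. The Python below is an added example written for this page, not part of Pike: it takes a constructed broad policy (the kind typically attached to a deploy role), a Pike-style minimal policy, and a constructed action catalogue, expands wildcards such as ec2:* against that catalogue, and reports which granted actions the Terraform code never needs, plus the statements whose resource is still a wildcard and must be scoped to ARNs by hand.

```python
"""Compare a role's current IAM policy with the least-privilege policy that
`pike scan` printed, to find actions the Terraform code never needs.

Added example, not part of Pike. Both policies and the action catalogue are
constructed samples; the Pike policy keeps the shape Pike prints (a single
Statement object with an Action list and Resource "*").
"""
import fnmatch
import json

# Constructed: the broad policy attached to the deploy role today.
CURRENT_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::deploy-artifacts/*"}
  ]
}
""")

# Constructed: the minimum Pike reported for the Terraform code (shortened).
PIKE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": ["ec2:RunInstances", "ec2:DescribeInstances", "ec2:TerminateInstances"],
    "Resource": "*"
  }
}
""")

# Constructed catalogue used to expand wildcards such as "ec2:*". In a real
# review you would load the full action list of each service instead.
KNOWN_ACTIONS = frozenset({
    "ec2:RunInstances", "ec2:DescribeInstances", "ec2:TerminateInstances",
    "ec2:CreateVpc", "ec2:DeleteVpc", "iam:PassRole", "s3:GetObject",
})


def statements(policy):
    """IAM accepts Statement as one object or a list; always return a list."""
    st = policy["Statement"]
    return st if isinstance(st, list) else [st]


def allowed_actions(policy, catalogue=KNOWN_ACTIONS):
    """Expand the Action patterns of every Allow statement against the catalogue.
    IAM matches action names case-insensitively, so compare lower-cased."""
    actions = set()
    for st in statements(policy):
        if st.get("Effect") != "Allow":
            continue
        patterns = st.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        for pat in patterns:
            actions.update(a for a in catalogue
                           if fnmatch.fnmatchcase(a.lower(), pat.lower()))
    return actions


def excess_actions(current, required, catalogue=KNOWN_ACTIONS):
    """Actions the current policy grants that the Pike policy does not need."""
    return sorted(allowed_actions(current, catalogue) - allowed_actions(required, catalogue))


def missing_actions(current, required, catalogue=KNOWN_ACTIONS):
    """Actions Pike says are needed but the current policy does not grant."""
    return sorted(allowed_actions(required, catalogue) - allowed_actions(current, catalogue))


def wildcard_resource_statements(policy):
    """Indices of statements whose Resource is "*" or contains a wildcard.
    Pike emits "*", and these still have to be scoped to ARNs by hand."""
    flagged = []
    for idx, st in enumerate(statements(policy)):
        res = st.get("Resource", [])
        if isinstance(res, str):
            res = [res]
        if any("*" in r for r in res):
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    print("excess :", excess_actions(CURRENT_POLICY, PIKE_POLICY))
    print("missing:", missing_actions(CURRENT_POLICY, PIKE_POLICY))
    print("Pike statements with wildcard resources:",
          wildcard_resource_statements(PIKE_POLICY))
```

Run against the constructed data, the excess list is what you would strip from the deploy role (ec2:CreateVpc, ec2:DeleteVpc, iam:PassRole, s3:GetObject), the missing list is empty, and the Pike statement is flagged because its resource is still "*". Feeding the real pike scan output into PIKE_POLICY and the role's attached policy into CURRENT_POLICY makes the same comparison for your own code.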
12.1.4. Static Code Analysis Tool for IaC with checkov
Catch security problems in your Terraform code before they reach production.
This is easy to do with checkov.
checkov is a static code analysis tool for IaC with over 1000 policies.
As a CLI tool it is perfect for CI/CD pipelines.
!pip install checkov
!checkov --directory /user/path/to/iac/code
# check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
# FAILED for resource: aws_s3_bucket.customer
# File: /tf/tf.json:0-0
# Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning
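All three scanners on this page (TFLint, tfsec and checkov) can emit JSON, and in a pipeline you normally want one gate that reads those reports and decides whether the build fails, instead of three ad-hoc grep commands. The Python below is an added example written for this page, not part of any of the tools: it parses a constructed, cut-down sample of each tool's JSON output (following the shape of tflint --format json, tfsec --format json and checkov -o json as this example assumes it; confirm the field names against the versions you run), normalises them into one finding type, applies a severity threshold, and lets a baseline of reviewed findings pass. Open-source checkov leaves severity null, so the gate treats a missing severity as blocking rather than silently ignoring it.

```python
"""CI gate that normalises TFLint, tfsec and checkov JSON output into one list
of findings and decides whether the pipeline should fail.

Added example: glue code written for this page, not part of any of the three
tools. The three JSON samples are constructed and cut down to the fields used
here; they follow the output of `tflint --format json`, `tfsec --format json`
and `checkov -o json` as this example assumes it, so check the shape against
the versions you run.
"""
import json
from dataclasses import dataclass

TFLINT_JSON = """{"issues": [{"rule": {"name": "aws_instance_invalid_type", "severity": "error"},
  "message": "invalid_type is an invalid value as instance_type",
  "range": {"filename": "main.tf", "start": {"line": 15, "column": 19}}}], "errors": []}"""

TFSEC_JSON = """{"results": [{"rule_id": "azure-storage-use-secure-tls-policy", "severity": "CRITICAL",
  "description": "Storage account uses an insecure TLS version.",
  "resource": "module.storage_account:azurerm_storage_account.storage_account",
  "location": {"filename": "deployment/modules/storage_account/main.tf",
               "start_line": 1, "end_line": 8}}]}"""

# Open-source checkov leaves "severity" null (it is only filled with a
# Prisma Cloud API key), so the gate has to handle that case explicitly.
CHECKOV_JSON = """{"check_type": "terraform", "results": {"passed_checks": [], "skipped_checks": [],
  "failed_checks": [{"check_id": "CKV_AWS_21", "severity": null,
    "check_name": "Ensure all data stored in the S3 bucket have versioning enabled",
    "resource": "aws_s3_bucket.customer", "file_path": "/tf/tf.json",
    "file_line_range": [0, 0]}]}}"""

# UNKNOWN ranks with CRITICAL so a finding without a severity fails closed.
RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4, "UNKNOWN": 4}
TFLINT_SEVERITY = {"notice": "LOW", "warning": "MEDIUM", "error": "HIGH"}


@dataclass(frozen=True)
class Finding:
    tool: str
    rule: str
    severity: str
    resource: str
    file: str
    line: int
    message: str

    @property
    def key(self) -> str:
        """Stable id used to accept an already reviewed finding via a baseline."""
        return f"{self.tool}:{self.rule}:{self.resource}"


def parse_tflint(text):
    data = json.loads(text)
    return [Finding("tflint", i["rule"]["name"],
                    TFLINT_SEVERITY.get(i["rule"].get("severity", ""), "UNKNOWN"),
                    "", i["range"]["filename"], i["range"]["start"]["line"],
                    i["message"]) for i in data.get("issues", [])]


def parse_tfsec(text):
    data = json.loads(text)
    return [Finding("tfsec", r["rule_id"], (r.get("severity") or "UNKNOWN").upper(),
                    r.get("resource", ""), r["location"]["filename"],
                    r["location"]["start_line"], r["description"])
            for r in data.get("results") or []]  # tfsec prints null when clean


def parse_checkov(text):
    data = json.loads(text)
    reports = data if isinstance(data, list) else [data]  # a list when several frameworks ran
    out = []
    for rep in reports:
        for c in rep["results"].get("failed_checks", []):
            out.append(Finding("checkov", c["check_id"],
                               (c.get("severity") or "UNKNOWN").upper(),
                               c.get("resource", ""), c.get("file_path", ""),
                               c.get("file_line_range", [0])[0], c["check_name"]))
    return out


def blocking_findings(findings, min_severity="HIGH", baseline=frozenset()):
    """Findings that should fail the build: at or above the threshold and
    not accepted in the baseline (keys of findings reviewed earlier)."""
    threshold = RANK[min_severity]
    return [f for f in findings
            if f.key not in baseline and RANK[f.severity] >= threshold]


def run_gate(min_severity="HIGH", baseline=frozenset()):
    findings = parse_tflint(TFLINT_JSON) + parse_tfsec(TFSEC_JSON) + parse_checkov(CHECKOV_JSON)
    return blocking_findings(findings, min_severity, baseline)


if __name__ == "__main__":
    blocked = run_gate(baseline=frozenset({"checkov:CKV_AWS_21:aws_s3_bucket.customer"}))
    for f in blocked:
        print(f"{f.severity:8} {f.tool}:{f.rule} {f.file}:{f.line} {f.message}")
    raise SystemExit(1 if blocked else 0)
```

With the constructed samples and no baseline, all three findings block the build; accepting the checkov finding in the baseline leaves the TFLint error and the tfsec CRITICAL result, and raising the threshold to CRITICAL drops the TFLint error but keeps the severity-less checkov finding because the gate fails closed. In a real pipeline you would replace the sample strings with the files each tool wrote and keep the baseline under version control so that accepted findings are reviewed like code.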