Terrascan is a standalone application that can perform tests on Terraform templates and ensure that best practices are being applied. Terrascan has modules to detect the most common types of misconfiguration.

Problem Statement:

Access keys & initial passwords in the terraform state files, public exposure of a resource and misconfigured security groups are the most common security loopholes that go unnoticed while using terraform. While there are cloud native services like AWS SCP’s, Azure Policies and HashiCorp Sentinel which are used as reactive controls while applying infrastructure as a code. But they lack detective control capability. Let’s say you have 1000’s of templates, modules and you have to scan the entire code repository to identify potential security misconfigurations.

In this article, I will explain Terrascan, which is an open-source application that can do static code scan on all your code repositories to find defined security issues in your entire code base.

First, lets discuss about Terraform validate: Validate is one of the options which can be used as part of the Terraform command line interface (CLI). This is used to validate the syntax of Terraform files and can be used to identify a range of issues, such as invalid module names or missing requirements. It is important to note that this command does not check the format of Terraform files, such as the use of tabs, spaces and newlines. So, terraform validate can help you to properly syntax .tf files and can be used in the code cleaning process, which is very important activity to consider if you are taking up terraform code scanning activity.

Install Terrascan:

$ curl --location https://github.com/accurics/terrascan/releases/download/v1.3.3/terrascan_1.3.3_Darwin_x86_64.tar.gz --output terrascan.tar.gz

$ tar -xvf terrascan.tar.gz
 x CHANGELOG.md
 x LICENSE
 x README.md
 x terrascan

$ install terrascan /usr/local/bin

$ terrascan

How Terrascan works?

Let’s analyze a Terraform configuration file that has been deliberately misconfigured. The misconfigurations will show either non-optimal settings or settings that could introduce potential security flaws.

provider "aws" { 

}

data "aws_s3_bucket" "log_bucket" {
 bucket = "log-bucket"
}

resource "aws_s3_bucket" "bucket" {
 bucket = "my_insecure_bucket"
 acl = "public-read"
}
data "aws_vpc" "vpc" {
 tags = {
 Name = "my_vpc"
 }
}
resource "aws_security_group" "a" {
 name = "a"
 vpc_id = "${data.aws_vpc.vpc.id}"
}
resource "aws_security_group_rule" "public-80" {
 description = "Public"
 type  = "ingress"
 from_port = 80
 to_port = 80
 protocol = "tcp"
 security_group_id = "${aws_security_group.a.id}"
 cidr_blocks = ["0.0.0.0/0"]
}

The list of Terraform resources which must be contained in this configuration:

· aws_s3_bucket.bucket

· aws_security_group.a

· aws_security_group_rule.public-80

· data.aws_vpc.vpc

· data.aws_s3_bucket.log_bucket

When you check this terraform file with terrascan, it will perform two actions:

1. Identify potential security issues and syntax errors

2. Confirm the configuration still launches the correct resources and relationships that are listed above

If you make changes to the S3 bucket add logging and change the ACL to private and restrict the CIDR block on the security group – the terrascan will pass.

Terrascan Architecture:

Terrascan’s architecture is built to be modular to facilitate adding IaC languages and policies. At a high level Terrascan is composed of the following architectural components: a command line interface, API server, runtime, pluggable IaC providers, pluggable policy engine, notifier, and writer.

· Command Line Interface = Provides CLI input to Terrascan.

· API Server = Provides input to Terrascan through an API.

· Runtime = Performs input validation and process inputs

· IaC Providers = Converts IaC language into normalized JSON

· Policy Engine = Applies policies against normalized JSON

· Notifier = Provides webhooks for results of Terrascan scans.

· Writer = Writes results into various formats like JSON, YAML, or XML.

Terrascan Policies:

Terrascan policies are written using the Rego policy language. With each rego policy a JSON "rule" file is included which defines metadata for the policy. Policies included within Terrascan are stored in the pkg/policies/opa/rego directory.

Integrating Terrascan into CI/CD

Terrascan can be integrated into CI/CD pipelines to enforce security best practices as codified in the OPA rego policies included as part of Terrascan or any custom policies.

It currently supports GitHub Actions and GitLab CI.

In Summary, Cloud Security Misconfigurations and Cloud Posture drift are two big concerns for cloud security teams. Terrascan is an Open-Source option for static code scanning and finding security risks in your infrastructure as code templates and modules. It can be installed and run in a number of different ways, and is most often used in automated pipelines to identify policy violations before insecure infrastructure is provisioned. With Server mode, you can centralize the entire code scanning activity in your environment.