  TerraGoat – Vulnerable Terraform Infrastructure

    TerraGoat was built to enable DevSecOps teams to design and implement a sustainable misconfiguration-prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline linters, pre-commit hooks or other code-scanning methods.

    TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

    Important notes

    Before you proceed, please take note of this warning: TerraGoat creates intentionally vulnerable AWS resources in your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
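    A practical way to enforce that warning is to refuse `terraform apply` unless the active AWS credentials resolve to a known throwaway account. The script below is an added example, not part of TerraGoat; the account IDs in the allowlist are constructed placeholders, and it assumes the AWS CLI is on the PATH and configured.

```python
"""Guard `terraform apply` so TerraGoat can only land in an allowlisted sandbox account.

Usage:  python sandbox_guard.py [extra terraform apply args]
The guard resolves the caller's account with `aws sts get-caller-identity`
and exits non-zero unless that account is on SANDBOX_ACCOUNTS.
"""
import json
import subprocess
import sys

# Constructed allowlist: these 12-digit IDs are placeholders, replace them with the
# IDs of your own disposable sandbox accounts.
SANDBOX_ACCOUNTS = frozenset({"111111111111", "222222222222"})


def is_sandbox_account(account_id, allowlist=SANDBOX_ACCOUNTS):
    """True only for a well-formed 12-digit account ID that is on the allowlist."""
    account_id = (account_id or "").strip()
    return account_id.isdigit() and len(account_id) == 12 and account_id in allowlist


def caller_account_id(run=subprocess.run):
    """Ask the AWS CLI which account the current credentials belong to.

    `run` is injectable so the parsing can be exercised without real credentials.
    """
    completed = run(
        ["aws", "sts", "get-caller-identity", "--output", "json"],
        capture_output=True, text=True, check=True,
    )
    return json.loads(completed.stdout)["Account"]


def main(argv):
    try:
        account = caller_account_id()
    except (subprocess.CalledProcessError, FileNotFoundError, KeyError, ValueError) as exc:
        print(f"could not determine the AWS account: {exc}", file=sys.stderr)
        return 2
    if not is_sandbox_account(account):
        print(f"refusing to apply TerraGoat: account {account} is not an allowlisted sandbox",
              file=sys.stderr)
        return 1
    # Only reached for a sandbox account; pass any extra arguments through to Terraform.
    return subprocess.call(["terraform", "apply", *argv[1:]])


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Run it from terraform/aws in place of a bare `terraform apply`; anything that is not a well-formed, allowlisted account ID (including whitespace-padded or short values) is rejected before Terraform is invoked.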

    Requirements

    • Terraform 0.12
    • aws cli
    • azure cli

    To prevent vulnerable infrastructure from reaching production, see Bridgecrew & Checkov, the open-source static analysis tool for infrastructure as code.
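    The usual way to wire Checkov into a pipeline is to scan the stack before `terraform apply` and block on failed checks. The gate script below is an added example, not code from TerraGoat or Checkov. It assumes Checkov has already been run with `checkov -d terraform/aws -o json > checkov.json`; the embedded sample report is constructed in the shape I expect from that command (a single object per framework, or a list when several frameworks are scanned), and the accepted check ID is a hypothetical exception, not a recommendation.

```python
"""Block `terraform apply` when a Checkov JSON report contains unaccepted failed checks.

Usage:  checkov -d terraform/aws -o json > checkov.json
        python checkov_gate.py checkov.json      # exit 1 on any blocking finding
"""
import json
import sys

# Check IDs the team has consciously accepted for this stack (hypothetical example).
# For TerraGoat most checks are SUPPOSED to fail, so keep this list short and reviewed.
ACCEPTED_CHECKS = frozenset({"CKV_AWS_18"})

# Constructed sample report (assumed `checkov -o json` shape; only these keys are used).
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            {"check_id": "CKV_AWS_19", "check_name": "Ensure the S3 bucket has server-side-encryption enabled",
             "resource": "aws_s3_bucket.data", "file_path": "/s3.tf", "file_line_range": [1, 20]},
        ],
        "failed_checks": [
            {"check_id": "CKV_AWS_18", "check_name": "Ensure the S3 bucket has access logging enabled",
             "resource": "aws_s3_bucket.data", "file_path": "/s3.tf", "file_line_range": [1, 20]},
            {"check_id": "CKV_AWS_20", "check_name": "S3 Bucket has an ACL defined which allows public READ.",
             "resource": "aws_s3_bucket.data", "file_path": "/s3.tf", "file_line_range": [1, 20]},
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 1, "failed": 2, "skipped": 0, "parsing_errors": 0, "resource_count": 1},
}


def as_report_list(doc):
    """Checkov emits one object for a single framework and a list for several; normalise."""
    return doc if isinstance(doc, list) else [doc]


def blocking_findings(doc, accepted=ACCEPTED_CHECKS):
    """Return failed checks not on the accepted list, plus one entry per unparsable file.

    A file Checkov could not parse was never scanned, so it is treated as blocking
    rather than silently passing.
    """
    findings = []
    for report in as_report_list(doc):
        results = report.get("results", {})
        for path in results.get("parsing_errors", []):
            findings.append({"check_id": "PARSING_ERROR", "check_name": "file could not be parsed",
                             "resource": "-", "file_path": path, "file_line_range": [0, 0]})
        for check in results.get("failed_checks", []):
            if check["check_id"] not in accepted:
                findings.append(check)
    return sorted(findings, key=lambda c: (c.get("file_path", ""),
                                          (c.get("file_line_range") or [0])[0],
                                          c["check_id"]))


def format_finding(check):
    """One line per finding: path:start-end  CHECK_ID  resource  description."""
    line_range = (check.get("file_line_range") or [0, 0])[:2]
    start, end = (line_range + [0, 0])[:2]
    return (f'{check.get("file_path", "?")}:{start}-{end}  {check["check_id"]}  '
            f'{check.get("resource", "-")}  {check.get("check_name", "")}')


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_REPORT  # demo run on the constructed report
    findings = blocking_findings(doc)
    for check in findings:
        print("BLOCK  " + format_finding(check))
    print(f"{len(findings)} blocking finding(s)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

    Accepted exceptions are handled in the gate rather than with blanket `--skip-check` flags so the list lives in version control next to the pipeline and can be reviewed; parsing errors are deliberately fatal because an unscanned file is not a passed file.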

    Getting started

    AWS Setup

    Installation (AWS)

    You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment.

    Create an S3 Bucket backend to keep Terraform state

    export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
    export TF_VAR_company_name=acme
    export TF_VAR_environment=mydevsecops
    export TF_VAR_region="us-west-2"
    aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
        --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region
    # Enable versioning
    aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled
    # Enable encryption
    aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
      "Rules": [
        {
          "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms"
          }
        }
      ]
    }'

    Apply TerraGoat (AWS)

    cd terraform/aws/
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region"
    terraform apply

    Remove TerraGoat (AWS)

    terraform destroy

    Creating multiple TerraGoat AWS stacks

    cd terraform/aws/
    export TERRAGOAT_ENV=$TF_VAR_environment
    export TERRAGOAT_STACKS_NUM=5
    for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
    do
        export TF_VAR_environment=$TERRAGOAT_ENV$i
        terraform init \
        -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
        -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
        -backend-config="region=$TF_VAR_region"
        terraform apply -auto-approve
    done

    Deleting multiple TerraGoat stacks (AWS)

    cd terraform/aws/
    # No spaces around "=": "export VAR = value" would export "VAR", "=" and the value as three separate names
    export TF_VAR_environment=$TERRAGOAT_ENV
    for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
    do
        export TF_VAR_environment=$TERRAGOAT_ENV$i
        terraform init \
        -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
        -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
        -backend-config="region=$TF_VAR_region"
        terraform destroy -auto-approve
    done

    Azure Setup

    Installation (Azure)

    You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment.

    Create an Azure Storage Account backend to keep Terraform state

    export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
    export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
    export TERRAGOAT_STATE_CONTAINER="mydevsecops"
    export TF_VAR_environment="dev"
    export TF_VAR_region="westus"
    # Create resource group
    az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP
    # Create storage account
    az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob
    # Get storage account key
    ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)
    # Create blob container
    az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY

    Apply TerraGoat (Azure)

    cd terraform/azure/
    terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
        -backend-config="storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
        -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
        -backend-config="key=$TF_VAR_environment.terraform.tfstate"
    terraform apply

    Remove TerraGoat (Azure)

    terraform destroy

    GCP Setup

    Installation (GCP)

    You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment.

    Create a GCS backend to keep Terraform state

    To use Terraform, a Service Account and a matching set of credentials are required. If they do not exist, they must be created manually for the relevant project. To create the Service Account:

    1. Sign into your GCP project, go to IAM > Service Accounts.
    2. Click the CREATE SERVICE ACCOUNT.
    3. Give a name to your service account (for example – terragoat) and click CREATE.
    4. Grant the Service Account the Project > Editor role and click CONTINUE.
    5. Click DONE.

    To create the credentials:

    1. Sign into your GCP project, go to IAM > Service Accounts and click on the relevant Service Account.
    2. Click ADD KEY > Create new key > JSON and click CREATE. This will create a .json file and download it to your computer.

    We recommend saving the key under a nicer name than the auto-generated one (e.g. terragoat_credentials.json) and storing the resulting JSON file inside the terraform/gcp directory of TerraGoat. Once the credentials are set up, create the backend configuration as follows:

    export TF_VAR_environment="dev"
    export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
    export TF_VAR_credentials_path=<PATH_TO_CREDENTIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
    export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>
    # Create storage bucket
    gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}

    Apply TerraGoat (GCP)

    cd terraform/gcp/
    terraform init -reconfigure -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
        -backend-config="credentials=$TF_VAR_credentials_path" \
        -backend-config="prefix=terragoat/${TF_VAR_environment}"
    terraform apply

    Remove TerraGoat (GCP)

    terraform destroy

    Bridgecrew’s IaC herd of goats

    • CfnGoat – Vulnerable by design CloudFormation template
    • TerraGoat – Vulnerable by design Terraform stack
    • CDKGoat – Vulnerable by design CDK application

    Contributing

    Contribution is welcomed!

    We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

    Support

    Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.

    If you need direct support you can contact us at [email protected].

    Download Terragoat
