{"id":4712,"date":"2022-02-13T00:09:25","date_gmt":"2022-02-12T16:09:25","guid":{"rendered":"https:\/\/www.jameseduard.com\/?p=4712"},"modified":"2022-02-13T00:09:25","modified_gmt":"2022-02-12T16:09:25","slug":"terragoat-vulnerable-terraform-infrastructure","status":"publish","type":"post","link":"https:\/\/www.jameseduard.com\/?p=4712","title":{"rendered":"TerraGoat &#8211; Vulnerable Terraform Infrastructure"},"content":{"rendered":"\n\n\n<p class=\"wp-block-paragraph\">TerraGoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like&nbsp;<a href=\"https:\/\/bridgecrew.io\/?utm_source=github&amp;utm_medium=organic_oss&amp;utm_campaign=terragoat\">Bridgecrew<\/a>&nbsp;&amp;&nbsp;<a href=\"https:\/\/github.com\/bridgecrewio\/checkov\/\">Checkov<\/a>, inline linters, pre-commit hooks or other code scanning methods.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"important-notes\">Important notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><strong>Where to get help:<\/strong>&nbsp;the&nbsp;<a href=\"https:\/\/slack.bridgecrew.io\/?utm_source=github&amp;utm_medium=organic_oss&amp;utm_campaign=terragoat\" rel=\"noreferrer noopener\" target=\"_blank\">Bridgecrew Community Slack<\/a><\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Before you proceed, please take note of this warning: TerraGoat creates intentionally vulnerable AWS resources in your account.&nbsp;<strong>DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"requirements\">Requirements<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li>Terraform 0.12<\/li><li>AWS CLI<\/li><li>Azure CLI<\/li><\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">To prevent&nbsp;<a href=\"https:\/\/www.kitploit.com\/search\/label\/Vulnerable%20Infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">vulnerable infrastructure<\/a>&nbsp;from reaching production see:&nbsp;<a href=\"https:\/\/bridgecrew.io\/?utm_source=github&amp;utm_medium=organic_oss&amp;utm_campaign=terragoat\" rel=\"noreferrer noopener\" target=\"_blank\">Bridgecrew<\/a>&nbsp;&amp;&nbsp;<a href=\"https:\/\/github.com\/bridgecrewio\/checkov\/\" rel=\"noreferrer noopener\" target=\"_blank\">checkov<\/a>, the open source&nbsp;<a href=\"https:\/\/www.kitploit.com\/search\/label\/Static%20Analysis\" target=\"_blank\" rel=\"noreferrer noopener\">static analysis<\/a>&nbsp;tool for&nbsp;<a href=\"https:\/\/www.kitploit.com\/search\/label\/Infrastructure\" target=\"_blank\" rel=\"noreferrer noopener\">infrastructure<\/a>&nbsp;as code.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"getting-started\">Getting started<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"aws-setup\">AWS Setup<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"installation-aws\">Installation (AWS)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">You can deploy multiple TerraGoat stacks in a single AWS account using the parameter&nbsp;<code>TF_VAR_environment<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-an-s3-bucket-backend-to-keep-terraform-state\">Create an S3 Bucket backend to keep Terraform state<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">export TERRAGOAT_STATE_BUCKET=\"mydevsecops-bucket\"\nexport TF_VAR_company_name=acme\nexport TF_VAR_environment=mydevsecops\nexport TF_VAR_region=\"us-west-2\"\n\naws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \\\n    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region\n\n# Enable versioning\naws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled\n\n# Enable encryption\naws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{\n  \"Rules\": [\n    {\n      \"ApplyServerSideEncryptionByDefault\": {\n        \"SSEAlgorithm\": \"aws:kms\"\n      }\n    }\n  ]\n}'<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"apply-terragoat-aws\">Apply TerraGoat (AWS)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">cd terraform\/aws\/\nterraform init \\\n    -backend-config=\"bucket=$TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config=\"key=$TF_VAR_company_name-$TF_VAR_environment.tfstate\" \\\n    -backend-config=\"region=$TF_VAR_region\"\nterraform apply<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"remove-terragoat-aws\">Remove TerraGoat (AWS)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">terraform destroy<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"creating-multiple-terragoat-aws-stacks\">Creating multiple TerraGoat AWS stacks<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">cd terraform\/aws\/\nexport TERRAGOAT_ENV=$TF_VAR_environment\nexport TERRAGOAT_STACKS_NUM=5\nfor i in $(seq 1 $TERRAGOAT_STACKS_NUM)\ndo\n    export TF_VAR_environment=$TERRAGOAT_ENV$i\n    terraform init \\\n    -backend-config=\"bucket=$TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config=\"key=$TF_VAR_company_name-$TF_VAR_environment.tfstate\" \\\n    -backend-config=\"region=$TF_VAR_region\"\n    terraform apply -auto-approve\ndone<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"deleting-multiple-terragoat-stacks-aws\">Deleting multiple TerraGoat stacks (AWS)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">cd terraform\/aws\/\nexport TF_VAR_environment=$TERRAGOAT_ENV\nfor i in $(seq 1 $TERRAGOAT_STACKS_NUM)\ndo\n    export TF_VAR_environment=$TERRAGOAT_ENV$i\n    terraform init \\\n    -backend-config=\"bucket=$TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config=\"key=$TF_VAR_company_name-$TF_VAR_environment.tfstate\" \\\n    -backend-config=\"region=$TF_VAR_region\"\n    terraform destroy -auto-approve\ndone<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"azure-setup\">Azure Setup<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"installation-azure\">Installation (Azure)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter&nbsp;<code>TF_VAR_environment<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-an-azure-storage-account-backend-to-keep-terraform-state\">Create an Azure Storage Account backend to keep Terraform state<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">export TERRAGOAT_RESOURCE_GROUP=\"TerraGoatRG\"\nexport TERRAGOAT_STATE_STORAGE_ACCOUNT=\"mydevsecopssa\"\nexport TERRAGOAT_STATE_CONTAINER=\"mydevsecops\"\nexport TF_VAR_environment=\"dev\"\nexport TF_VAR_region=\"westus\"\n\n# Create resource group\naz group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP\n\n# Create storage account\naz storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob\n\n# Get storage account key\nACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)\n\n# Create blob container\naz storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"apply-terragoat-azure\">Apply TerraGoat (Azure)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">cd terraform\/azure\/\nterraform init -reconfigure \\\n    -backend-config=\"resource_group_name=$TERRAGOAT_RESOURCE_GROUP\" \\\n    -backend-config=\"storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT\" \\\n    -backend-config=\"container_name=$TERRAGOAT_STATE_CONTAINER\" \\\n    -backend-config=\"key=$TF_VAR_environment.terraform.tfstate\"\nterraform apply<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"remove-terragoat-azure\">Remove TerraGoat (Azure)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">terraform destroy<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"gcp-setup\">GCP Setup<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"installation-gcp\">Installation (GCP)<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">You can deploy multiple TerraGoat stacks in a single GCP project using the parameter&nbsp;<code>TF_VAR_environment<\/code>.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"create-a-gcs-backend-to-keep-terraform-state\">Create a GCS backend to keep Terraform state<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">To use Terraform, a Service Account and a matching set of credentials are required. If they do not exist, they must be created manually for the relevant project. To create the Service Account:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Sign into your GCP project, go to&nbsp;<code>IAM<\/code>&nbsp;&gt;&nbsp;<code>Service Accounts<\/code>.<\/li><li>Click&nbsp;<code>CREATE SERVICE ACCOUNT<\/code>.<\/li><li>Give a name to your service account (for example&nbsp;<code>terragoat<\/code>) and click&nbsp;<code>CREATE<\/code>.<\/li><li>Grant the Service Account the&nbsp;<code>Project<\/code>&nbsp;&gt;&nbsp;<code>Editor<\/code>&nbsp;role and click&nbsp;<code>CONTINUE<\/code>.<\/li><li>Click&nbsp;<code>DONE<\/code>.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">To create the credentials:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>Sign into your GCP project, go to&nbsp;<code>IAM<\/code>&nbsp;&gt;&nbsp;<code>Service Accounts<\/code>&nbsp;and click on the relevant Service Account.<\/li><li>Click&nbsp;<code>ADD KEY<\/code>&nbsp;&gt;&nbsp;<code>Create new key<\/code>&nbsp;&gt;&nbsp;<code>JSON<\/code>&nbsp;and click&nbsp;<code>CREATE<\/code>. This will create a&nbsp;<code>.json<\/code>&nbsp;file and download it to your computer.<\/li><\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">We recommend saving the key with a nicer name than the auto-generated one (e.g.&nbsp;<code>terragoat_credentials.json<\/code>), and storing the resulting JSON file inside the&nbsp;<code>terraform\/gcp<\/code>&nbsp;directory of TerraGoat. Once the credentials are set up, create the backend configuration as follows:<\/p>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">export TF_VAR_environment=\"dev\"\nexport TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat\nexport TF_VAR_credentials_path=&lt;PATH_TO_CREDENTIALS_FILE&gt; # example: export TF_VAR_credentials_path=terragoat_credentials.json\nexport TF_VAR_project=&lt;YOUR_PROJECT_NAME_HERE&gt;\n\n# Create storage bucket\ngsutil mb gs:\/\/${TF_TERRAGOAT_STATE_BUCKET}<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"apply-terragoat-gcp\">Apply TerraGoat (GCP)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">cd terraform\/gcp\/\nterraform init -reconfigure \\\n    -backend-config=\"bucket=$TF_TERRAGOAT_STATE_BUCKET\" \\\n    -backend-config=\"credentials=$TF_VAR_credentials_path\" \\\n    -backend-config=\"prefix=terragoat\/${TF_VAR_environment}\"\nterraform apply<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"remove-terragoat-gcp\">Remove TerraGoat (GCP)<\/h4>\n\n\n\n<pre class=\"wp-block-syntaxhighlighter-code\">terraform destroy<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"bridgecrew-s-iac-herd-of-goats\">Bridgecrew&#8217;s IaC herd of goats<\/h2>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"https:\/\/github.com\/bridgecrewio\/cfngoat\" rel=\"noreferrer noopener\" target=\"_blank\">CfnGoat<\/a>&nbsp;&#8211; Vulnerable by design CloudFormation template<\/li><li><a href=\"https:\/\/github.com\/bridgecrewio\/terragoat\" rel=\"noreferrer noopener\" target=\"_blank\">TerraGoat<\/a>&nbsp;&#8211; Vulnerable by design Terraform stack<\/li><li><a href=\"https:\/\/github.com\/bridgecrewio\/cdkgoat\" rel=\"noreferrer noopener\" target=\"_blank\">CDKGoat<\/a>&nbsp;&#8211; Vulnerable by design CDK application<\/li><\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"contributing\">Contributing<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Contributions are welcome!<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We would love to hear more ideas on how to find vulnerable infrastructure-as-code design patterns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"support\">Support<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/bridgecrew.io\/?utm_source=github&amp;utm_medium=organic_oss&amp;utm_campaign=terragoat\" rel=\"noreferrer noopener\" target=\"_blank\">Bridgecrew<\/a>&nbsp;builds and maintains TerraGoat to encourage the adoption of policy-as-code.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If you need direct support you can contact us at&nbsp;<a href=\"mailto:info@bridgecrew.io\" rel=\"noreferrer noopener\" target=\"_blank\">info@bridgecrew.io<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong><a href=\"https:\/\/github.com\/bridgecrewio\/terragoat\" rel=\"noreferrer noopener\" target=\"_blank\">Download TerraGoat<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>TerraGoat was built to enable DevSecOps to design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like&nbsp;Bridgecrew&nbsp;&amp;&nbsp;Checkov, inline linters, pre-commit hooks or other code scanning methods. TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud<\/p>\n","protected":false},"author":1,"featured_media":4714,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52,726,705,91],"tags":[34,92,870],"class_list":["post-4712","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops","category-security-assessment-tool","category-security-scanner","category-terraform","tag-security","tag-terraform","tag-terragoat"],"_links":{"self":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/4712","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4712"}],"version-history":[{"count":0,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=\/wp\/v2\/posts\/4712\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4712"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4712"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jameseduard.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4712"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}