Terraform

Terraform enables you to safely and predictably create, change, and improve infrastructure.

The easy_infra project includes and secures Terraform as a component due to its popularity and versatility in provisioning and updating environments as Infrastructure as Code (IaC).

easy_infra’s Terraform security uses tools such as KICS, Checkov, tfsec, and Terrascan to semi-transparently assess the provided IaC against the defined security policy.

Varying levels of Terraform security are included in the easy_infra tags, including minimal, aws, az, and latest. For more information, see Disabling Security below.

Note

In the minimal, aws, and az images, only the KICS security tool is available. All other security tools will be skipped.

Use Cases

If you use Software Version Control (such as git) to manage your Terraform IaC, consider executing terraform validate with easy_infra as a pipeline action on commit or pull request:

docker run -v $(pwd):/iac seiso/easy_infra:latest-minimal terraform validate

You can also use easy_infra to deploy your infrastructure using terraform plan and terraform apply:

docker run -v $(pwd):/iac seiso/easy_infra:latest-minimal /bin/bash -c "terraform plan && terraform apply -auto-approve"

Customizing KICS

Environment variable     Result                                    Example
-----------------------  ----------------------------------------  -------------------------------------------------------------------------
KICS_QUERIES             Passes the value to --include-queries     4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73
KICS_EXCLUDE_SEVERITIES  Passes the value to --exclude-severities  info,low

The variables must be exported so that env (and therefore the container) can see them; the process substitution below requires bash:

export KICS_QUERIES=4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73
export KICS_EXCLUDE_SEVERITIES=info,low
docker run --env-file <(env | grep ^KICS_) -v $(pwd):/iac seiso/easy_infra:latest-minimal terraform validate
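The command above relies on whatever happens to be exported and matches ^KICS_. The following is an added example, not part of easy_infra, that builds the same env-file explicitly and checks the values first, so that a mistyped query ID or severity is caught before the scan runs rather than silently changing its scope. It assumes KICS query IDs are UUIDs (as in the table) and that the severity names are info, low, medium, high and critical; the file name kics.env and the function name are choices made for this example.

```shell
# Added example (not easy_infra's own code): write a --env-file for the
# KICS settings after validating them.

# Writes KICS_QUERIES and KICS_EXCLUDE_SEVERITIES to the env-file named by $1.
# Returns 1 and writes nothing if a query ID is not a UUID or a severity is
# not one of the names assumed above.
write_kics_env_file() {
    out="$1"
    queries="${KICS_QUERIES:-}"
    severities="${KICS_EXCLUDE_SEVERITIES:-}"

    # KICS query IDs are UUIDs (see the table); reject anything else.
    for q in $(printf '%s' "$queries" | tr ',' ' '); do
        printf '%s' "$q" | grep -Eiq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' \
            || { echo "invalid KICS query id: $q" >&2; return 1; }
    done

    # Severity names assumed for this example: the page shows info and low;
    # medium, high and critical are the other levels KICS reports.
    for s in $(printf '%s' "$severities" | tr ',' ' '); do
        case "$s" in
            info|low|medium|high|critical) ;;
            *) echo "invalid KICS severity: $s" >&2; return 1 ;;
        esac
    done

    # Only write once everything validated; one KEY=VALUE per line, which is
    # the format docker run --env-file expects.
    : > "$out"
    [ -n "$queries" ]    && echo "KICS_QUERIES=$queries" >> "$out"
    [ -n "$severities" ] && echo "KICS_EXCLUDE_SEVERITIES=$severities" >> "$out"
    return 0
}

# Usage: export the settings (a plain assignment is not visible to env or to
# a child process), write the file, then hand it to docker run.
export KICS_QUERIES=4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73
export KICS_EXCLUDE_SEVERITIES=info,low
KICS_ENV_FILE="$(mktemp)"
write_kics_env_file "$KICS_ENV_FILE" && cat "$KICS_ENV_FILE"
# docker run --env-file "$KICS_ENV_FILE" -v "$(pwd)":/iac seiso/easy_infra:latest-minimal terraform validate
```

Because the file is written explicitly, the same approach works from a CI runner whose shell is plain sh, where the <(...) form is unavailable.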

Terraform Caching

If you’re working with the same terraform code across multiple runs, you can leverage the cache:

docker run -v $(pwd):/iac -v $(pwd)/plugin-cache:/home/easy_infra/.terraform.d/plugin-cache seiso/easy_infra:latest-minimal /bin/bash -c "terraform init && terraform validate"

Disabling Security

The injected security tooling can be disabled entirely or individually, using easy_infra-specific command line arguments or environment variables.

Environment variable  Default  Result
--------------------  -------  ----------------------------------------------------------
DISABLE_SECURITY      false    Disables all security tooling (not just Terraform-related)
SKIP_CHECKOV          false    Disables Checkov
SKIP_KICS             false    Disables KICS
SKIP_TERRASCAN        false    Disables Terrascan
SKIP_TFSEC            false    Disables tfsec

Parameter           Result                        Example
------------------  ----------------------------  -------------------------------------
--disable-security  Disable all security tooling  terraform validate --disable-security
--skip-checkov      Disable Checkov               terraform --skip-checkov validate
--skip-kics         Disable KICS                  terraform validate --skip-kics
--skip-terrascan    Disable Terrascan             terraform --skip-terrascan validate
--skip-tfsec        Disable tfsec                 terraform --skip-tfsec validate

Note

All command-line arguments in the above table are processed by easy_infra and removed prior to passing parameters to Terraform commands.
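To make the two tables and the note concrete, here is an added example (a hypothetical emulation written for this page, not easy_infra's own wrapper) of what "processed by easy_infra and removed" means: the wrapper walks the command line, records any easy_infra flag in the corresponding environment variable from the first table, and passes only the remaining words to the real terraform binary. It also shows which scanners are left enabled for a given image tag, honouring the Note near the top that the minimal, aws and az images only ship KICS. The function names and the space-separated TERRAFORM_ARGS variable are choices made for this example.

```shell
# Added example (not easy_infra's own code): emulate flag stripping and the
# resulting set of enabled scanners.

# Strips easy_infra-specific flags from "$@", records them in the environment
# variables documented above (defaults: false), and leaves the remaining
# words, space-separated, in TERRAFORM_ARGS for the real terraform command.
strip_easy_infra_flags() {
    DISABLE_SECURITY="${DISABLE_SECURITY:-false}"
    SKIP_CHECKOV="${SKIP_CHECKOV:-false}"
    SKIP_KICS="${SKIP_KICS:-false}"
    SKIP_TERRASCAN="${SKIP_TERRASCAN:-false}"
    SKIP_TFSEC="${SKIP_TFSEC:-false}"
    TERRAFORM_ARGS=""
    for arg in "$@"; do
        case "$arg" in
            --disable-security) DISABLE_SECURITY=true ;;
            --skip-checkov)     SKIP_CHECKOV=true ;;
            --skip-kics)        SKIP_KICS=true ;;
            --skip-terrascan)   SKIP_TERRASCAN=true ;;
            --skip-tfsec)       SKIP_TFSEC=true ;;
            # Anything else is a real terraform word; the flags may appear
            # before or after the subcommand, as in the table's examples.
            *) TERRAFORM_ARGS="${TERRAFORM_ARGS:+$TERRAFORM_ARGS }$arg" ;;
        esac
    done
}

# Prints the scanners that would still run for image tag $1, given the
# DISABLE_SECURITY / SKIP_* values left by strip_easy_infra_flags.
# The minimal, aws and az images only contain KICS (see the Note above).
enabled_tools() {
    tag="$1"
    [ "$DISABLE_SECURITY" = "true" ] && { echo ""; return 0; }
    tools=""
    [ "$SKIP_KICS" = "true" ] || tools="kics"
    case "$tag" in
        *minimal*|*aws*|*az*) ;;   # only KICS is present in these images
        *)
            [ "$SKIP_CHECKOV" = "true" ]   || tools="${tools:+$tools }checkov"
            [ "$SKIP_TERRASCAN" = "true" ] || tools="${tools:+$tools }terrascan"
            [ "$SKIP_TFSEC" = "true" ]     || tools="${tools:+$tools }tfsec"
            ;;
    esac
    echo "$tools"
}

# Usage: the table's "terraform --skip-checkov validate".
strip_easy_infra_flags terraform --skip-checkov validate
echo "terraform receives:     $TERRAFORM_ARGS"
echo "tools (latest):         $(enabled_tools latest)"
echo "tools (latest-minimal): $(enabled_tools latest-minimal)"
```

The practical consequence for a pipeline: a --skip-* flag or SKIP_* variable that sneaks into a job definition disables a scanner without terraform ever seeing it, so reviewing the wrapper's inputs (not just the terraform arguments) is part of reviewing the pipeline.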

Resources

Custom checks can be configured using the Rego language, maintained by the Open Policy Agent (OPA) project, which offers useful resources for cloud native infrastructure administrators. Their example Terraform workflow is available here.

OPA also hosts The Rego Playground for testing custom Terrascan rules.