Terraform¶
Terraform enables you to safely and predictably create, change, and improve infrastructure.
The easy_infra
project includes and secures Terraform as a component due to
its popularity and versitility in provisioning and updating environments as
Infrastructure as Code (IaC).
easy_infra
’s Terraform security uses tools such as KICS, Checkov, tfsec, and Terrascan to semi-transparently assess
the provided IaC against the defined security policy.
Varying levels of Terraform security are included in the easy_infra
tags,
including minimal, aws, az, and latest. For more information, see
Disabling Security below.
Note
In the minimal, aws, and az images, only the KICS security tool is available. All other security tools will be skipped.
Use Cases¶
If you use Software Version Control (such as git
) to manage your Terraform
IaC, consider executing terraform validate
with easy_infra as a pipeline
action on commit or pull request:
docker run -v $(pwd):/iac seiso/easy_infra:latest-minimal terraform validate
You can also use easy_infra to deploy your infrastructure using terraform
plan
and terraform deploy
:
docker run -v $(pwd):/iac seiso/easy_infra:latest-minimal /bin/bash -c "terraform plan && terraform apply -auto-approve"
Customizing KICS¶
Environment variable |
Result |
Example |
---|---|---|
|
Passes the value to |
|
|
Passes the value to |
|
KICS_QUERIES=4728cd65-a20c-49da-8b31-9c08b423e4db,46883ce1-dc3e-4b17-9195-c6a601624c73
KICS_EXCLUDE_SEVERITIES=info,low
docker run --env-file <(env | grep ^KICS_) -v $(pwd):/iac easy_infra:latest-minimal terraform validate
Terraform Caching¶
If you’re working with the same terraform code across multiple runs, you can leverage the cache:
docker run -v $(pwd):/iac -v $(pwd)/plugin-cache:/home/easy_infra/.terraform.d/plugin-cache easy_infra:latest-minimal /bin/bash -c "terraform init; terraform validate"
Disabling Security¶
The injected security tooling can be disabled entirely or individually, using
easy_infra
-specific command line arguments or environment variables.
Environment variable |
Default |
Result |
---|---|---|
|
|
Disables all security tooling (Not just Terraform-related) |
|
|
Disables Checkov |
|
|
Disables KICS |
|
|
Disables Terrascan |
|
|
Disables tfsec |
Parameter |
Result |
Example |
---|---|---|
|
Disable all security tooling |
|
|
Disable Checkov |
|
|
Disable KICS |
|
|
Disable Terrascan |
|
|
Disable tfsec |
|
Note
All command-line arguments in the above table are processed by easy_infra and removed prior to passing parameters to Terraform commands.
Resources¶
Configuring custom checks can be done by leveragin the robust Rego language, maintained by the, Open Policy Agent (OPA) offers useful resources for cloud native infrastructure administrators. Their example Terraform workflow is available here.
OPA also hosts The Rego Playground for testing custom Terrascan rules.