In this blog, we will see installation and demo of security tool called "tfsec"
TFSec : It is a security scanner tool, which helps to find any misconfiguration in terraform code which leads to any security risks
Github link : https://github.com/aquasecurity/tfsec
Requirements:
1.linux/Mac machine
2.Terraform code
Installation :
Install tfsec
we can install mac/linux,
in Linux use below command,
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
in mac use below command,
brew install tfsec
Run tfsec :
Go to the terraform script location and run "tfsec ." inside the directory
I have sample tf code to create a storage account in Azure cloud. Here is my main.tf
resource "azurerm_storage_account" "storageaccount" {
name = "devopsartstrgtest"
resource_group_name = "devopsart-non-prod"
location = "East US"
account_tier = "Standard"
account_replication_type = "GRS"
}
It will give a nice output which says where are the places the misconfiguration and fix needs to apply.
In the above result it says, "CRITICAL Storage account uses an insecure TLS version" so need to update with right configuration and run it.
We can run docker by using below command,
docker run --rm -it -v "$(pwd):/src" aquasec/tfsec /src
That's all. We have installed tfsec and experimented with it.
Few more functionalities with tfsec:
- We can create a new policy based on our requirements.
- We can set it to ignore any of the tf scripts by defining it in the tfscript.
#tfsec:ignore:az-vm-no-public-ip-rg
- We can also set it to ignore with an expiration date, so the section will be enabled after the given date
#tfsec:ignore:ignore:az-vm-no-public-ip-rg:2023-08-30
You can try with this tool and give your comments!
Post a Comment