[ Security ] Consider adding Terrascan to security assessment process #141

Open
gwright99 opened this issue Aug 3, 2024 · 0 comments
gwright99 commented Aug 3, 2024

https://runterrascan.io/

Scannable Resources

  • Terraform code
  • Helm charts
  • K8s Manifests

Installation

CLI

$ curl -L "$(curl -s https://api.github.com/repos/tenable/terrascan/releases/latest | grep -o -E "https://.+?_Linux_x86_64.tar.gz")" > terrascan.tar.gz
$ tar -xf terrascan.tar.gz terrascan && rm terrascan.tar.gz
$ sudo install terrascan /usr/local/bin && rm terrascan

Docker

$ docker run --rm tenable/terrascan version

Custom Policies

Via Open Policy Agent (OPA).

  • Default policies at pkg/policies/opa/rego
  • rule.json controls what is applied / severity levels

Example (source)

The policy example below requires Azure resources to be in “UK South” or “UK West” only. If resources are found elsewhere, they will be reported by Terrascan.

# azure_region_policy.rego
#
# Input is assumed to be a Terraform JSON plan (terraform show -json tfplan)
# exposed to the policy as input.tfplan.

package main

import input.tfplan as tfplan

default allow = false

allowed_regions := {"UK South", "UK West"}

# Azure (azurerm_*) resources in the plan that still exist after apply.
# Binding one entry to `resource` keeps the type check and the address on the
# same resource_changes element; destroyed resources (after == null) are skipped.
azure_resources[resource] {
    resource := tfplan.resource_changes[_]
    startswith(resource.type, "azurerm_")
    resource.change.after != null
}

# Addresses of Azure resources whose planned location is outside the allowed set.
# Resource types without a `location` attribute produce no violation.
violations[resource.address] {
    resource := azure_resources[_]
    location := resource.change.after.location
    not allowed_regions[location]
}

# Allow only when no resource violates the region rule.
allow {
    count(violations) == 0
}

rule.json

{
  "rules": {
    "azure_region_policy": {
      "severity": "HIGH",
      "message": "Azure resources should be deployed in 'UK South' or 'UK West' regions.",
      "rules_file": "azure_region_policy.rego"
    }
  }
}

Execution:

# -p (--policy-path) points at the directory holding the .rego policy and its .json metadata
$ terrascan scan -i terraform -d /path/to/terraform -p /path/to/policies

gwright99 self-assigned this Aug 3, 2024
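The region rule from the issue, reimplemented in Python as an added example (it is not part of the issue, of Terrascan, or of OPA) so the check can be run directly against a Terraform JSON plan with nothing installed. The sample plan is constructed. Three details are assumptions added here that the issue's policy does not state: locations are normalized before comparison (the azurerm provider stores "UK South" as "uksouth"), destroyed resources and types without a `location` attribute are skipped, and a location that is only known after apply is reported as unverifiable rather than silently passed.

```python
"""Offline check of the 'UK South / UK West only' rule against a Terraform JSON plan.

Usage: `terraform show -json tfplan > plan.json` and pass plan.json as the
first argument; with no argument the constructed SAMPLE_PLAN below is evaluated.
"""
import json
import sys

ALLOWED_REGIONS = {"UK South", "UK West"}


def normalize_location(location: str) -> str:
    """Collapse Azure region spellings: 'UK South' and 'uksouth' are one region.
    (Assumption: the azurerm provider stores the lower-case, space-free form.)"""
    return "".join(location.split()).lower()


ALLOWED_NORMALIZED = {normalize_location(r) for r in ALLOWED_REGIONS}


def evaluate(plan: dict) -> dict:
    """Classify every azurerm_* entry in plan['resource_changes'].

    Returns {'violations': [...], 'unverifiable': [...]}:
      violations   - resources whose planned location is outside ALLOWED_REGIONS
      unverifiable - resources whose location is only known after apply
    Destroyed resources (change.after is null) and types without a location
    attribute (e.g. azurerm_role_assignment) are skipped.
    """
    violations, unverifiable = [], []
    for rc in plan.get("resource_changes", []):
        if not rc.get("type", "").startswith("azurerm_"):
            continue
        change = rc.get("change", {})
        after = change.get("after")
        if after is None:  # delete: nothing exists after apply
            continue
        if "location" in after:
            if normalize_location(after["location"]) not in ALLOWED_NORMALIZED:
                violations.append({"address": rc["address"], "type": rc["type"],
                                   "location": after["location"]})
        elif change.get("after_unknown", {}).get("location"):
            # Computed at apply time: a plan-time scan cannot prove compliance.
            unverifiable.append(rc["address"])
    return {"violations": violations, "unverifiable": unverifiable}


def allow(plan: dict) -> bool:
    """Mirror of the policy's `allow`: true only when no violation was found.
    Unverifiable locations are reported but do not block on their own."""
    return not evaluate(plan)["violations"]


# Constructed sample plan (shape of `terraform show -json`), not real output.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "rg-uk", "location": "UK South"},
                    "after_unknown": {"id": True}}},
        {"address": "azurerm_storage_account.sa", "type": "azurerm_storage_account",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "stwest", "location": "westeurope"},
                    "after_unknown": {"id": True}}},
        {"address": "azurerm_resource_group.old", "type": "azurerm_resource_group",
         "change": {"actions": ["delete"], "before": {"location": "eastus"},
                    "after": None}},
        {"address": "azurerm_role_assignment.ra", "type": "azurerm_role_assignment",
         "change": {"actions": ["create"], "before": None,
                    "after": {"scope": "/subscriptions/00000000-0000-0000-0000-000000000000"},
                    "after_unknown": {"id": True}}},
        {"address": "random_id.suffix", "type": "random_id",
         "change": {"actions": ["create"], "before": None,
                    "after": {"byte_length": 4}, "after_unknown": {"id": True}}},
        {"address": "azurerm_virtual_network.vnet", "type": "azurerm_virtual_network",
         "change": {"actions": ["create"], "before": None,
                    "after": {"name": "vnet"},
                    "after_unknown": {"id": True, "location": True}}},
    ],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    result = evaluate(plan)
    for v in result["violations"]:
        print(f"VIOLATION {v['address']} ({v['type']}): location {v['location']!r} "
              f"not in {sorted(ALLOWED_REGIONS)}")
    for addr in result["unverifiable"]:
        print(f"UNVERIFIABLE {addr}: location only known after apply")
    print("allow =", allow(plan))
    sys.exit(0 if allow(plan) else 1)
```

Against the sample plan the storage account in westeurope is the only violation, the virtual network is reported as unverifiable, and the destroyed resource group, the role assignment and the non-Azure random_id are ignored; the exit status makes the script usable as a CI gate in the same position Terrascan would occupy.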