Secure Terraform IaC code using Checkov

Umesh Tyagi
4 min read · Dec 2, 2023

In this blog, I will show you how to secure your Terraform code and how to get a warning before a misconfiguration exposes access to your infrastructure.

As we know, Infrastructure as Code has become popular, and everyone from small startups to big MNCs uses IaC tools like Terraform to create and manage their infrastructure as code. But this brings challenges such as security and quality, which are also critical issues that need to be addressed, isn’t it?

To address these issues we can leverage static code analysis tools like Checkov.

Checkov is a static code analysis tool designed to analyze Infrastructure as Code (IaC) files. It is typically run before deployment to find and highlight potential security and compliance problems in the infrastructure code.

Checkov Advantages

  • Checkov supports many IaC frameworks, such as Kubernetes, CloudFormation, Terraform, and more.
  • It ships with more than 750 built-in policies covering a broad range of misconfigurations that could lead to security flaws or noncompliance with regulations.
  • By including Checkov in the development or deployment process, teams can identify and address such problems early in the development lifecycle.
  • Note that the number of built-in policies changes over time, as the tool is updated and new rules are added for new security concerns and best practices in the cloud and infrastructure space.

Integrate Terraform with Checkov

Checkov can be integrated with Terraform in several ways.

  • Scan Terraform files with the Checkov CLI to find problems.
  • Checkov IDE plugins help catch mistakes while the code is being written.
  • Automate the Checkov scan with CI/CD tooling so the Terraform code is evaluated consistently; this gives developers quick feedback.

In this blog, we will use the Checkov CLI to scan Terraform files.

Prerequisites

  1. Python
  2. Terraform CLI

Installing Checkov CLI

Use the following command to install Checkov CLI:

pip3 install checkov

The output will look like this:

[screenshot: installing checkov]

Scan the Terraform Project

Let’s begin by using Checkov to scan Terraform files. Start scanning the .tf files with the command below; Checkov reports whether each check passed or failed.

Create and navigate to a new directory:

mkdir terraform-checkov && cd terraform-checkov

Initialize the Terraform project:

terraform init

Output:

[screenshot: terraform init]

Create main.tf and write Terraform code that creates an EC2 instance with a security group. A project can create many resources, and each resource can live in a separate file; Checkov can scan a single file or a whole directory.

# Provider block added so the file can be planned on its own (the region is an assumption).
provider "aws" {
  region = "us-east-1"
}

# The original file references aws_vpc.main without declaring it; a minimal VPC is
# declared here (assumed values) so that the reference resolves.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

# Deliberately permissive security group: despite its description, it allows every
# protocol and port from any IPv4 or IPv6 address, inbound and outbound. This is
# exactly the kind of rule Checkov is expected to flag in the scan below.
resource "aws_security_group" "allow_all_traffic" {
  name        = "allow_all_traffic"
  description = "Allow TLS inbound traffic"
  vpc_id      = aws_vpc.main.id

  ingress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"          # "-1" means all protocols
    cidr_blocks      = ["0.0.0.0/0"] # any IPv4 address
    ipv6_cidr_blocks = ["::/0"]      # any IPv6 address
  }

  egress {
    from_port        = 0
    to_port          = 0
    protocol         = "-1"
    cidr_blocks      = ["0.0.0.0/0"]
    ipv6_cidr_blocks = ["::/0"]
  }

  tags = {
    Name = "allow_all_traffic"
  }
}

# EC2 instance attached to the permissive security group above.
resource "aws_instance" "app_server" {
  ami                    = "ami-0efcece6bed30fd98"
  instance_type          = "t2.micro"
  vpc_security_group_ids = [aws_security_group.allow_all_traffic.id]

  tags = {
    Name = "ExampleAppServerInstance"
  }
}

Use the following command to scan the Terraform project directory. In my case it is terraform-checkov.

The scan must be run at the terraform plan stage, before terraform apply.

checkov -d <terraform-project-dir>

You can see Passed checks and Failed checks in the scan results:

[screenshot: Passed Checks]
[screenshot: Failed Checks]

To fix the failed checks, follow the guidance given in the output of each failed check. Once all checks pass, you are good to go: review the plan of the Terraform configuration and then apply it.
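The CI/CD integration mentioned earlier and the fix-the-failed-checks step described here can be combined into a small gate script. The following Python is an added example, not code from the original post or from the Checkov project: it runs checkov -d <dir> -o json on a directory given on the command line (or falls back to a constructed sample report when run without arguments), prints each failed check with its file location and guideline link, and exits non-zero so a pipeline stops before terraform apply. The report fields it reads (results.failed_checks, check_id, check_name, resource, file_path, file_line_range, guideline) are assumed from the shape of Checkov's JSON output; the sample's paths, line ranges and URLs are placeholders, and the accepted allow-list for documented exceptions is a hypothetical addition.

```python
"""Gate a CI/CD pipeline on Checkov's JSON report and print a fix list."""
import json
import subprocess
import sys
from collections import defaultdict


def run_checkov(target_dir: str):
    """Run the Checkov CLI on a Terraform directory and return the parsed JSON report.

    -d, --framework and -o are documented Checkov CLI options. Checkov exits
    non-zero when any check fails, so check=False keeps the report readable.
    """
    proc = subprocess.run(
        ["checkov", "-d", target_dir, "--framework", "terraform", "-o", "json"],
        capture_output=True, text=True, check=False,
    )
    return json.loads(proc.stdout)


def failed_checks(report) -> list:
    """Collect failed checks; -o json yields one dict per framework, or a list of them."""
    reports = report if isinstance(report, list) else [report]
    failed = []
    for framework_report in reports:
        failed.extend(framework_report.get("results", {}).get("failed_checks", []))
    return failed


def group_by_resource(failed: list) -> dict:
    """Map each Terraform resource address to the ids of the checks it failed."""
    grouped = defaultdict(list)
    for check in failed:
        grouped[check["resource"]].append(check["check_id"])
    return dict(grouped)


def should_block(failed: list, accepted: frozenset = frozenset()) -> bool:
    """Return True when any failure is not an explicitly accepted (documented) exception."""
    return any(check["check_id"] not in accepted for check in failed)


def format_findings(failed: list) -> str:
    """One line per failure with its file location, plus the guideline link when present."""
    lines = []
    for check in failed:
        start, end = check.get("file_line_range") or ("?", "?")
        lines.append(
            f"{check['check_id']} {check['resource']} "
            f"({check['file_path']}:{start}-{end}): {check['check_name']}"
        )
        if check.get("guideline"):
            lines.append(f"    fix: {check['guideline']}")
    return "\n".join(lines)


# Constructed sample in the shape of a Checkov JSON report (the schema is an assumption;
# the two check ids are real Checkov ids, while the file path, line ranges and
# guideline URL are placeholders).
SAMPLE_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [],
        "failed_checks": [
            {
                "check_id": "CKV_AWS_24",
                "check_name": "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22",
                "resource": "aws_security_group.allow_all_traffic",
                "file_path": "/main.tf",
                "file_line_range": [1, 23],
                "guideline": "https://example.invalid/guideline/CKV_AWS_24",
            },
            {
                "check_id": "CKV_AWS_79",
                "check_name": "Ensure Instance Metadata Service Version 1 is not enabled",
                "resource": "aws_instance.app_server",
                "file_path": "/main.tf",
                "file_line_range": [24, 31],
                "guideline": None,
            },
        ],
        "skipped_checks": [],
        "parsing_errors": [],
    },
    "summary": {"passed": 0, "failed": 2, "skipped": 0, "parsing_errors": 0, "resource_count": 2},
}


def main(argv: list) -> int:
    """Scan the directory given on the command line, or fall back to the sample report."""
    report = run_checkov(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    failed = failed_checks(report)
    print(format_findings(failed) or "no failed checks")
    for resource, ids in group_by_resource(failed).items():
        print(f"{resource}: {len(ids)} failed check(s)")
    return 1 if should_block(failed) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python checkov_gate.py terraform-checkov in the pipeline step that follows terraform plan; a non-zero exit blocks the apply stage. Exceptions belong in the accepted set only with a written justification, so that a silenced check is a reviewed decision rather than a forgotten one.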
