Introducing TerraGoat, a “vulnerable-by-design” Terraform training project
Tl;dr — We’re excited to release TerraGoat 🐐, a training project for developers to learn about how to identify and avoid infrastructure as code misconfigurations and security risks.
At Bridgecrew, we’re firm believers that cloud security needs to happen as early as possible — ideally when infrastructure is planned and applied using code.
We also believe that DevOps, security, and engineering teams strive to do this. Unfortunately, there’s a major knowledge, skills, and access gap between those functions, making it difficult to achieve.
- Detecting and responding to misconfigurations in multiple AWS accounts requires not only general security and compliance know-how but also confidence in making changes to immutable infrastructure logic.
- Coordinating infrastructure as code configuration best-practices across multiple engineering teams is difficult, not to mention that not every development squad has the right DevOps security skills.
- To monitor and track best practices in cloud configurations, developers need to learn best practices for CIS, SOC2, PCI, HIPAA, NIST, AWS Foundations, Hightrust, and others across multiple versions. Expecting all cloud developers to know all those best practices is a little unrealistic.
- There are very few readily available examples of what “bad” infrastructure code looks like, and there aren’t any resources out there to help train and test your infrastructure as code skills.
In the same vein as RhinoLabs’ fantastic penetration testing training tool, CloudGoat, TerraGoat is a complementing resource for Terraform, the popular infrastructure as code framework from HashiCorp.
Terragoat is a vulnerable-by-design Terraform project designed to give devops engineers a place to learn how to identifying misconfigured infrastructure as code modules and test infrastructure code without polluting their own professional AWS account.
How TerraGoat works
Check out TerraGoat on Github to get started. Terragoat can be deployed using
terraform apply and removed using
Once deployed, you’ll be able to explore several violations of infrastructure security best practices such as:
- Ensure all data stored in the RDS is not publicly accessible
- Ensure no hardcoded AWS access key and secret key exists in EC2 user data
- Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
- Ensure no hardcoded AWS access key and secret key exists in lambda environment
- S3 Bucket has an ACL defined, which allows public READ access
- and many, many more!
We welcome teams to fork the TerraGoat repo and practice troubleshooting and debugging bad infrastructure.
Scanning for misconfigs in TerraGoat with Checkov
Another reason we built TerraGoat is to support the development of and the community around Checkov. If you’re not familiar, Checkov is the open-source static analysis tool for infrastructure as code that we released earlier this year.
With Checkov you can scan the growing list of vulnerable resources that Terraform provisions into an AWS account.
Use Checkov pre-commit hooks or linters to identify errors before getting pushed into run-time, identify common missing arguments, and explore security layering concepts like security groups and IAM hardening.
# clone the project
git clone email@example.com:bridgecrewio/terragoat.gitcd terragoat# install terraform policy as code engine (checkov)
pip install checkov# scan terrgoat
checkov -d terraform
Review the results:
Scanning for these violations first-hand is a great way to get acquainted with what Terraform misconfigurations look like and the associated risks.
Terraform security is becoming an increasingly important area for DevOps engineers to learn and implement. We hope that TerraGoat helps bridge the knowledge gap for those looking for ways to start down that path.
Be sure to ⭐️ this project on GitHub, and keep an eye out for what’s coming next, CfnGoat, a “vulnerable-by-design” training project for CloudFormation.