TerraGoat: Learning infrastructure for security vulnerabilities in Terraform

What is TerraGoat?

TerraGoat is a deliberately vulnerable Terraform learning environment: every security flaw in it was left there on purpose by its developers, so that researchers can study Terraform-related security vulnerabilities in depth.

TerraGoat is a dedicated learning and training project that demonstrates many of the security vulnerabilities and common misconfigurations found in Terraform code, and it shows researchers how such weaknesses can give an attacker a path into the target cloud production environment.

TerraGoat is designed to help DevSecOps teams design and implement sustainable misconfiguration-prevention strategies. (DevSecOps is a framework and methodology that brings people, processes and technologies together to embed security capabilities smoothly into existing development workflows, so that security issues are found early in development rather than after release, and that makes everyone accountable for information security, not just the security department.) TerraGoat can also serve as a code base for testing policy-as-code tooling such as Bridgecrew and Checkov.

In short, TerraGoat provides a Terraform training ground for practicing secure development of cloud infrastructure.

Note: TerraGoat creates AWS resources in your account that contain security flaws. Do not deploy TerraGoat into a production environment or into any account that holds sensitive resources or data.


Requirements

Terraform 0.12
Azure CLI


AWS configuration

We can deploy multiple TerraGoat instances in one AWS account by varying the "TF_VAR_environment" variable.

First, create an S3 bucket backend to store and retrieve Terraform state:

export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-west-2"

aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region

# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled

# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"
      }
    }
  ]
}'

Next, use the following command to deploy TerraGoat (AWS):

cd terraform/aws/

terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region"

terraform apply
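Terraform state stored in that bucket records resource attributes and frequently secrets, so the versioning and encryption steps above are not optional hygiene. The following shell snippet is an added example (not part of the TerraGoat project) that verifies the state bucket actually has versioning and default encryption before running terraform init, and that every variable the backend configuration depends on is set. The check functions take the JSON that aws s3api returns, so they can be exercised without AWS access; only audit_state_bucket calls the CLI. All function names are this example's own.

```shell
# Added example: pre-init checks for the S3 state backend (assumed helper
# names; not TerraGoat's own code).

# Returns 0 when the get-bucket-versioning JSON shows Status "Enabled".
versioning_enabled() {
  printf '%s' "$1" | grep -q '"Status"[[:space:]]*:[[:space:]]*"Enabled"'
}

# Returns 0 when the get-bucket-encryption JSON names an accepted default
# algorithm: aws:kms as configured on this page, or SSE-S3 (AES256).
encryption_enabled() {
  printf '%s' "$1" | grep -Eq '"SSEAlgorithm"[[:space:]]*:[[:space:]]*"(aws:kms|AES256)"'
}

# Returns 0 only when every variable the backend config needs is set, so a
# missing region or bucket cannot silently fall back to a CLI default.
required_vars_set() {
  for v in TERRAGOAT_STATE_BUCKET TF_VAR_company_name TF_VAR_environment TF_VAR_region; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "missing variable: $v" >&2; return 1; }
  done
}

# Combines both JSON checks and reports which one failed.
# $1 = get-bucket-versioning output, $2 = get-bucket-encryption output.
state_bucket_ok() {
  versioning_enabled "$1" || { echo "state bucket: versioning is not Enabled" >&2; return 1; }
  encryption_enabled "$2" || { echo "state bucket: no default encryption configured" >&2; return 1; }
}

# Live wrapper: queries the bucket with the AWS CLI and gates on the result.
# get-bucket-encryption exits non-zero when no configuration exists, which
# is mapped to an empty JSON object so the check fails cleanly.
audit_state_bucket() {
  bucket=$1
  ver=$(aws s3api get-bucket-versioning --bucket "$bucket")
  enc=$(aws s3api get-bucket-encryption --bucket "$bucket" 2>/dev/null || echo '{}')
  state_bucket_ok "$ver" "$enc"
}

# Usage, after exporting the variables from the page:
#   required_vars_set && audit_state_bucket "$TERRAGOAT_STATE_BUCKET" && terraform init ...
# The guard below keeps the live call out of the way when the file is only sourced.
if [ -n "${TERRAGOAT_AUDIT:-}" ]; then
  required_vars_set && audit_state_bucket "$TERRAGOAT_STATE_BUCKET"
fi
```

Source the file and run the gate with TERRAGOAT_AUDIT=1 set; a non-zero exit means the bucket is not yet a safe place for state and the init should not proceed.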

The following command removes TerraGoat (AWS):

terraform destroy

We can also create multiple TerraGoat AWS stacks with the following loop. Each stack gets its own environment name and therefore its own state key; -reconfigure lets terraform init switch the backend key without an interactive prompt:

cd terraform/aws/

export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=3   # example value: number of stacks to create

for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i
    terraform init -reconfigure \
        -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
        -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
        -backend-config="region=$TF_VAR_region"

    terraform apply -auto-approve
done
To delete multiple TerraGoat AWS stacks:

cd terraform/aws/

export TF_VAR_environment=$TERRAGOAT_ENV

for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i
    terraform init -reconfigure \
        -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
        -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
        -backend-config="region=$TF_VAR_region"

    terraform destroy -auto-approve
done

Azure configuration

You can use the "TF_VAR_environment" variable to deploy multiple TerraGoat stacks in one Azure subscription.

First, create an Azure storage account backend to store and retrieve Terraform state. The resource group and storage account names are not given on this page; the two angle-bracket values below are placeholders to replace with your own (storage account names must be globally unique, lowercase letters and digits only, 3 to 24 characters):

export TERRAGOAT_RESOURCE_GROUP=<RESOURCE_GROUP_NAME>
export TERRAGOAT_STATE_STORAGE_ACCOUNT=<STORAGE_ACCOUNT_NAME>
export TERRAGOAT_STATE_CONTAINER="mydevsecops"
export TF_VAR_environment="dev"
export TF_VAR_region="westus"

# Create resource group
az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP

# Create storage account
az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob

# Get storage account key
ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)

# Create blob container
az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY

Deploy TerraGoat (Azure):

cd terraform/azure/

terraform init -reconfigure \
    -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
    -backend-config="storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
    -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
    -backend-config="key=$TF_VAR_environment.terraform.tfstate"

terraform apply

Remove TerraGoat (Azure):

terraform destroy

GCP configuration

We can deploy multiple TerraGoat stacks in one GCP project by varying the "TF_VAR_environment" variable.

Create a GCS backend to store and retrieve Terraform state:

Terraform needs a service account and its credentials. If you do not have one yet, create it manually:

1. Log in to your GCP project and click "IAM" -> "Service Accounts".

3. Enter a service account name (e.g. "terragoat"), then click "CONTINUE".

4. Grant the service account the "Editor" role, then click "CONTINUE".

5. Click "DONE".

To create a credential:

1. Log in to your GCP project, click "IAM > Service Accounts", and then click the service account you created.

2. Click "ADD KEY > Create new key > JSON", then click "CREATE". A .json key file is generated and downloaded to your machine; put it in the terraform/gcp directory. Once the credentials exist, set up the backend configuration as follows:
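The downloaded key is a long-lived credential sitting as a plain JSON file next to the Terraform code, which makes two mistakes easy: leaving it readable by other users on the machine, and committing it along with the TerraGoat checkout. The following shell snippet is an added example (not part of the TerraGoat project) that checks both before the key path is handed to TF_VAR_credentials_path as in the exports below. The function names credentials_file_ok and key_is_ignored are this example's own.

```shell
# Added example: sanity checks on the service-account key file
# (assumed helper names; not TerraGoat's own code).

# Returns 0 when the file exists and carries no group/other permission
# bits. POSIX `find -perm -NNN` matches when all bits in NNN are set, so
# any of the six tests printing the path means the key is over-shared.
credentials_file_ok() {
  f=$1
  [ -f "$f" ] || { echo "no such key file: $f" >&2; return 1; }
  leaked=$(find "$f" \( -perm -004 -o -perm -002 -o -perm -001 \
                        -o -perm -040 -o -perm -020 -o -perm -010 \) -print)
  [ -z "$leaked" ] || { echo "key file $f is group/world accessible; run chmod 600" >&2; return 1; }
}

# Returns 0 when the key sits outside any git work tree (nothing to leak
# into) or when git reports it as ignored; returns 1 when git would be
# willing to track it, i.e. the path is missing from .gitignore.
key_is_ignored() {
  f=$1
  dir=$(dirname "$f")
  git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1 || return 0
  git -C "$dir" check-ignore -q "$(basename "$f")" \
    || { echo "key file $f is not ignored by git; add it to .gitignore" >&2; return 1; }
}

# Usage, with the exports from the page in place:
#   credentials_file_ok "$TF_VAR_credentials_path" \
#     && key_is_ignored "$TF_VAR_credentials_path" \
#     && terraform init -reconfigure ...
```

Run the two checks before terraform init; either one failing is a reason to fix the file (chmod 600, add a .gitignore entry) rather than to proceed, since the key grants the Editor role on the whole project.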

export TF_VAR_environment="dev"
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path=<PATH_TO_CREDENTIALS_FILE>   # example: export TF_VAR_credentials_path=terragoat_credentials.json

# Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}


Deploy TerraGoat (GCP):

cd terraform/gcp/

terraform init -reconfigure \
    -backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
    -backend-config="credentials=$TF_VAR_credentials_path" \
    -backend-config="prefix=terragoat/${TF_VAR_environment}"

terraform apply

To remove TerraGoat (GCP):

terraform destroy

Project address