What is TerraGoat?
TerraGoat is a deliberately vulnerable Terraform learning environment. Every security flaw in it was left in on purpose by its developers, so that researchers and engineers can study Terraform-related weaknesses in a controlled setting.
TerraGoat demonstrates many of the common Terraform misconfigurations that, in a real deployment, give an attacker a path into the target cloud environment.
It is aimed at DevSecOps teams (DevSecOps combines people, processes and tooling to embed security into the existing development process, so that security issues are found early rather than after release, and security becomes everyone's responsibility instead of the security team's alone). With TerraGoat such a team can design and test sustainable misconfiguration-prevention policies, for example by using the repository as a policy-as-code test fixture for tools such as Bridgecrew and Checkov.
In short, TerraGoat is a training ground for Terraform on which to practice secure infrastructure-as-code development for the cloud.
Note: TerraGoat creates AWS (or Azure/GCP) resources in your account that contain security flaws. Do not deploy TerraGoat into a production environment or into any account that holds sensitive data.
Requirements
Terraform 0.12
AWS CLI (for the AWS deployment)
Azure CLI (for the Azure deployment)
Google Cloud SDK with gsutil (for the GCP deployment)
Installation
AWS configuration
You can deploy multiple TerraGoat stacks in one AWS account by varying the TF_VAR_environment variable.
First, create an S3 bucket to serve as the Terraform state backend. The state file records every resource Terraform manages and can contain secrets, so it is versioned and encrypted at rest:
export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-west-2"
aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
--region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region
# Enable versioning
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled
# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
"Rules": [
{
"ApplyServerSideEncryptionByDefault": {
"SSEAlgorithm": "aws:kms"
}
}
]
}'
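The bucket bootstrap above runs against whatever AWS profile happens to be active, which is exactly how a deliberately vulnerable stack ends up in the wrong account. The script below is an added example, not part of the TerraGoat project: it wraps the same bootstrap in an account allow-list check, handles the us-east-1 quirk (that region rejects a LocationConstraint), and adds a public-access block to the state bucket. The TERRAGOAT_SANDBOX_ACCOUNTS variable is an assumption introduced here; the other variable names are the page's own.

```bash
#!/usr/bin/env bash
# Added example: bootstrap a Terraform state bucket for a TerraGoat sandbox
# with guard rails around a deliberately vulnerable deployment.
# Not part of the TerraGoat project. TERRAGOAT_SANDBOX_ACCOUNTS is an
# assumed variable of this example (comma-separated AWS account ids).
set -euo pipefail

# Backend key in the same form the page's terraform init uses.
tfstate_key() {                      # $1 company, $2 environment
  printf '%s-%s.tfstate\n' "$1" "$2"
}

# us-east-1 rejects a LocationConstraint; every other region requires one.
bucket_location_args() {             # $1 region
  if [ "$1" = "us-east-1" ]; then
    printf ''
  else
    printf '%s' "--create-bucket-configuration LocationConstraint=$1"
  fi
}

# Refuse to continue unless the caller's account is in an explicit sandbox
# allow-list, so TerraGoat cannot be applied to production via a stale profile.
require_sandbox_account() {          # $1 account id, $2 comma-separated allow-list
  case ",$2," in
    *",$1,"*) return 0 ;;
    *) echo "account $1 is not in TERRAGOAT_SANDBOX_ACCOUNTS; refusing" >&2
       return 1 ;;
  esac
}

bootstrap_state_bucket() {
  : "${TERRAGOAT_STATE_BUCKET:?set to the state bucket name}"
  : "${TF_VAR_region:?set to the AWS region}"
  : "${TERRAGOAT_SANDBOX_ACCOUNTS:?comma-separated sandbox account ids}"

  local account
  account=$(aws sts get-caller-identity --query Account --output text)
  require_sandbox_account "$account" "$TERRAGOAT_SANDBOX_ACCOUNTS"

  # shellcheck disable=SC2046  # word-splitting the optional location args is intended
  aws s3api create-bucket --bucket "$TERRAGOAT_STATE_BUCKET" --region "$TF_VAR_region" \
    $(bucket_location_args "$TF_VAR_region")
  aws s3api put-bucket-versioning --bucket "$TERRAGOAT_STATE_BUCKET" \
    --versioning-configuration Status=Enabled
  aws s3api put-bucket-encryption --bucket "$TERRAGOAT_STATE_BUCKET" \
    --server-side-encryption-configuration \
    '{"Rules":[{"ApplyServerSideEncryptionByDefault":{"SSEAlgorithm":"aws:kms"}}]}'
  # State files hold resource ids and can hold secrets: never let the bucket go public.
  aws s3api put-public-access-block --bucket "$TERRAGOAT_STATE_BUCKET" \
    --public-access-block-configuration \
    BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
  # Print the state key this bucket will hold for the current stack.
  tfstate_key "${TF_VAR_company_name:?}" "${TF_VAR_environment:?}"
}

# Only touch AWS when explicitly asked, so the file can be sourced for its helpers.
if [ "${1:-}" = "--bootstrap" ]; then
  bootstrap_state_bucket
fi
```

Run it as `TERRAGOAT_SANDBOX_ACCOUNTS=111122223333 ./bootstrap.sh --bootstrap` after exporting the same variables as above; the allow-list check is deliberately a hard failure rather than a warning, since the whole point of the page's note is that this stack must never reach a real account.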
Next, deploy TerraGoat (AWS):
cd terraform/aws/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply
To remove TerraGoat (AWS):
terraform destroy
You can also create several TerraGoat AWS stacks in one go. Because each iteration re-initialises the same working directory with a different backend key, init is run with -reconfigure; without it Terraform 0.12 detects the backend change and prompts to migrate the previous stack's state into the new key.
cd terraform/aws/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init -reconfigure \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform apply -auto-approve
done
To delete the multiple TerraGoat AWS stacks created above (the same variables must still be exported):
cd terraform/aws/
export TF_VAR_environment=$TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
export TF_VAR_environment=$TERRAGOAT_ENV$i
terraform init -reconfigure \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"
terraform destroy -auto-approve
done
Azure configuration
You can deploy multiple TerraGoat stacks in one Azure subscription by varying the TF_VAR_environment variable.
First, create an Azure storage account to serve as the Terraform state backend:
export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG"
export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa"
export TERRAGOAT_STATE_CONTAINER="mydevsecops"
export TF_VAR_environment="dev"
export TF_VAR_region="westus"
# Create resource group
az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP
# Create storage account
az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob
# Get storage account key (a shared key grants full access to the account; keep it out of shell history and logs)
ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv)
# Create blob container
az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY
Deploy TerraGoat (Azure):
cd terraform/azure/
terraform init -reconfigure \
-backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \
-backend-config="storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \
-backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \
-backend-config="key=$TF_VAR_environment.terraform.tfstate"
terraform apply
Remove TerraGoat (Azure):
terraform destroy
GCP configuration
You can deploy multiple TerraGoat stacks in one GCP project by varying the TF_VAR_environment variable.
Terraform needs a GCP service account and a key for it. If you do not have one, create it by hand:
1. Open your GCP project and go to "IAM" -> "Service Accounts".
2. Click "CREATE SERVICE ACCOUNT".
3. Enter a service account name (e.g. "terragoat") and click "CONTINUE".
4. Grant the service account the "Editor" role and click "CONTINUE".
5. Click "DONE".
To create a key for it:
1. In "IAM > Service Accounts", click the service account you just created.
2. Click "ADD KEY > Create new key > JSON", then "CREATE". A .json key file is downloaded; place it in the terraform/gcp directory on your machine. This file is a long-lived credential for an Editor-level account, so keep it out of version control.
Then create a GCS bucket to serve as the Terraform state backend:
export TF_VAR_environment="dev"
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path=<PATH_TO_CREDENTIALS_FILE> # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=<YOUR_PROJECT_NAME_HERE>
# Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
Deploy TerraGoat (GCP):
cd terraform/gcp/
terraform init -reconfigure \
-backend-config="bucket=$TF_TERRAGOAT_STATE_BUCKET" \
-backend-config="credentials=$TF_VAR_credentials_path" \
-backend-config="prefix=terragoat/${TF_VAR_environment}"
terraform apply
To remove TerraGoat (GCP):
terraform destroy
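The GCP steps above leave a service-account key file sitting inside the terraform/gcp working tree, next to code that is meant to be committed and shared. The script below is an added example, not part of the TerraGoat project: it recognises a GCP service-account key by its "type": "service_account" and "private_key" fields and can be wired in as a git pre-commit hook to block the commit. The file names and the sample key in the self-check are constructed for this example (the private key is a placeholder string, not real key material).

```bash
#!/usr/bin/env bash
# Added example: refuse to commit a GCP service-account key from a Terraform
# working tree such as terraform/gcp. Not part of the TerraGoat project;
# sample paths and the placeholder key below are constructed for this example.
set -euo pipefail

# A downloaded service-account key is JSON with "type": "service_account" and an
# embedded private key. Require both so an ordinary variables file passes.
is_gcp_sa_key() {                    # $1 path; exit 0 when the file looks like a key
  grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" 2>/dev/null &&
  grep -q '"private_key"[[:space:]]*:' "$1" 2>/dev/null
}

# Read paths (one per line) on stdin, print the offenders, exit 1 if any were found.
find_sa_keys() {
  local path found=0
  while IFS= read -r path; do
    [ -f "$path" ] || continue
    case "$path" in *.json) ;; *) continue ;; esac
    if is_gcp_sa_key "$path"; then
      echo "$path"
      found=1
    fi
  done
  [ "$found" -eq 0 ]
}

# Pre-commit hook body: check staged files, block the commit on a hit.
precommit_check() {
  local offenders
  if offenders=$(git diff --cached --name-only --diff-filter=AM | find_sa_keys); then
    return 0
  fi
  echo "refusing to commit GCP service-account key(s):" >&2
  echo "$offenders" >&2
  echo "add them to .gitignore, and rotate the key if it was ever pushed" >&2
  return 1
}

# Self-check with constructed sample files (placeholder key, not real material).
demo() {
  local dir
  dir=$(mktemp -d)
  cat > "$dir/terragoat_credentials.json" <<'EOF'
{
  "type": "service_account",
  "project_id": "example-project",
  "private_key_id": "0000000000000000000000000000000000000000",
  "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
  "client_email": "terragoat@example-project.iam.gserviceaccount.com"
}
EOF
  printf '{"environment": "dev", "region": "us-central1"}\n' > "$dir/vars.json"
  printf '%s\n%s\n' "$dir/terragoat_credentials.json" "$dir/vars.json" | find_sa_keys || true
  rm -rf "$dir"
}

case "${1:-}" in
  --demo) demo ;;             # prints only the constructed credentials file
  --hook) precommit_check ;;  # install as .git/hooks/pre-commit calling this with --hook
esac
```

Run `./check_sa_keys.sh --demo` to see it flag the sample key and ignore the plain variables file. A hook like this is a backstop, not a substitute for listing `*credentials*.json` in .gitignore; if a key does leak, rotating it in the GCP console is the fix, since deleting the commit does not revoke the credential.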
Project address