Kustomize gets Policy as Code with Terrascan

Most organizations – in fact, over 78% – leverage Kubernetes in their move to cloud-native applications. This powerful and flexible platform enables teams to deploy and manage sophisticated systems while delivering innovation to market faster than ever. Unfortunately, that power and flexibility often require significant care and effort, especially as apps migrate through their lifecycle. Each new environment may require configuration and connectivity changes which need to be tracked and managed.

Kustomize helps teams address these challenges by providing a way to tweak configurations based on declarative overrides. It works great for building environment-specific configurations into automated processes without adding brittle pre-processing steps or managing external properties and templates.

Given the popularity of Kustomize and Kubernetes – they are regularly downloaded millions of times each month – we’re excited to include support for both Kustomize and Kubernetes in release 1.2.0 of Terrascan.

Terrascan is an open source tool with an extensible architecture that lets teams enforce policies and compliance across many types of IaC, and it has supported Kubernetes for some time now. With the addition of Kustomize support, it now understands Kustomize-managed configurations and can deliver more accurate and relevant results. Policy as Code guardrails are a best practice for cloud native development, and this is just one more example of Terrascan’s commitment to delivering that capability for the most popular technologies.

Kustomize and Terrascan: Getting Started

Getting started with Terrascan is easy, regardless of whether you use the portable Go binary, a Docker container, or you build from source. The command line interface works well in many contexts, regardless of whether you want to run from a shell, a script, or in a pipeline.

Start in the directory where your Kustomize project is stored and launch Terrascan:

terrascan scan -i kustomize

Kustomize support is implemented as a new IaC provider, leveraging Terrascan’s extensible architecture. The “scan” command scans the IaC files it finds, and the “-i” option selects the Kustomize IaC provider.

Terrascan defaults to scanning from the current directory, and you can add the -d option one or more times if you would like to scan other directories. The output will be sent to the terminal in YAML format by default, and includes a summary of the results as well as the details needed to prioritize and fix the findings. The structured output works well for programmatic processing and is easy for humans to read.

Please tell us what you’d like to see next! Feedback is always welcome in our Community Discord or via Terrascan GitHub Issues.

Terrascan extends Policy as Code to Kubernetes

Accurics is excited to announce Terrascan v1.1.0, with Kubernetes (k8s) support! Cloud native apps and infrastructure are notoriously complex and difficult to secure with traditional tools, and Kubernetes adds automation and orchestration that escalate those problems to another level. Practically speaking, security automation is mandatory because it’s not realistic to expect humans to comprehend such complex, dynamic environments.

Terrascan is an extensible, open source tool that enables teams to detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure. By adding k8s support to Terrascan, we’re ensuring that all teams, regardless of budget, have access to the tools they need to secure their cloud native apps and infrastructure well before they are ever deployed in the cloud.

Release 1.1.0 works with k8s YAML and JSON configurations, and includes policies for security risks present in those files. Future releases will add support for k8s infrastructure managed through other IaC providers such as Terraform.

Using Terrascan with Kubernetes

Terrascan is usually run as a portable Go binary or a Docker container. Its command line interface can easily be adapted to run from a terminal, a script, from within a pipeline, and in numerous other contexts. To use it, simply run terrascan from the directory where your Kubernetes project lives.

terrascan scan -t k8s

Terrascan defaults to scanning YAML and JSON files in the current directory and subdirectories. If your project spans multiple directories, you can use the -d option one or more times to specify which directories to scan.

By default, output is sent to the terminal in YAML format.

The structured output includes a summary of the results as well as the details needed to prioritize and fix the findings. It’s suitable for humans to read, and for programmatic processing.
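The structured output is where pipeline automation starts, for both the Kustomize and the plain Kubernetes scans described above. What follows is an added example, not code from Terrascan or Accurics: a small Python gate that reads a Terrascan JSON report, lists the findings most severe first, and fails the job when anything at or above a chosen severity is left unaccepted. It assumes the report shape Terrascan produces when asked for JSON output (a results object holding a violations list and a count summary) and the field names shown in the sample; check both against the release you run. The embedded report is constructed for this example and its rule ids are placeholders, not real Terrascan rule ids.

```python
"""Gate a CI job on a Terrascan JSON report.

Added example, not Terrascan's own code. The report layout (results ->
violations / count, and the per-finding field names) is an assumption
modelled on Terrascan's JSON output; the sample below is constructed.
"""
import json
import sys
from collections import Counter

# Ranking used to compare a finding's severity against the gate threshold.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Constructed sample report; rule ids are placeholders for this example.
SAMPLE_REPORT = json.dumps({"results": {
    "violations": [
        {"rule_name": "privilegedContainer", "rule_id": "EX-K8S-001",
         "severity": "HIGH", "category": "Container Security",
         "description": "container runs with privileged: true",
         "resource_name": "web", "resource_type": "kubernetes_deployment",
         "file": "overlays/prod/deployment.yaml", "line": 14},
        {"rule_name": "noResourceLimits", "rule_id": "EX-K8S-002",
         "severity": "MEDIUM", "category": "Resource Management",
         "description": "container has no CPU or memory limits",
         "resource_name": "web", "resource_type": "kubernetes_deployment",
         "file": "overlays/prod/deployment.yaml", "line": 14},
        {"rule_name": "missingOwnerLabel", "rule_id": "EX-K8S-003",
         "severity": "LOW", "category": "Operations",
         "description": "workload has no owner label",
         "resource_name": "web", "resource_type": "kubernetes_deployment",
         "file": "base/deployment.yaml", "line": 3},
    ],
    "count": {"low": 1, "medium": 1, "high": 1, "total": 3},
}})


def parse_report(text):
    """Return the violation list from a report (assumed results/violations shape)."""
    report = json.loads(text)
    return report.get("results", {}).get("violations", []) or []


def count_by_severity(violations):
    """Tally findings per severity, upper-casing so 'high' and 'HIGH' match."""
    return Counter(v.get("severity", "").upper() for v in violations)


def gate(violations, fail_on="HIGH", accepted_rules=()):
    """Decide whether the pipeline may proceed.

    A finding blocks when its severity is at or above `fail_on` and its
    rule_id is not in `accepted_rules` (risk-accepted rules belong there,
    with a ticket reference, rather than being edited out of the report).
    Returns (passed, blocking_findings).
    """
    if fail_on.upper() not in SEVERITY_RANK:
        raise ValueError(f"unknown severity threshold: {fail_on}")
    threshold = SEVERITY_RANK[fail_on.upper()]
    accepted = set(accepted_rules)
    blocking = [v for v in violations
                if SEVERITY_RANK.get(v.get("severity", "").upper(), 0) >= threshold
                and v.get("rule_id") not in accepted]
    return (len(blocking) == 0, blocking)


def format_findings(violations):
    """One line per finding, most severe first, for a job log."""
    ordered = sorted(violations,
                     key=lambda v: -SEVERITY_RANK.get(v.get("severity", "").upper(), 0))
    return [f"[{v['severity']}] {v['rule_id']} {v['resource_type']}.{v['resource_name']} "
            f"({v['file']}:{v['line']}): {v['description']}" for v in ordered]


def main(argv):
    """Usage: gate.py <report.json | -> [HIGH|MEDIUM|LOW]; no args runs the sample."""
    if len(argv) < 2:
        print("no report given, running against the constructed sample")
        text = SAMPLE_REPORT
    elif argv[1] == "-":
        text = sys.stdin.read()
    else:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    fail_on = argv[2] if len(argv) > 2 else "HIGH"
    violations = parse_report(text)
    for line in format_findings(violations):
        print(line)
    print("summary:", dict(count_by_severity(violations)))
    passed, blocking = gate(violations, fail_on)
    print("gate:", "PASS" if passed else f"FAIL ({len(blocking)} blocking)")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Pipe a scan into it (for example terrascan scan -i kustomize -o json | python gate.py - HIGH) and key the job on the exit status. Keeping accepted rule ids in the gate rather than suppressing them in the scanner keeps every risk acceptance visible in the place that enforces it.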

We’re just getting started, and we’re excited about the opportunity to help teams secure their cloud native apps and infrastructure. Join us in the Community Discord for more Terrascan tips and tricks, and stay tuned for more exciting announcements about new technologies and policies that cover even more of the cloud native landscape.

Terrascan Leverages OPA to Make Policy as Code Extensible

I’m really excited about our release of Terrascan v1.0!

Brief history of Terrascan and Accurics

When I created Terrascan, I was working on a big cloud migration project, doing assessments on my employer’s cloud security posture. One of the most tedious parts of the job was manually reviewing Terraform to ensure it adhered to security best practices. My second child was born, and I was having sleepless nights during my paternity leave.

I kept thinking about the problem we had where developers relied on security experts to help them secure their Infrastructure as Code (IaC). I thought that there should be a way to automatically scan IaC similar to what we were doing for application code (e.g. Java, Python, C#, etc.), where we had static code analysis tools to give developers immediate feedback on security risks.

At the time, I couldn’t find any existing tools that could scan Terraform and meet the requirements I had. So I put something together with some Python packages that worked with Terraform HCL, some regexes, and that’s how Terrascan was born. The project was really useful and I decided that the best way to maintain a project like this would be to open source it.

A couple of months ago, I joined Accurics to start the next phase in Terrascan’s journey. We have a lot of exciting ideas for Terrascan, and perhaps a few surprises in store. The release of v1.0 is the first step on that path.

New features, Extensibility

Terrascan was initially designed to serve a specific need: static analysis of Terraform templates for the security risks my applications faced. A primary goal of Terrascan v1.0 is extensibility. We’ve introduced a pluggable architecture that can use the same approach to scan Terraform, AWS CloudFormation, Kubernetes and any other type of IaC tooling. We will be adding new configuration languages in the future, and it’s easy to extend to your needs.

In addition to allowing multiple input formats, we wanted to have a standardized way to create and apply policies across these IaC tools. So we replaced the regular expression based rules with the Open Policy Agent (OPA) engine from the CNCF. Using the Rego policy language it’s easy to create, modify, or extend the policies that apply to your specific needs.

The new architecture uses a common intermediate language for IaC, so that the 500+ policies we’re initially releasing with v1.0 across AWS, GCP, and Azure can be applied in a provider-agnostic way. This means, for example, that the policy we wrote to detect public S3 buckets can be used when scanning Terraform, CloudFormation, or any other IaC language that provisions AWS resources.

With v1.0 we’re also introducing server mode. This lets you run Terrascan as a server whose API scans any IaC sent to it against the configured policies. With this capability, Terrascan can act as the central hub of policy enforcement across your organization.

Given this new extensibility, we wanted to ensure that users have a place to share ideas and experience. So the release of Terrascan v1.0 is accompanied by the launch of the Accurics Community, a place for users of Terrascan and other Accurics solutions to discuss and collaborate. Please check it out, and remember that it’s only as useful as what you put into it.

Dedicated to open source, vision for future

Security is an important, foundational concern of any cloud project, and open source tools like Terrascan help to standardize and democratize security in a way that anyone can contribute to. It benefits all organizations, and the community itself, to have security policies exposed for everyone to look at so we can quickly identify the best practices, and then apply those consistently across all applications.

Be safe.

Securing Infrastructure as Code Using Terrascan

I remember one of my first public cloud projects. We created a cross functional team that included representatives from the business, developers, architects, security, and operations. The goal was to have a minimum viable product for an important customer facing system as our first cloud native deployment in 12 weeks.

At first the task seemed daunting. There was a lot to learn and implement in a short period of time, and as the representative of the security team, I wanted to make sure security was embedded into every decision we made.

That meant having a scalable way to review and provision network security settings and configuration, identity and access management policies, and ensuring that any cloud resource was configured following security best practices.

IaC Benefits

Around that time I discovered a tool called Terraform and the concept of Infrastructure as Code (IaC). Using Terraform we were able to quickly provision our infrastructure in a consistent manner where the code to provision our infrastructure lived side by side to our application code.

At the same time, using Terraform to provision and manage the security of our cloud environment meant that development teams had greater visibility into how the security of the infrastructure was configured, how it affected our application, and they were empowered to submit pull requests if there were any changes needed.

This was a huge benefit compared to the way things were done in our on-premises data center, where we used ticketing systems to engage the security team and, from the developers’ perspective, security was a black box handled by a siloed team.

The Challenge

Although IaC empowered our development teams to take ownership of their infrastructure and devops lifecycle, it also presented some challenges. Our architecture was increasingly complex due to being in a hybrid environment and the pace of change was increasing as we increased our cloud adoption.

Security defects in our IaC could be amplified and replicated across the environment if we didn’t have a way to review or control changes. Issues like exposing a private network to the public internet, not encrypting sensitive data at rest, or missing access logs could put the environment and the business at risk.

What’s Terrascan?

As I thought about these issues I realized that the same techniques we were using for our application’s code like static code analysis could be used to identify security weaknesses in our IaC. This would ensure security best practices were embedded as early as possible into the development lifecycle.

To solve this I developed Terrascan. Terrascan is an open source static code analyzer for Terraform. It helps you test your Terraform code to find security weaknesses including:

  • Server-side encryption not enabled or misconfigured
  • AWS Key Management Service (KMS) customer managed keys (CMKs) not used for encryption
  • Encryption in transit (SSL/TLS) not enabled or not configured properly
  • Security groups open to the public internet
  • Inadvertent public exposure of cloud services
  • Access logs not enabled on resources that support them

Using Terrascan

To install Terrascan, you’ll need Python 3.6 or later installed in your system.

$ pip install terrascan
Collecting terrascan
  Downloading terrascan-0.2.1-py2.py3-none-any.whl (28 kB)
Requirement already satisfied: pyhcl>=0.4.4 in ./.pyenv/versions/3.7.5/envs/terrascan/lib/python3.7/site-packages (from terrascan) (0.4.4)
Installing collected packages: terrascan
Successfully installed terrascan-0.2.1

Now that you have Terrascan installed, let’s scan some code. Here’s an example aws_s3_bucket resource that is missing server-side encryption.

resource "aws_s3_bucket" "my_insecure_s3_bucket" {
  bucket = "my-insecure-s3-bucket"

  logging {
    target_bucket = "logging_bucket"
    target_prefix = "log/"
  }

  tags = {
    Name        = "my-insecure-s3-bucket"
    Environment = "production"
  }
}

Here are the results of running Terrascan against that resource.

$ terrascan -l .
Logging level set to error.
........................................................................
----------------------------------------------------------------------
Ran 72 tests in 0.005s

OK

Processed 1 files in /Users/therasec/test/.

Processed on 06/20/2020 at 22:45
Results (took 0.26 seconds):

Failures: (1)
[high] [aws_s3_bucket.my_insecure_s3_bucket] should have property: 'server_side_encryption_configuration' in module ., file /Users/therasec/test/./s3.tf

Errors: (0)

As you can see, Terrascan detected that the S3 bucket resource is missing the “server_side_encryption_configuration” block.
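The finding above is a check on one Terraform attribute from the 0.2.x, regex-based era. The v1.0 post earlier on this page describes the next step: a common intermediate form so that one policy covers every IaC dialect that provisions the resource. The following is an added example, not Terrascan’s own code, that illustrates both passages in Python. It takes the bucket above in Terraform’s JSON syntax (the .tf.json form of the HCL shown), adds a constructed CloudFormation template, normalises both into one shape ({"aws_s3_bucket": [{"id", "source", "config"}]}, modelled on what Terrascan hands to its Rego policies, which is an assumption), and runs two S3 policies over the merged input. The normalisers are a deliberately small mapping of S3 encryption properties written for this example, not Terrascan’s loader, and the rule ids are placeholders.

```python
"""One policy, several IaC dialects, via a shared intermediate form.

Added example, not Terrascan's code. The intermediate shape is an
assumption modelled on Terrascan's Rego input; the CloudFormation
template and the second Terraform bucket are constructed for the example.
"""
import json

# Terraform JSON syntax (.tf.json) for the insecure bucket shown above, plus
# a constructed second bucket that encrypts with an S3-managed AES256 key.
TERRAFORM_JSON = json.dumps({"resource": {"aws_s3_bucket": {
    "my_insecure_s3_bucket": {
        "bucket": "my-insecure-s3-bucket",
        "logging": {"target_bucket": "logging_bucket", "target_prefix": "log/"}},
    "aes_bucket": {
        "bucket": "my-aes-bucket",
        "server_side_encryption_configuration": {"rule": {
            "apply_server_side_encryption_by_default": {"sse_algorithm": "AES256"}}}},
}}})

# Constructed CloudFormation template: one bucket encrypted with a KMS
# customer managed key, one bucket with no encryption at all.
CLOUDFORMATION_JSON = json.dumps({"Resources": {
    "EncryptedBucket": {"Type": "AWS::S3::Bucket", "Properties": {
        "BucketName": "my-encrypted-s3-bucket",
        "BucketEncryption": {"ServerSideEncryptionConfiguration": [
            {"ServerSideEncryptionByDefault": {
                "SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "alias/example-cmk"}}]}}},
    "PlainBucket": {"Type": "AWS::S3::Bucket",
                    "Properties": {"BucketName": "my-plain-bucket"}},
}})

CFN_TYPE_MAP = {"AWS::S3::Bucket": "aws_s3_bucket"}  # only S3 is mapped here


def normalize_terraform(text):
    """Terraform JSON -> {resource_type: [{id, source, config}]}; Terraform's
    own attribute names serve as the intermediate vocabulary."""
    ir = {}
    for rtype, instances in json.loads(text).get("resource", {}).items():
        for name, body in instances.items():
            ir.setdefault(rtype, []).append(
                {"id": f"{rtype}.{name}", "source": "terraform", "config": body})
    return ir


def normalize_cloudformation(text):
    """CloudFormation -> the same shape, renaming S3 encryption properties to
    the Terraform-style keys the policies expect (illustrative mapping)."""
    ir = {}
    for logical_id, res in json.loads(text).get("Resources", {}).items():
        rtype = CFN_TYPE_MAP.get(res.get("Type"))
        if rtype is None:
            continue  # resource types this example does not model
        props = res.get("Properties", {})
        config = {"bucket": props.get("BucketName")}
        sse = props.get("BucketEncryption", {}).get("ServerSideEncryptionConfiguration")
        if sse:
            config["server_side_encryption_configuration"] = {"rule": [
                {"apply_server_side_encryption_by_default": {
                    "sse_algorithm": r.get("ServerSideEncryptionByDefault", {}).get("SSEAlgorithm"),
                    "kms_master_key_id": r.get("ServerSideEncryptionByDefault", {}).get("KMSMasterKeyID"),
                }} for r in sse]}
        ir.setdefault(rtype, []).append(
            {"id": f"{rtype}.{logical_id}", "source": "cloudformation", "config": config})
    return ir


def _sse_rules(config):
    """SSE rule blocks as a list (a single block is a dict in Terraform JSON)."""
    rules = (config.get("server_side_encryption_configuration") or {}).get("rule", [])
    return rules if isinstance(rules, list) else [rules]


# Policies take the intermediate form and return the resource ids they flag.
# They are plain Python here; Terrascan v1.0 expresses the same logic in Rego.
def s3_missing_sse(ir):
    return [b["id"] for b in ir.get("aws_s3_bucket", []) if not _sse_rules(b["config"])]


def s3_sse_without_kms_cmk(ir):
    flagged = []
    for b in ir.get("aws_s3_bucket", []):
        for rule in _sse_rules(b["config"]):
            d = rule.get("apply_server_side_encryption_by_default", {})
            if d.get("sse_algorithm") != "aws:kms" or not d.get("kms_master_key_id"):
                flagged.append(b["id"])
                break
    return flagged


POLICIES = [("EX-S3-SSE", "high", s3_missing_sse),  # placeholder rule ids
            ("EX-S3-CMK", "medium", s3_sse_without_kms_cmk)]


def evaluate(*irs):
    """Merge the per-dialect inputs and run every policy once over the result;
    each finding records its source dialect, so one rule is seen firing on
    Terraform and CloudFormation alike."""
    merged = {}
    for ir in irs:
        for rtype, resources in ir.items():
            merged.setdefault(rtype, []).extend(resources)
    source = {b["id"]: b["source"] for bs in merged.values() for b in bs}
    return [{"rule": rid, "severity": sev, "resource": r, "source": source[r]}
            for rid, sev, fn in POLICIES for r in fn(merged)]


if __name__ == "__main__":
    for f in evaluate(normalize_terraform(TERRAFORM_JSON),
                      normalize_cloudformation(CLOUDFORMATION_JSON)):
        print(f"[{f['severity']}] {f['rule']} {f['resource']} ({f['source']})")
```

The policies never look at which dialect a bucket came from; only the normalisers know about Terraform or CloudFormation spelling. That separation is what lets a policy library grow independently of the list of supported IaC formats.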

Terrascan can be installed as a pre-commit hook to help detect issues before code is pushed into your repository. It can also be integrated into your CI/CD pipeline. You can learn more about Terrascan or contribute at github.com/accurics/terrascan.

Accurics Commitment to Open Source

I am thrilled to join the Accurics team and continue to support Terrascan together. We’re also committed to increasing our contributions to the open source community - you can expect to see more projects from us in the future.