TerraGoat : Vulnerable Terraform Infrastructure

TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Introduction

TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.

TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Important notes

• Where to get help: the Bridge crew Community Slack

Before you proceed please take a not of these warning:

 Terra Goat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.

Requirements

• Terraform 0.12
• aws cli
• azure cli

To prevent vulnerable infrastructure from arriving to production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.

Getting started

AWS Setup

Installation (AWS)

You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment.

Create an S3 Bucket backend to keep Terraform state

export TERRAGOAT_STATE_BUCKET=”mydevsecops-bucket”
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region=”us-west-2″
aws s3api create-bucket –bucket $TERRAGOAT_STATE_BUCKET \
–region $TF_VAR_region –create-bucket-configuration LocationConstraint=$TF_VAR_region
Enable versioning
aws s3api put-bucket-versioning –bucket $TERRAGOAT_STATE_BUCKET –versioning-configuration Status=Enabled
Enable encryption
aws s3api put-bucket-encryption –bucket $TERRAGOAT_STATE_BUCKET –server-side-encryption-configuration ‘{
“Rules”: [
{
“ApplyServerSideEncryptionByDefault”: {
“SSEAlgorithm”: “aws:kms”
}
}
]
}’

Apply TerraGoat (AWS)

cd terraform/aws/
terraform init \
-backend-config=”bucket=$TERRAGOAT_STATE_BUCKET” \
-backend-config=”key=$TF_VAR_company_name-$TF_VAR_environment.tfstate” \
-backend-config=”region=$TF_VAR_region”
terraform apply

Remove TerraGoat (AWS)

terraform destroy

Azure Setup

Installation (Azure)

You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment.

Create an Azure Storage Account backend to keep Terraform state

export TERRAGOAT_RESOURCE_GROUP=”TerraGoatRG”
export TERRAGOAT_STATE_STORAGE_ACCOUNT=”mydevsecopssa”
export TERRAGOAT_STATE_CONTAINER=”mydevsecops”
export TF_VAR_environment=”dev”
export TF_VAR_region=”westus”
Create resource group
az group create –location $TF_VAR_region –name $TERRAGOAT_RESOURCE_GROUP
Create storage account
az storage account create –name $TERRAGOAT_STATE_STORAGE_ACCOUNT –resource-group $TERRAGOAT_RESOURCE_GROUP –location $TF_VAR_region –sku Standard_LRS –kind StorageV2 –https-only true –encryption-services blob
Get storage account key
ACCOUNT_KEY=$(az storage account keys list –resource-group $TERRAGOAT_RESOURCE_GROUP –account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT –query [0].value -o tsv)
Create blob container
az storage container create –name $TERRAGOAT_STATE_CONTAINER –account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT –account-key $ACCOUNT_KEY

GCP Setup

Installation (GCP)

You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment.

Create a GCS backend to keep Terraform state

To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:

• Sign into your GCP project, go to IAM > Service Accounts.
• Click the CREATE SERVICE ACCOUNT.
• Give a name to your service account (for example – terragoat) and click CREATE.
• Grant the Service Account the Project > Editor role and click CONTINUE.
• Click DONE.

To create the credentials:

• Sign into your GCP project, go to IAM > Service Accounts and click on the relevant Service Account.
• Click ADD KEY > Create new key > JSON and click CREATE. This will create a .json file and download it to your computer.

We recommend saving the key with a nicer name than the auto-generated one (i.e. terragoat_credentials.json), and storing the resulting JSON file inside terraform/gcp directory of terragoat. Once the credentials are set up, create the BE configuration as follows:

export TF_VAR_environment=”dev”
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path= # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=
Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}

Apply TerraGoat (GCP)

cd terraform/gcp/
terraform init -reconfigure -backend-config=”bucket=$TF_TERRAGOAT_STATE_BUCKET” \
-backend-config “credentials=$TF_VAR_credentials_path” \
-backend-config “prefix=terragoat/${TF_VAR_environment}”
terraform apply

Remove TerraGoat (GCP)

terraform destroy