TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.
TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
Before you proceed please take a not of these warning:
Terra Goat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
To prevent vulnerable infrastructure from arriving to production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.
You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment
.
export TERRAGOAT_STATE_BUCKET=”mydevsecops-bucket”
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region=”us-west-2″
aws s3api create-bucket –bucket $TERRAGOAT_STATE_BUCKET \
–region $TF_VAR_region –create-bucket-configuration LocationConstraint=$TF_VAR_region
Enable versioning
aws s3api put-bucket-versioning –bucket $TERRAGOAT_STATE_BUCKET –versioning-configuration Status=Enabled
Enable encryption
aws s3api put-bucket-encryption –bucket $TERRAGOAT_STATE_BUCKET –server-side-encryption-configuration ‘{
“Rules”: [
{
“ApplyServerSideEncryptionByDefault”: {
“SSEAlgorithm”: “aws:kms”
}
}
]
}’
Apply TerraGoat (AWS)
cd terraform/aws/
terraform init \
-backend-config=”bucket=$TERRAGOAT_STATE_BUCKET” \
-backend-config=”key=$TF_VAR_company_name-$TF_VAR_environment.tfstate” \
-backend-config=”region=$TF_VAR_region”
terraform apply
Remove TerraGoat (AWS)
terraform destroy
You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment
.
export TERRAGOAT_RESOURCE_GROUP=”TerraGoatRG”
export TERRAGOAT_STATE_STORAGE_ACCOUNT=”mydevsecopssa”
export TERRAGOAT_STATE_CONTAINER=”mydevsecops”
export TF_VAR_environment=”dev”
export TF_VAR_region=”westus”
Create resource group
az group create –location $TF_VAR_region –name $TERRAGOAT_RESOURCE_GROUP
Create storage account
az storage account create –name $TERRAGOAT_STATE_STORAGE_ACCOUNT –resource-group $TERRAGOAT_RESOURCE_GROUP –location $TF_VAR_region –sku Standard_LRS –kind StorageV2 –https-only true –encryption-services blob
Get storage account key
ACCOUNT_KEY=$(az storage account keys list –resource-group $TERRAGOAT_RESOURCE_GROUP –account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT –query [0].value -o tsv)
Create blob container
az storage container create –name $TERRAGOAT_STATE_CONTAINER –account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT –account-key $ACCOUNT_KEY
You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment
.
To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:
IAM
> Service Accounts
.CREATE SERVICE ACCOUNT
.terragoat
) and click CREATE
.Project
> Editor
role and click CONTINUE
.DONE
.To create the credentials:
IAM
> Service Accounts
and click on the relevant Service Account.ADD KEY
> Create new key
> JSON
and click CREATE
. This will create a .json
file and download it to your computer.We recommend saving the key with a nicer name than the auto-generated one (i.e. terragoat_credentials.json
), and storing the resulting JSON file inside terraform/gcp
directory of terragoat. Once the credentials are set up, create the BE configuration as follows:
export TF_VAR_environment=”dev”
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path= # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=
Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
Apply TerraGoat (GCP)
cd terraform/gcp/
terraform init -reconfigure -backend-config=”bucket=$TF_TERRAGOAT_STATE_BUCKET” \
-backend-config “credentials=$TF_VAR_credentials_path” \
-backend-config “prefix=terragoat/${TF_VAR_environment}”
terraform apply
Remove TerraGoat (GCP)
terraform destroy
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…