TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.
TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Bridgecrew & Checkov, inline-linters, pre-commit hooks or other code scanning methods.
TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.
Before you proceed please take a not of these warning:
Terra Goat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.
To prevent vulnerable infrastructure from arriving to production see: Bridgecrew & checkov, the open source static analysis tool for infrastructure as code.
You can deploy multiple TerraGoat stacks in a single AWS account using the parameter TF_VAR_environment
.
export TERRAGOAT_STATE_BUCKET=”mydevsecops-bucket”
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region=”us-west-2″
aws s3api create-bucket –bucket $TERRAGOAT_STATE_BUCKET \
–region $TF_VAR_region –create-bucket-configuration LocationConstraint=$TF_VAR_region
Enable versioning
aws s3api put-bucket-versioning –bucket $TERRAGOAT_STATE_BUCKET –versioning-configuration Status=Enabled
Enable encryption
aws s3api put-bucket-encryption –bucket $TERRAGOAT_STATE_BUCKET –server-side-encryption-configuration ‘{
“Rules”: [
{
“ApplyServerSideEncryptionByDefault”: {
“SSEAlgorithm”: “aws:kms”
}
}
]
}’
Apply TerraGoat (AWS)
cd terraform/aws/
terraform init \
-backend-config=”bucket=$TERRAGOAT_STATE_BUCKET” \
-backend-config=”key=$TF_VAR_company_name-$TF_VAR_environment.tfstate” \
-backend-config=”region=$TF_VAR_region”
terraform apply
Remove TerraGoat (AWS)
terraform destroy
You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter TF_VAR_environment
.
export TERRAGOAT_RESOURCE_GROUP=”TerraGoatRG”
export TERRAGOAT_STATE_STORAGE_ACCOUNT=”mydevsecopssa”
export TERRAGOAT_STATE_CONTAINER=”mydevsecops”
export TF_VAR_environment=”dev”
export TF_VAR_region=”westus”
Create resource group
az group create –location $TF_VAR_region –name $TERRAGOAT_RESOURCE_GROUP
Create storage account
az storage account create –name $TERRAGOAT_STATE_STORAGE_ACCOUNT –resource-group $TERRAGOAT_RESOURCE_GROUP –location $TF_VAR_region –sku Standard_LRS –kind StorageV2 –https-only true –encryption-services blob
Get storage account key
ACCOUNT_KEY=$(az storage account keys list –resource-group $TERRAGOAT_RESOURCE_GROUP –account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT –query [0].value -o tsv)
Create blob container
az storage container create –name $TERRAGOAT_STATE_CONTAINER –account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT –account-key $ACCOUNT_KEY
You can deploy multiple TerraGoat stacks in a single GCP project using the parameter TF_VAR_environment
.
To use terraform, a Service Account and matching set of credentials are required. If they do not exist, they must be manually created for the relevant project. To create the Service Account:
IAM
> Service Accounts
.CREATE SERVICE ACCOUNT
.terragoat
) and click CREATE
.Project
> Editor
role and click CONTINUE
.DONE
.To create the credentials:
IAM
> Service Accounts
and click on the relevant Service Account.ADD KEY
> Create new key
> JSON
and click CREATE
. This will create a .json
file and download it to your computer.We recommend saving the key with a nicer name than the auto-generated one (i.e. terragoat_credentials.json
), and storing the resulting JSON file inside terraform/gcp
directory of terragoat. Once the credentials are set up, create the BE configuration as follows:
export TF_VAR_environment=”dev”
export TF_TERRAGOAT_STATE_BUCKET=remote-state-bucket-terragoat
export TF_VAR_credentials_path= # example: export TF_VAR_credentials_path=terragoat_credentials.json
export TF_VAR_project=
Create storage bucket
gsutil mb gs://${TF_TERRAGOAT_STATE_BUCKET}
Apply TerraGoat (GCP)
cd terraform/gcp/
terraform init -reconfigure -backend-config=”bucket=$TF_TERRAGOAT_STATE_BUCKET” \
-backend-config “credentials=$TF_VAR_credentials_path” \
-backend-config “prefix=terragoat/${TF_VAR_environment}”
terraform apply
Remove TerraGoat (GCP)
terraform destroy
Burrow is an open source tool for burrowing through firewalls, built by teenagers at Hack Club.…
Simple golang webserver that listens for basic auth or post requests and sends a notification…
Nutek Security Platform for macOS and Linux operating systems. Tools for hackers, bug hunters and…
Welcome to SecureSphere Labs, your go-to destination for a curated collection of powerful hacking tools…
All in one Docker-based workstation with hacking tools for Pentesting and offsec Labs by maintained…
Got it! Below is the updated README.md file with instructions for downloading the project on…