Liam and Owen from Aqua Security join us to share their work on the open source static analysis tool, tfsec. They give us an introduction to infrastructure as code with Terraform, then explain the common problems they are trying to solve with tfsec. Finally, they tell us all about getting started with tfsec and getting involved with the project.
Liam Galvin and Owen Rumney are open source developers at Aqua Security. They focus on image and infrastructure security scanning. Both actively work on tfsec, which is the tool we will be focusing on today.
The opposite of infrastructure as code is setting up and maintaining your infrastructure in the cloud console. You will very quickly forget what and how you set up your resources. This is sometimes known as ClickOps.
On the other side, IaC uses tools like AWS CloudFormation, Terraform or Pulumi to give you declarative code which you can execute idempotently. It gives a consistent, repeatable way of defining infrastructure. Checking the code into source control also allows you to review infrastructure changes and scale infrastructure work across multiple teams.
Managing large infrastructures in the console is an almost impossible task, so IaC is the generally preferred solution.
Terraform is a human readable and machine readable language. It is simple and it lets you define all kinds of resources. For example, with a few lines of code you can define an S3 bucket. However, these resources need to be configured correctly, which can be quite a complicated task.
Third party Terraform modules allow us to package up definitions of everything from a simple resource to an entire system. Using industry standard modules is a great way to ensure that your resources are secure as well.
Modules are also a great way to enable teams to do things in a standard way. For example, you could have the central platform team creating a bastion module, which other teams within the same organisation can leverage in their work.
There are a lot of examples where misconfigurations have caused large issues, either compliance or financial ones. Using the example of the S3 bucket, we could set an ACL on the bucket for authenticated reads. We would assume that this means authenticated users in our own account would be able to read the bucket. However, once we read the docs, we'd realise that any user authenticated in any AWS account would be able to read the bucket, which is potentially a huge security issue.
These kinds of issues happen often and are one of the reasons tfsec was created.
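The authenticated-read pitfall described above, as an added example that is not from the original post or the tfsec project: the first bucket carries the misleading ACL, the second is the same bucket locked down. It assumes the AWS provider v4+ resource split (`aws_s3_bucket_acl` as a separate resource) and constructed bucket names; running `tfsec .` over this directory is how you would surface the first bucket.

```hcl
# Constructed example: "authenticated-read" grants READ to the AWS
# "AuthenticatedUsers" group, i.e. ANY signed-in AWS identity in ANY account,
# not just principals in your own account.
resource "aws_s3_bucket" "leaky" {
  bucket = "example-leaky-bucket" # constructed name
}

resource "aws_s3_bucket_acl" "leaky" {
  bucket = aws_s3_bucket.leaky.id
  acl    = "authenticated-read" # misconfiguration: cross-account readable
}

# Hardened form of the same bucket: private ACL plus a public access block,
# so a later ACL or bucket-policy change cannot quietly reopen it.
resource "aws_s3_bucket" "locked_down" {
  bucket = "example-locked-down-bucket" # constructed name
}

resource "aws_s3_bucket_acl" "locked_down" {
  bucket = aws_s3_bucket.locked_down.id
  acl    = "private" # only the bucket owner account has access
}

resource "aws_s3_bucket_public_access_block" "locked_down" {
  bucket                  = aws_s3_bucket.locked_down.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Cross-account reads, if genuinely needed, belong in an explicit bucket policy naming the specific principals rather than in a group ACL.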
tfsec is an open source static code analysis tool written in Go. Terraform itself is written in Go, so tfsec was able to reuse Terraform's own parser to find patterns in configuration. tfsec therefore works in a similar way to the Terraform CLI tool, which makes it reliable. tfsec tries to analyse code as close to the Terraform process as possible, analysing the HCL as Terraform would evaluate it. This makes it easier to resolve the executed state of the code, as opposed to its snapshot state.
Other tools had to use regular expressions instead, which are more difficult to build on. Regular expressions are suitable for easy pattern matching, but an unsustainable approach for more complicated rules.
tfsec also identifies the particular line that causes the misconfiguration, and it can write comments on PRs to let you know what needs fixing. Initially, the checking functionality was built together with the parser. This has since been refactored to analyse an intermediary state of resources, without being tied to provider-specific functionality, making it suitable for a variety of providers.
Terraform has a lot of quickly changing providers. The great community around tfsec steps in and is able to help with making all the required changes. tfsec is released frequently and has a fast turnaround on bug fixes.
If you are using tfsec, you can use the standard checks but also write your own custom checks that suit your needs. The team would be grateful if you could share any checks that might be useful to the rest of the community as well. Recently, tfsec also added support for Rego.
Read more about getting started and writing custom checks.
tfsec integrates with Aqua Security's Trivy, which allows you to scan a wide variety of resources, not just Terraform.
Adelina is a polyglot engineer and developer relations professional, with a decade of technical experience at multiple startups in London. She started her career as a Java backend engineer, converted later to Go, and then transitioned to a full-time developer relations role. She has published multiple online courses about Go on the LinkedIn Learning platform, helping thousands of developers up-skill with Go. She has a passion for public speaking, having presented on cloud architectures at major European conferences. Adelina holds an MSc. Mathematical Modelling and Computing degree.