.tech Podcast - Security scanning using tfsec

Liam and Owen from Aqua Security join us to share their work on the open source static analysis tool, tfsec. They give us an introduction to infrastructure as code with Terraform, then explain the common problems they are trying to solve with tfsec. Finally, they tell us all about getting started with tfsec and getting involved with the project.

Liam Galvin and Owen Rumney are open source developers at Aqua Security. They focus on image and infrastructure security scanning. Both actively work on tfsec, which is the tool we will be focusing on today.

Infrastructure as code (IaC)

The opposite of infrastructure as code is setting up and maintaining your infrastructure in the cloud console. You will very quickly forget what you set up and how. This is sometimes known as ClickOps.

On the other side, IaC uses tools like AWS CloudFormation, Terraform or Pulumi to give you declarative code which you can execute idempotently. It gives a consistent, repeatable way of defining infrastructure. Checking the code into source control also allows you to review infrastructure changes and scale the work across multiple teams.

Managing large infrastructures in the console is an almost impossible task, so IaC is the generally preferred solution.

Terraform as an IaC tool

Terraform's configuration language is both human readable and machine readable. It is simple and it lets you define all kinds of resources. For example, with a few lines of code you can define an S3 bucket. However, these resources need to be configured correctly, which can be quite a complicated task.

Third party Terraform modules allow us to package up definitions of everything from a simple resource to an entire system. Using industry standard modules is a great way to ensure that your resources are secure as well.

Modules are also a great way to enable teams to do things in a standard way. For example, you could have the central platform team creating a bastion module, which other teams within the same organisation can leverage in their work.

Common problems with IaC

There are a lot of examples where misconfigurations have caused large issues, either compliance or financial ones. Using the example of the S3 bucket, we could set an ACL on the bucket for authenticated reads. We would assume that this means authenticated users in our own account would be able to read the bucket. However, once we read the docs, we'd realise that any user authenticated in any AWS account would be able to read the bucket, which could be a potentially huge security issue.
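The pitfall described above, as an added Terraform example that is not from the podcast or the tfsec project: the bucket with the misleading "authenticated-read" ACL beside a hardened one. The bucket names are constructed, and the configuration assumes the AWS provider v3.x syntax, where the ACL is set inline on `aws_s3_bucket` (from provider v4 it moves to a separate `aws_s3_bucket_acl` resource).

```hcl
# Added example, not code from the podcast or tfsec. Bucket names are constructed.
# Assumes AWS provider v3.x (inline "acl" attribute on aws_s3_bucket).

# Misconfigured: the "authenticated-read" canned ACL grants READ to the AWS-wide
# "Authenticated Users" group, i.e. any principal from ANY AWS account, not only
# identities in this account. This is the kind of ACL tfsec flags as public access.
resource "aws_s3_bucket" "reports_insecure" {
  bucket = "example-reports-insecure"
  acl    = "authenticated-read"
}

# Hardened: private ACL, versioning and default encryption. Cross-account access,
# if needed, is granted explicitly through IAM or a bucket policy scoped to known
# account IDs, never through the canned group ACLs.
resource "aws_s3_bucket" "reports" {
  bucket = "example-reports"
  acl    = "private"

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}

# Prevent a later change (or a console edit) from loosening the bucket again via
# public ACLs or public bucket policies.
resource "aws_s3_bucket_public_access_block" "reports" {
  bucket                  = aws_s3_bucket.reports.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Running tfsec over a directory containing only the first resource reports the ACL finding on the exact `acl` line; the second bucket plus its public access block addresses that finding (tfsec may still raise further, lower-severity results such as missing access logging, which is the point of the tool: it checks the declared state rather than what you assumed the ACL name meant).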

These kinds of issues happen often and are one of the reasons tfsec was created.

What is tfsec?

tfsec is an open source static code analysis tool written in Go. Terraform itself is written in Go, so tfsec was able to use its parser to find patterns in configuration. tfsec works in a similar way to the Terraform CLI tool as well, making it a reliable tool. tfsec tries to analyse code as close to the Terraform process as possible, analysing the HCL code after it has been evaluated. This makes it easier to resolve the executed state of the code, as opposed to its snapshot state.

Other tools had to use regular expressions instead, which are more difficult to build on. Regular expressions are suitable for easy pattern matching, but unsustainable for more complicated rules.

tfsec also uses its checks to identify the particular line that causes the misconfiguration. It can write comments on PRs to let you know what needs fixing. Initially, the check functionality was built together with the parser. This has since been refactored to analyse an intermediary state of resources, without being tied to provider-specific functionality, which makes it suitable for a variety of providers.

Maintaining tfsec

Terraform has a lot of quickly changing providers. The great community around tfsec steps in and is able to help with making all the required changes. tfsec is released frequently and has a quick turnaround on bug fixes.

If you are using tfsec, then you can use the standard checks, but also write your own custom checks that suit your needs. The team would be grateful if you could share any checks that might be useful to the rest of the community as well. tfsec has also recently added support for Rego.

Read more about getting started and writing custom checks.

tfsec integrates with Aqua Security's Trivy, which allows you to scan a wide variety of resources, not just Terraform.

Written by

Adelina Simion, Technology Evangelist

Adelina is a polyglot engineer and developer relations professional, with a decade of technical experience at multiple startups in London. She started her career as a Java backend engineer, converted later to Go, and then transitioned to a full-time developer relations role. She has published multiple online courses about Go on the LinkedIn Learning platform, helping thousands of developers up-skill with Go. She has a passion for public speaking, having presented on cloud architectures at major European conferences. Adelina holds an MSc in Mathematical Modelling and Computing.