🚨 Terraform Is Powerful. That’s Exactly Why It’s Dangerous.
With a single command:
terraform apply
I can provision:
- VPC
- EKS Cluster
- IAM Roles
- Security Groups
- Public Endpoints
In minutes.
Now look at this:
cidr_blocks = ["0.0.0.0/0"]
One line.
That’s enough to expose your infrastructure to the entire internet.
No attacker required.
No zero-day exploit needed.
Just misconfiguration.
That’s when I realized:
Infrastructure as Code without security is just automated risk.
So I decided to secure my Terraform AWS EKS project properly.
Repo:
👉 https://github.com/17J/Terraform-AWS-EKS
🎯 The Goal
I didn’t just want scanning.
I wanted:
- ✅ Security before
terraform apply - ✅ Pull Requests blocked if insecure
- ✅ Fully automated DevSecOps workflow
- ✅ No manual dependency
- ✅ Layered security validation
🛠 Step 1 — Break It on Purpose
Before adding tools, I intentionally introduced insecure configurations:
- Open security groups
- Public EKS endpoint
- Missing encryption
- No secrets encryption
- 0.0.0.0/0 ingress rules
- No VPC flow logs
If tools didn’t catch this, they weren’t worth using.
Security tools must prove themselves.
🔎 Step 2 — Checkov (The First Reality Check)
After integrating Checkov into GitHub Actions, I ran the pipeline.
Here’s what it detected:
🔥 Critical Findings:
- CKV_AWS_38 — EKS public endpoint open to 0.0.0.0/0
- CKV_AWS_39 — EKS public endpoint not disabled
- CKV_AWS_58 — Secrets encryption not enabled
- CKV_AWS_382 — Unrestricted security group egress
- CKV_AWS_24 — Open SSH (port 22)
- CKV_AWS_25 — Open RDP (port 3389)
- CKV_AWS_260 — Open HTTP (port 80)
This wasn’t cosmetic.
This was production-level exposure.
Manual review would never consistently catch all of this.
That’s when I understood:
Security scanning is not optional. It’s mandatory.
🔎 Step 3 — Terrascan (Different Engine, Different Perspective)
Then I integrated Terrascan.
Different policy engine.
Different rules.
Different detection logic.
Terrascan JSON Output Example:
It flagged:
- AC_AWS_0369 — VPC Flow Logs Not Enabled
- Logging and Monitoring gaps
- Multiple module-level misconfigurations
Terrascan Summary Report:
From the report:
- Policies Validated: 141
- Violated Policies: 3
- High: 2
- Low: 1
Terrascan caught issues that Checkov didn’t.
That’s when I realized:
Security is layered.
No single tool is enough.
🔎 Step 4 — Trivy (The Underrated Move)
Most engineers use Trivy only for container scanning.
But I ran:
trivy config .
Here’s the result summary:
Trivy scanned:
- Terraform code
- Module directories
- Multiple configuration layers
It identified:
- 6 misconfigurations in EKS module
- 2 misconfigurations in VPC module
One command.
Multiple IaC layers scanned.
This is where the pipeline became powerful.
🧠 The Final Secure Workflow
Here’s what my GitHub Actions pipeline now looks like:
Pull Request
↓
terraform fmt
↓
terraform init
↓
terraform validate
↓
Checkov Scan
↓
Terrascan Scan
↓
Trivy Config Scan
↓
terraform plan
↓
Manual Approval
↓
terraform apply
If any security tool fails → PR fails.
Infrastructure never gets deployed.
That’s the difference between:
DevOps → Automate infrastructure
DevSecOps → Automate secure infrastructure
🧠 What I Learned
Security is not about adding tools.
It’s about:
- Blocking insecure infrastructure early
- Enforcing policy automatically
- Removing human dependency
- Making insecure code impossible to merge
- Layering security validation
Shift Left isn’t a buzzword.
It’s survival.
🔥 Final Thought
Terraform can build your entire cloud in minutes.
If your security isn’t just as fast,
you’re not automating infrastructure.
You’re automating your next breach.
⚠️ Disclaimer
This repository intentionally contains insecure configurations for the purpose of testing security scanners and demonstrating DevSecOps validation workflows.
All misconfigurations were introduced in a controlled environment to validate policy enforcement and security automation.
This project is not intended for production use.
Top comments (0)