Alexander Delgado

Securing Terraform Code with tfsec

What is it?

tfsec is an open source static code analyzer for Terraform code. It reads your Terraform and reports any deviations from best practices. Currently it can check AWS, Azure, and GCP cloud resources, and a few cloud-agnostic checks are now included as well.

Why would I use it?

Terraform allows you to create cloud resources, and even if your Terraform code is valid and applies cleanly it is really easy to create a misconfigured cloud resource. This could lead to a security compromise, leave data exposed publicly, or leave your resources open to attack.

If you're responsible for maintaining the security of your infrastructure or the security posture of your Terraform code, then tfsec is a great tool to run in your CI pipeline. For example, you can run it as a CI step and fail the build if tfsec detects any issues.

Who wrote it?

tfsec was created by Liam Galvin and is on GitHub now with 3 contributors (at the time of writing this) including Liam.

How can I get it?

  • You can install with Homebrew
    brew tap liamg/tfsec
    brew install liamg/tfsec/tfsec
  • You can install with Go
    env GO111MODULE=on go get -u github.com/liamg/tfsec/cmd/tfsec

Usage

One of the great things about tfsec is that it's really easy to get started. Now that we know what tfsec is and how to get it, let's start using it. Below is a Terraform file that creates a standard S3 bucket named tfsec-bucket. It's a small and boring file, but it shows how easy it is to create a misconfigured cloud resource.

    resource "aws_s3_bucket" "b" {
      bucket = "tfsec-bucket"
    }
  1. Create a file called s3_bucket.tf with the above contents and save the file
  2. From the command line run tfsec .

    2 potential problems detected:

    Problem 1

      [AWS002][ERROR] Resource 'aws_s3_bucket.b' does not have logging enabled.
      /tfsec_test/s3_bucket.tf:1-3

           1 | resource "aws_s3_bucket" "b" {
           2 |   bucket = "tfsec-bucket"
           3 | }
           4 | 

      See https://github.com/liamg/tfsec/wiki/AWS002 for more information.

    Problem 2

      [AWS017][ERROR] Resource 'aws_s3_bucket.b' defines an unencrypted S3 bucket (missing server_side_encryption_configuration block).
      /tfsec_test/s3_bucket.tf:1-3

           1 | resource "aws_s3_bucket" "b" {
           2 |   bucket = "tfsec-bucket"
           3 | }
           4 | 

      See https://github.com/liamg/tfsec/wiki/AWS017 for more information.

tfsec tells you:

  • The number of potential problems it found:

2 potential problems detected

  • The rule number of the detected problem:

[AWS002]

  • The resource identifier with the problem:

aws_s3_bucket.b

  • What the problem is:

does not have logging enabled.

  • The file path and the lines where it detected the problem:

/tfsec_test/s3_bucket.tf:1-3

  • The Terraform code of the resource with line numbers:

           1 | resource "aws_s3_bucket" "b" {
           2 |   bucket = "tfsec-bucket"
           3 | }
           4 |

  • A link to more information about the finding:

https://github.com/liamg/tfsec/wiki/AWS002
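The two findings map to two missing blocks in the resource. As an added example (not code from the original post), here is a hardened version of s3_bucket.tf that addresses both AWS002 and AWS017; it assumes an existing, separately hardened log bucket whose name is passed in through the hypothetical variable log_bucket_name, and it uses the inline-block form of aws_s3_bucket from the AWS provider of the time (newer provider versions move these settings into separate resources).

```terraform
# Hypothetical input: name of an existing, separately hardened bucket that receives
# the access logs. Writing logs to the bucket being logged is avoided on purpose.
variable "log_bucket_name" {
  type = string
}

resource "aws_s3_bucket" "b" {
  bucket = "tfsec-bucket"

  # Addresses AWS002: server access logging is enabled and sent to a separate bucket.
  logging {
    target_bucket = var.log_bucket_name
    target_prefix = "log/tfsec-bucket/"
  }

  # Addresses AWS017: every object written to the bucket is encrypted at rest by default.
  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        sse_algorithm = "AES256"
      }
    }
  }
}
```

Running tfsec . again on this file reports no problems for these two rules; because tfsec returns a non-zero exit code when it finds problems, the same command can gate a CI build.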

Summary

Just like everything in security, tfsec should be one layer in your defense-in-depth approach to securing your assets and cloud infrastructure resources, and absolutely not the be-all and end-all of your cloud security.

With that being said, tfsec is a great tool and I'm really glad to see security tooling created and developed around Terraform. Hopefully this made you want to check it out!

Top comments (3)

David J Eddy

Love me some tfsec. Great article Alexander.

Alexander Delgado

Thanks David!

Alexander Delgado

Thanks for sharing!