bridgecrewio/terragoat TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

TerraGoat – Vulnerable Terraform Infrastructure

Maintained by Bridgecrew.io
Terraform Version

TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository.
Terragoat

TerraGoat is Bridgecrew’s “Vulnerable by Design” Terraform repository.
TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments.

Table of Contents

Introduction

TerraGoat was built to enable DevSecOps design and implement a sustainable misconfiguration prevention strategy. It can be used to test a policy-as-code framework like Checkov, inline-linters, pre-commit hooks or other code scanning methods.

TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure.

Important notes

Before you proceed please take a not of these warning:

⚠️ TerraGoat creates intentionally vulnerable AWS resources into your account. DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.

Requirements

  • Terraform 0.12
  • aws cli

To prevent vulnerable infrastructure from arriving to production
see: checkov, the open source static analysis tool for infrastructure as code.

Getting started

Installation

You can deploy multiple TerraGoat stacks in a single AWS account using the parameters TF_VAR_environment and TF_VAR_environment.

Create an S3 bucket backend to keep Terraform state

export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket"
export TF_VAR_company_name=acme
export TF_VAR_environment=mydevsecops
export TF_VAR_region="us-east-1"

aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \
    --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region

# Enable versioning    
aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled

# Enable encryption
aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-encryption-configuration '{
  "Rules": [
    {
      "ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms"
      }
    }
  ]
}'

Apply TerraGoat

cd terraform/
terraform init \
-backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
-backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
-backend-config="region=$TF_VAR_region"

terraform apply

Remove TerraGoat

terraform destroy

Creating multiple TerraGoat stacks

cd terraform/
export TERRAGOAT_ENV=$TF_VAR_environment
export TERRAGOAT_STACKS_NUM=5
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i   
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region" 
    
    terraform apply -auto-approve
done

Deleting multiple TerraGoat stacks

cd terraform/
export TF_VAR_environment = $TERRAGOAT_ENV
for i in $(seq 1 $TERRAGOAT_STACKS_NUM)
do
    export TF_VAR_environment=$TERRAGOAT_ENV$i   
    terraform init \
    -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \
    -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \
    -backend-config="region=$TF_VAR_region" 
    
    terraform destroy -auto-approve
done

Bridgecrew’s IaC heard of goats:

  • CfnGoat – Vulnerable by design Cloudformation template
  • TerraGoat – Vulnerable by design Terraform stack

Contributing

Contribution is welcomed!

We would love to hear about more ideas on how to find vulnerable infrastructure-as-code design patterns.

Support

Bridgecrew builds and maintains TerraGoat to encourage the adoption of policy-as-code.

If you need direct support you can contact us at [email protected].

Existing vulnerabilities (Auto-Generated)

check_id file resource check_name
0 CKV_AWS_46 /ec2.tf aws_instance.web_host Ensure no hard coded AWS access key and and secret key exists in EC2 user data
1 CKV_AWS_8 /ec2.tf aws_instance.web_host Ensure all data stored in the Launch configuration EBS is securely encrypted
2 CKV_AWS_3 /ec2.tf aws_ebs_volume.web_host_storage Ensure all data stored in the EBS is securely encrypted
3 CKV_AWS_4 /ec2.tf aws_ebs_snapshot.example_snapshot Ensure all data stored in the EBS Snapshot is securely encrypted
4 CKV_AWS_24 /ec2.tf aws_security_group.web-node Ensure no security groups allow ingress from 0.0.0.0:0 to port 22
5 CKV_AWS_21 /ec2.tf aws_s3_bucket.flowbucket Ensure all data stored in the S3 bucket have versioning enabled
6 CKV_AWS_52 /ec2.tf aws_s3_bucket.flowbucket Ensure S3 bucket has MFA delete enabled
7 CKV_AWS_19 /ec2.tf aws_s3_bucket.flowbucket Ensure all data stored in the S3 bucket is securely encrypted at rest
8 CKV_AWS_18 /ec2.tf aws_s3_bucket.flowbucket Ensure the S3 bucket has access logging enabled
9 CKV_AWS_21 /s3.tf aws_s3_bucket.data Ensure all data stored in the S3 bucket have versioning enabled
10 CKV_AWS_52 /s3.tf aws_s3_bucket.data Ensure S3 bucket has MFA delete enabled
11 CKV_AWS_19 /s3.tf aws_s3_bucket.data Ensure all data stored in the S3 bucket is securely encrypted at rest
12 CKV_AWS_20 /s3.tf aws_s3_bucket.data S3 Bucket has an ACL defined which allows public READ access.
13 CKV_AWS_18 /s3.tf aws_s3_bucket.data Ensure the S3 bucket has access logging enabled
14 CKV_AWS_21 /s3.tf aws_s3_bucket.financials Ensure all data stored in the S3 bucket have versioning enabled
15 CKV_AWS_52 /s3.tf aws_s3_bucket.financials Ensure S3 bucket has MFA delete enabled
16 CKV_AWS_19 /s3.tf aws_s3_bucket.financials Ensure all data stored in the S3 bucket is securely encrypted at rest
17 CKV_AWS_18 /s3.tf aws_s3_bucket.financials Ensure the S3 bucket has access logging enabled
18 CKV_AWS_52 /s3.tf aws_s3_bucket.operations Ensure S3 bucket has MFA delete enabled
19 CKV_AWS_19 /s3.tf aws_s3_bucket.operations Ensure all data stored in the S3 bucket is securely encrypted at rest
20 CKV_AWS_18 /s3.tf aws_s3_bucket.operations Ensure the S3 bucket has access logging enabled
21 CKV_AWS_52 /s3.tf aws_s3_bucket.data_science Ensure S3 bucket has MFA delete enabled
22 CKV_AWS_19 /s3.tf aws_s3_bucket.data_science Ensure all data stored in the S3 bucket is securely encrypted at rest
23 CKV_AWS_52 /s3.tf aws_s3_bucket.logs Ensure S3 bucket has MFA delete enabled
24 CKV_AWS_18 /s3.tf aws_s3_bucket.logs Ensure the S3 bucket has access logging enabled
25 CKV_AWS_7 /kms.tf aws_kms_key.logs_key Ensure rotation for customer created CMKs is enabled
26 CKV_AWS_16 /db-app.tf aws_db_instance.default Ensure all data stored in the RDS is securely encrypted at rest
27 CKV_AWS_17 /db-app.tf aws_db_instance.default Ensure all data stored in the RDS bucket is not public accessible
28 CKV_AWS_23 /db-app.tf aws_security_group.default Ensure every security groups rule has a description
29 CKV_AWS_23 /db-app.tf aws_security_group_rule.ingress Ensure every security groups rule has a description
30 CKV_AWS_23 /db-app.tf aws_security_group_rule.egress Ensure every security groups rule has a description
31 CKV_AWS_8 /db-app.tf aws_instance.db_app Ensure all data stored in the Launch configuration EBS is securely encrypted
32 CKV_AWS_41 /providers.tf aws Ensure no hard coded AWS access key and and secret key exists in provider
33 CKV_AWS_40 /iam.tf aws_iam_user_policy.userpolicy Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)
34 CKV_AWS_50 /lambda.tf aws_lambda_function.analysis_lambda X-ray tracing is enabled for Lambda
35 CKV_AWS_45 /lambda.tf aws_lambda_function.analysis_lambda Ensure no hard coded AWS access key and and secret key exists in lambda environment