Security and best practices tests for terraform
.. highlight:: shell

=========
Terrascan
=========

.. image:: https://img.shields.io/pypi/v/terrascan.svg
   :target: https://pypi.python.org/pypi/terrascan

.. image:: https://img.shields.io/travis/cesar-rodriguez/terrascan.svg
   :target: https://travis-ci.org/cesar-rodriguez/terrascan

.. image:: https://readthedocs.org/projects/terrascan/badge/?version=latest
   :target: https://terrascan.readthedocs.io/en/latest/?badge=latest
   :alt: Documentation Status

.. image:: https://pyup.io/repos/github/cesar-rodriguez/terrascan/shield.svg
   :target: https://pyup.io/repos/github/cesar-rodriguez/terrascan/
   :alt: Updates

A collection of security and best practice tests for static code analysis of terraform_ templates using terraform_validate_.

.. _terraform: https://www.terraform.io
.. _terraform_validate: https://github.com/elmundio87/terraform_validate

* GitHub Repo: https://github.com/cesar-rodriguez/terrascan
* Documentation: https://terrascan.readthedocs.io.
* Free software: GNU General Public License v3

--------
Features
--------
Terrascan will perform tests on your terraform templates to ensure:

- **Encryption**

  - Server Side Encryption (SSE) enabled
  - Use of AWS Key Management Service (KMS) with Customer Managed Keys (CMK)
  - Use of SSL/TLS and proper configuration

- **Security Groups**

  - Provisioning SGs in EC2-classic
  - Ingress open to 0.0.0.0/0

- **Public Exposure**

  - Services with public exposure other than Gateways (NAT, VGW, IGW)

- **Logging & Monitoring**

  - Access logs enabled to resources that support it

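As an added illustration (not code from the terrascan project), two of the checks listed above, "Ingress open to 0.0.0.0/0" and "Server Side Encryption enabled", written in plain Python against the nested dict that an HCL parser such as pyhcl produces for a template; the template dict and resource names in it are constructed for this example.

```python
# Added example, not part of terrascan: two of the checks listed above,
# "ingress open to 0.0.0.0/0" and "server side encryption enabled", written
# against the nested dict an HCL parser such as pyhcl produces for a template.
# The template dict below is constructed for this example.

CONSTRUCTED_TEMPLATE = {
    "resource": {
        "aws_security_group": {
            "web": {"ingress": [
                {"from_port": 443, "to_port": 443, "protocol": "tcp",
                 "cidr_blocks": ["10.0.0.0/8"]},
                {"from_port": 22, "to_port": 22, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]},
            ]},
            "db": {"ingress": {"from_port": 5432, "to_port": 5432,
                               "protocol": "tcp", "cidr_blocks": ["10.0.1.0/24"]}},
        },
        "aws_ebs_volume": {
            "data": {"size": 100, "encrypted": True},
            "scratch": {"size": 20},  # 'encrypted' omitted: AWS defaults it to false
        },
    },
}


def resources(template, rtype):
    """Return (name, body) pairs for every resource of the given type."""
    return template.get("resource", {}).get(rtype, {}).items()


def as_list(value):
    """HCL parsers return a dict for a single block and a list for repeated ones."""
    return value if isinstance(value, list) else [value]


def open_ingress(template):
    """Ids of security groups with at least one ingress rule open to 0.0.0.0/0."""
    findings = []
    for name, body in resources(template, "aws_security_group"):
        if any("0.0.0.0/0" in rule.get("cidr_blocks", [])
               for rule in as_list(body.get("ingress", []))):
            findings.append("aws_security_group.%s" % name)
    return findings


def unencrypted_volumes(template):
    """Ids of EBS volumes whose 'encrypted' attribute is missing or not true."""
    return ["aws_ebs_volume.%s" % name
            for name, body in resources(template, "aws_ebs_volume")
            if body.get("encrypted") is not True]
```

Running the two functions over the constructed template flags ``aws_security_group.web`` (port 22 open to the world) and ``aws_ebs_volume.scratch`` (no ``encrypted`` attribute), while the volume and group that follow the rules produce no finding.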
----------
Installing
----------
Terrascan uses Python and depends on terraform-validate and pyhcl. After installing Python on your system, install Terrascan with pip::

   $ pip install terrascan

-----------------
Running the tests
-----------------
To run all tests, execute ``terrascan`` as follows, replacing the ``--location`` value with the location of your terraform templates::

   $ terrascan --location tests/infrastructure/success --tests all

To run a specific test, run the following command, replacing ``encryption`` with the name of the test to run::

   $ terrascan --location tests/infrastructure/success --tests encryption

To learn more about the options of the CLI, execute the following::

   $ terrascan -h

--------------
Feature Status
--------------
Legend:

- `:heavy_minus_sign:` = test needs to be implemented
- `:heavy_check_mark:` = test implemented
- **blank** = N/A

======================================== ====================== ====================== ====================== ======================
Terraform resources Encryption Security Groups Public exposure Logging & Monitoring
======================================== ====================== ====================== ====================== ======================
aws_alb `:heavy_check_mark:` `:heavy_check_mark:`
aws_alb_listener `:heavy_check_mark:`
aws_ami `:heavy_check_mark:`
aws_ami_copy `:heavy_check_mark:`
aws_api_gateway_domain_name `:heavy_check_mark:`
aws_cloudfront_distribution `:heavy_check_mark:` `:heavy_check_mark:`
aws_cloudtrail `:heavy_check_mark:` `:heavy_check_mark:`
aws_codebuild_project `:heavy_check_mark:`
aws_codepipeline `:heavy_check_mark:`
aws_db_instance `:heavy_check_mark:` `:heavy_check_mark:`
aws_db_security_group `:heavy_check_mark:`
aws_dms_endpoint `:heavy_check_mark:`
aws_dms_replication_instance `:heavy_check_mark:` `:heavy_check_mark:`
aws_ebs_volume `:heavy_check_mark:`
aws_efs_file_system `:heavy_check_mark:`
aws_elasticache_security_group `:heavy_check_mark:`
aws_elastictranscoder_pipeline `:heavy_check_mark:`
aws_elb `:heavy_check_mark:` `:heavy_check_mark:` `:heavy_check_mark:`
aws_emr_cluster `:heavy_check_mark:`
aws_instance `:heavy_check_mark:` `:heavy_check_mark:`
aws_kinesis_firehose_delivery_stream `:heavy_check_mark:` `:heavy_check_mark:`
aws_lambda_function `:heavy_check_mark:`
aws_launch_configuration `:heavy_check_mark:`
aws_lb_ssl_negotiation_policy `:heavy_minus_sign:`
aws_load_balancer_backend_server_policy `:heavy_minus_sign:`
aws_load_balancer_listener_policy `:heavy_minus_sign:`
aws_load_balancer_policy `:heavy_minus_sign:`
aws_opsworks_application `:heavy_check_mark:` `:heavy_minus_sign:`
aws_opsworks_custom_layer `:heavy_minus_sign:`
aws_opsworks_ganglia_layer `:heavy_minus_sign:`
aws_opsworks_haproxy_layer `:heavy_minus_sign:`
aws_opsworks_instance `:heavy_minus_sign:`
aws_opsworks_java_app_layer `:heavy_minus_sign:`
aws_opsworks_memcached_layer `:heavy_minus_sign:`
aws_opsworks_mysql_layer `:heavy_minus_sign:`
aws_opsworks_nodejs_app_layer `:heavy_minus_sign:`
aws_opsworks_php_app_layer `:heavy_minus_sign:`
aws_opsworks_rails_app_layer `:heavy_minus_sign:`
aws_opsworks_static_web_layer `:heavy_minus_sign:`
aws_rds_cluster `:heavy_check_mark:`
aws_rds_cluster_instance `:heavy_check_mark:`
aws_redshift_cluster `:heavy_check_mark:` `:heavy_check_mark:` `:heavy_check_mark:`
aws_redshift_parameter_group `:heavy_minus_sign:` `:heavy_minus_sign:`
aws_redshift_security_group `:heavy_check_mark:`
aws_s3_bucket `:heavy_check_mark:` `:heavy_check_mark:`
aws_s3_bucket_object `:heavy_check_mark:`
aws_security_group `:heavy_check_mark:`
aws_security_group_rule `:heavy_check_mark:`
aws_ses_receipt_rule `:heavy_minus_sign:`
aws_sqs_queue `:heavy_check_mark:`
aws_ssm_maintenance_window_task `:heavy_check_mark:`
aws_ssm_parameter `:heavy_check_mark:`
======================================== ====================== ====================== ====================== ======================

=======
History
=======

0.1.0 (2017-11-26)
------------------

* First release on PyPI.