Secure and analyse your Terraform code using AWS CodeCommit, AWS CodePipeline, AWS CodeBuild and tfsec
More and more customers are using Infrastructure-as-Code (IaC) to design and implement their infrastructure on AWS. This is why it is essential to have pipelines with Continuous Integration/Continuous Deployment (CI/CD) for infrastructure deployment. HashiCorp Terraform is one of the popular IaC tools for customers on AWS.
In this blog, I will guide you through building a CI/CD pipeline on AWS to analyze and identify possible configurations issues in your Terraform code templates. This will help mitigate security risks within our infrastructure deployment pipelines as part of our CI/CD. To do this, we utilize AWS tools and the Open Source tfsec tool, a static analysis security scanner for your Terraform code, including more than 90 preconfigured checks with the ability to add custom checks.
Our demo has two separate pipelines:
- CI/CD Pipeline to build and push our custom Docker image to Amazon ECR
- CI/CD Pipeline where our tfsec analysis is executed and Terraform provisions infrastructure
The tfsec configuration and Terraform goes through a buildspec specification file defined within an AWS CodeBuild action. This action will calculate how many potential security risks we currently have within our Terraform templates, which will be displayed in our manual acceptance process for verification.
Provisioning the infrastructure
We have created an AWS Cloud Development Kit (AWS CDK) app hosted in a Git Repository written in Python. Here you can deploy the two main pipelines in order to manage this scenario. For a list of the deployment prerequisites, see the README.md file.
Clone the repo in your local machine. Then, bootstrap and deploy the CDK stack:
git clone https://github.com/aws-samples/aws-cdk-tfsec cd aws-cdk-tfsec pip install -r requirements.txt cdk bootstrap aws://account_id/eu-west-1 cdk deploy --all
The infrastructure creation takes around 5-10 minutes due the AWS CodePipelines and referenced repository creation. Once the CDK has deployed the infrastructure, clone the two new AWS CodeCommit repos that have already been created and push the example code. First, one for the custom Docker image, and later for your Terraform code, like this:
git clone https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/awsome-terraform-example-container cd awsome-terraform-example-container git checkout -b main cp repos/docker_image/* . git add . git commit -am "First commit" git push origin main
Once the Docker image is built and pushed to the Amazon ECR, proceed with Terraform repo. Check the pipeline process on the AWS CodePipeline console.
git clone https://git-codecommit.eu-west-1.amazonaws.com/v1/repos/awsome-terraform-example cd awsome-terraform-example git checkout -b main cp -aR repos/terraform_code/* . git add . git commit -am "First commit" git push origin main
The Terraform provisioning AWS CodePipeline has the following aspect:
The pipeline has three main stages:
- Source – AWS CodeCommit stores the Terraform repository infrastructure and every time we push code to the main branch the AWS CodePipeline will be triggered.
- tfsec analysis – AWS CodeBuild looks for a buildspec to execute the tfsec actions configured on the same buildspec.
The output shows the potential security issues detected by tfsec for our Terraform code. The output is linking to the different security issues already defined on tfsec. Check the security checks defined by tfsec here. After tfsec execution, a manual approval action is set up to decide if we should go for the next steps or if we reject and stop the AWS CodePipeline execution.
The URL for review is linking to our tfsec output console.
- Terraform plan and Terraform apply – This will be applied to our infrastructure plan. After the Terraform plan command and before the Terraform apply, a manual action is set up to decide if we can apply the changes.
After going through all of the stages, our Terraform infrastructure should be created.
After completing your demo, feel free to delete your stack using the CDK cli:
cdk destroy --all
At AWS, security is our top priority. This post demonstrates how to build a CI/CD pipeline by using AWS Services to automate and secure your infrastructure as code via Terraform and tfsec.
Learn more about tfsec through the official documentation: https://tfsec.dev/
About the authors
César Prieto Ballester is a DevOps Consultant at Amazon Web Services. He enjoys automating everything and building infrastructure using code. Apart from work, he plays electric guitar and loves riding his mountain bike.
Bruno Bardelli is a Senior DevOps Consultant at Amazon Web Services. He loves to build applications and in his free time plays video games, practices aikido, and goes on walks with his dog.