Skip to content

joubin/iac-demo

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
cloudgoat
cloudgoat
 
 
localstack
localstack
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
docker-compose.yml
docker-compose.yml
 
 

Repository files navigation

How to work with this

About

This project comes with everything you need in one place. It utilizes terraform-compliance and cloudgoat. It does contain some modifications to make it work.

In order to emulate AWS, we use localstack.

Running This

First you need to get the services up. Simply run:

docker compose up --build -d

This will take some time, but once completed, you will have your own working AWS system and a development box that you can use to do your work.

To start interacting, run docker exec -it iac-demo_dev_1 bash.

if you renamed the folder, your base path may be different from iac-demo.

Once in the dev container, we need to do a few things.

cd /app/scenarios/s3

This directory holds a simplified version of one of CloudGoats frameworks.

Once there, initialize your terraform

terraform init

To create your plan file, simply run

terraform plan -out plan.json

Now at this point, you can run:

terraform apply plan.json

But we want to know if this is a safe thing to do.

terraform-compliance -f git:https://github.com/terraform-compliance/user-friendly-features.git -S -p plan.json

Which will provide this output:

root@613798c07389:/app/scenarios/s3# terraform-compliance -f git:https://github.com/terraform-compliance/user-friendly-features.git -S -p plan.json
terraform-compliance v1.3.22 initiated

Using remote git repository: https://github.com/terraform-compliance/user-friendly-features.git
. Converting terraform plan file.
🚩 Features     : /tmp/tmp7_x4ak58/ (https://github.com/terraform-compliance/user-friendly-features.git)
🚩 Plan File    : /app/scenarios/s3/plan.json.json
🚩 Suppressing output enabled.
Feature: S3 related general feature  # /tmp/tmp7_x4ak58/aws/S3.feature
    Implemented
    - Data must be encrypted at rest (what if it's suppose to be public?, maybe check if it's suppose to be public before? What if it's mistakenly set as public?)
    - Data stored in S3 has versioning enabled
    Questionable checks (only checks if one pass)
    - S3 must have access logging enabled

    Scenario: Data must be encrypted at rest
        Given I have aws_s3_bucket defined
        Then it must have server_side_encryption_configuration
          Failure: aws_s3_bucket.cg-cardholder-data-bucket (aws_s3_bucket) does not have server_side_encryption_configuration property.

    @noskip_at_line_20
    Scenario: S3 must have access logging enabled
        Given I have aws_s3_bucket defined
        When it has logging
          Failure: Can not find any logging property for aws_s3_bucket resource in terraform plan.

    Scenario: Data stored in S3 has versioning enabled
        Given I have aws_s3_bucket defined
        Then it must have versioning
        Then it must have enabled
        And its value must be true
          Failure: enabled property in aws_s3_bucket.cg-cardholder-data-bucket resource does not match with ^true$ case insensitive regex. It is set to False.

25 features (0 passed, 1 failed, 24 skipped)
62 scenarios (0 passed, 3 failed, 59 skipped)
222 steps (5 passed, 3 failed, 59 skipped)
Run 1626929278 finished within a moment

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

0 stars

Watchers

4 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages