diff --git a/.github/template.md b/.github/template.md index f9a163542a..131420fb43 100644 --- a/.github/template.md +++ b/.github/template.md @@ -1,18 +1,20 @@ -# TerraGoat - Vulnerable Terraform Infrastructure +# TerraGoat - Vulnerable Terraform Infrastructure + [![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridge.dev/2WBms5Q) ![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.12.0-blue.svg) TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. -[![Terragoat](terragoat-logo.png)](#) +![Terragoat](terragoat-logo.png) TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. - ## Table of Contents * [Introduction](#introduction) * [Getting Started](#getting-started) + * [AWS](#aws-setup) + * [Azure](#azure-setup) * [Contributing](#contributing) * [Support](#support) 
@@ -23,23 +25,30 @@ TerraGoat was built to enable DevSecOps design and implement a sustainable misco TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure. ## Important notes + * **Where to get help:** the [Bridgecrew Community Slack](https://codified-security.herokuapp.com/) Before you proceed please take a not of these warning: > :warning: TerraGoat creates intentionally vulnerable AWS resources into your account. **DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.** ## Requirements -* Terraform 0.12 + +* Terraform 0.12 * aws cli +* azure cli -To prevent vulnerable infrastructure from arriving to production -see: [checkov](https://github.com/bridgecrewio/checkov/), the open source static analysis tool for infrastructure as code. +To prevent vulnerable infrastructure from arriving to production see: [checkov](https://github.com/bridgecrewio/checkov/), the open source static analysis tool for infrastructure as code. ## Getting started -### Installation -You can deploy multiple TerraGoat stacks in a single AWS account using the parameters `TF_VAR_environment` and `TF_VAR_environment`. - -#### Create an S3 bucket backend to keep Terraform state + +### AWS Setup + +#### Installation (AWS) + +You can deploy multiple TerraGoat stacks in a single AWS account using the parameter `TF_VAR_environment`. + +#### Create an S3 Bucket backend to keep Terraform state + ```bash export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket" export TF_VAR_company_name=acme 
@@ -49,7 +58,7 @@ export TF_VAR_region="us-west-2" aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \ --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region -# Enable versioning +# Enable versioning aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled # Enable encryption @@ -64,9 +73,10 @@ aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-e }' ``` -#### Apply TerraGoat +#### Apply TerraGoat (AWS) + ```bash -cd terraform/ +cd terraform/aws/ terraform init \ -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \ -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \ 
@@ -75,48 +85,95 @@ terraform init \ terraform apply ``` -#### Remove TerraGoat +#### Remove TerraGoat (AWS) + ```bash terraform destroy ``` -#### Creating multiple TerraGoat stacks -```bash +#### Creating multiple TerraGoat AWS stacks -cd terraform/ +```bash +cd terraform/aws/ export TERRAGOAT_ENV=$TF_VAR_environment export TERRAGOAT_STACKS_NUM=5 for i in $(seq 1 $TERRAGOAT_STACKS_NUM) do - export TF_VAR_environment=$TERRAGOAT_ENV$i + export TF_VAR_environment=$TERRAGOAT_ENV$i terraform init \ -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \ -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \ - -backend-config="region=$TF_VAR_region" - + -backend-config="region=$TF_VAR_region" + terraform apply -auto-approve done ``` -#### Deleting multiple TerraGoat stacks -```bash +#### Deleting multiple TerraGoat stacks (AWS) -cd terraform/ +```bash +cd terraform/aws/ export TF_VAR_environment = $TERRAGOAT_ENV for i in $(seq 1 $TERRAGOAT_STACKS_NUM) do - export TF_VAR_environment=$TERRAGOAT_ENV$i + export TF_VAR_environment=$TERRAGOAT_ENV$i terraform init \ -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \ -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \ - -backend-config="region=$TF_VAR_region" - + -backend-config="region=$TF_VAR_region" + terraform destroy -auto-approve done ``` +### Azure Setup + +#### Installation (Azure) + +You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter `TF_VAR_environment`. 
+ +#### Create an Azure Storage Account backend to keep Terraform state + +```bash +export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG" +export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa" +export TERRAGOAT_STATE_CONTAINER="mydevsecops" +export TF_VAR_environment="dev" +export TF_VAR_region="westus" + +# Create resource group +az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP + +# Create storage account +az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob + +# Get storage account key +ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv) + +# Create blob container +az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY +``` + +#### Apply TerraGoat (Azure) + +```bash +cd terraform/azure/ +terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \ + -backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \ + -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \ + -backend-config "key=$TF_VAR_environment.terraform.tfstate" + +terraform apply +``` + +#### Remove TerraGoat (Azure) + +```bash +terraform destroy +``` + +## Bridgecrew's IaC herd of goats -## Bridgecrew's IaC heard of goats: * [CfnGoat](https://github.com/bridgecrewio/cfngoat) - Vulnerable by design Cloudformation template * [TerraGoat](https://github.com/bridgecrewio/terragoat) - Vulnerable by design Terraform stack 
@@ -132,4 +189,4 @@ We would love to hear about more ideas on how to find vulnerable infrastructure- If you need direct support you can contact us at [info@bridgecrew.io](mailto:info@bridgecrew.io). -# Existing vulnerabilities (Auto-Generated) +## Existing vulnerabilities (Auto-Generated) diff --git a/README.md b/README.md index bc315057a9..738af1dbd8 100644 --- a/README.md +++ b/README.md @@ -1,18 +1,20 @@ -# TerraGoat - Vulnerable Terraform Infrastructure +# TerraGoat - Vulnerable Terraform Infrastructure + [![Maintained by Bridgecrew.io](https://img.shields.io/badge/maintained%20by-bridgecrew.io-blueviolet)](https://bridge.dev/2WBms5Q) ![Terraform Version](https://img.shields.io/badge/tf-%3E%3D0.12.0-blue.svg) TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. -[![Terragoat](terragoat-logo.png)](#) +![Terragoat](terragoat-logo.png) TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. - ## Table of Contents * [Introduction](#introduction) * [Getting Started](#getting-started) + * [AWS](#aws-setup) + * [Azure](#azure-setup) * [Contributing](#contributing) * [Support](#support) 
@@ -23,23 +25,30 @@ TerraGoat was built to enable DevSecOps design and implement a sustainable misco TerraGoat follows the tradition of existing *Goat projects that provide a baseline training ground to practice implementing secure development best practices for cloud infrastructure. ## Important notes + * **Where to get help:** the [Bridgecrew Community Slack](https://codified-security.herokuapp.com/) Before you proceed please take a not of these warning: > :warning: TerraGoat creates intentionally vulnerable AWS resources into your account. **DO NOT deploy TerraGoat in a production environment or alongside any sensitive AWS resources.** ## Requirements -* Terraform 0.12 + +* Terraform 0.12 * aws cli +* azure cli -To prevent vulnerable infrastructure from arriving to production -see: [checkov](https://github.com/bridgecrewio/checkov/), the open source static analysis tool for infrastructure as code. +To prevent vulnerable infrastructure from arriving to production see: [checkov](https://github.com/bridgecrewio/checkov/), the open source static analysis tool for infrastructure as code. ## Getting started -### Installation -You can deploy multiple TerraGoat stacks in a single AWS account using the parameters `TF_VAR_environment` and `TF_VAR_environment`. - -#### Create an S3 bucket backend to keep Terraform state + +### AWS Setup + +#### Installation (AWS) + +You can deploy multiple TerraGoat stacks in a single AWS account using the parameter `TF_VAR_environment`. + +#### Create an S3 Bucket backend to keep Terraform state + ```bash export TERRAGOAT_STATE_BUCKET="mydevsecops-bucket" export TF_VAR_company_name=acme 
@@ -49,7 +58,7 @@ export TF_VAR_region="us-west-2" aws s3api create-bucket --bucket $TERRAGOAT_STATE_BUCKET \ --region $TF_VAR_region --create-bucket-configuration LocationConstraint=$TF_VAR_region -# Enable versioning +# Enable versioning aws s3api put-bucket-versioning --bucket $TERRAGOAT_STATE_BUCKET --versioning-configuration Status=Enabled # Enable encryption @@ -64,9 +73,10 @@ aws s3api put-bucket-encryption --bucket $TERRAGOAT_STATE_BUCKET --server-side-e }' ``` -#### Apply TerraGoat +#### Apply TerraGoat (AWS) + ```bash -cd terraform/ +cd terraform/aws/ terraform init \ -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \ -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \ 
@@ -75,48 +85,95 @@ terraform init \ terraform apply ``` -#### Remove TerraGoat +#### Remove TerraGoat (AWS) + ```bash terraform destroy ``` -#### Creating multiple TerraGoat stacks -```bash +#### Creating multiple TerraGoat AWS stacks -cd terraform/ +```bash +cd terraform/aws/ export TERRAGOAT_ENV=$TF_VAR_environment export TERRAGOAT_STACKS_NUM=5 for i in $(seq 1 $TERRAGOAT_STACKS_NUM) do - export TF_VAR_environment=$TERRAGOAT_ENV$i + export TF_VAR_environment=$TERRAGOAT_ENV$i terraform init \ -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \ -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \ - -backend-config="region=$TF_VAR_region" - + -backend-config="region=$TF_VAR_region" + terraform apply -auto-approve done ``` -#### Deleting multiple TerraGoat stacks -```bash +#### Deleting multiple TerraGoat stacks (AWS) -cd terraform/ +```bash +cd terraform/aws/ export TF_VAR_environment = $TERRAGOAT_ENV for i in $(seq 1 $TERRAGOAT_STACKS_NUM) do - export TF_VAR_environment=$TERRAGOAT_ENV$i + export TF_VAR_environment=$TERRAGOAT_ENV$i terraform init \ -backend-config="bucket=$TERRAGOAT_STATE_BUCKET" \ -backend-config="key=$TF_VAR_company_name-$TF_VAR_environment.tfstate" \ - -backend-config="region=$TF_VAR_region" - + -backend-config="region=$TF_VAR_region" + terraform destroy -auto-approve done ``` +### Azure Setup + +#### Installation (Azure) + +You can deploy multiple TerraGoat stacks in a single Azure subscription using the parameter `TF_VAR_environment`. 
+ +#### Create an Azure Storage Account backend to keep Terraform state + +```bash +export TERRAGOAT_RESOURCE_GROUP="TerraGoatRG" +export TERRAGOAT_STATE_STORAGE_ACCOUNT="mydevsecopssa" +export TERRAGOAT_STATE_CONTAINER="mydevsecops" +export TF_VAR_environment="dev" +export TF_VAR_region="westus" + +# Create resource group +az group create --location $TF_VAR_region --name $TERRAGOAT_RESOURCE_GROUP + +# Create storage account +az storage account create --name $TERRAGOAT_STATE_STORAGE_ACCOUNT --resource-group $TERRAGOAT_RESOURCE_GROUP --location $TF_VAR_region --sku Standard_LRS --kind StorageV2 --https-only true --encryption-services blob + +# Get storage account key +ACCOUNT_KEY=$(az storage account keys list --resource-group $TERRAGOAT_RESOURCE_GROUP --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --query [0].value -o tsv) + +# Create blob container +az storage container create --name $TERRAGOAT_STATE_CONTAINER --account-name $TERRAGOAT_STATE_STORAGE_ACCOUNT --account-key $ACCOUNT_KEY +``` + +#### Apply TerraGoat (Azure) + +```bash +cd terraform/azure/ +terraform init -reconfigure -backend-config="resource_group_name=$TERRAGOAT_RESOURCE_GROUP" \ + -backend-config "storage_account_name=$TERRAGOAT_STATE_STORAGE_ACCOUNT" \ + -backend-config="container_name=$TERRAGOAT_STATE_CONTAINER" \ + -backend-config "key=$TF_VAR_environment.terraform.tfstate" + +terraform apply +``` + +#### Remove TerraGoat (Azure) + +```bash +terraform destroy +``` + +## Bridgecrew's IaC herd of goats -## Bridgecrew's IaC heard of goats: * [CfnGoat](https://github.com/bridgecrewio/cfngoat) - Vulnerable by design Cloudformation template * [TerraGoat](https://github.com/bridgecrewio/terragoat) - Vulnerable by design Terraform stack 
@@ -132,52 +189,92 @@ We would love to hear about more ideas on how to find vulnerable infrastructure- If you need direct support you can contact us at [info@bridgecrew.io](mailto:info@bridgecrew.io). -# Existing vulnerabilities (Auto-Generated) -| | check_id | file | resource | check_name | -|----|------------|---------------|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| 0 | CKV_AWS_41 | /providers.tf | aws | Ensure no hard coded AWS access key and and secret key exists in provider | -| 1 | CKV_AWS_5 | /es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is securely encrypted at rest | -| 2 | CKV_AWS_46 | /ec2.tf | aws_instance.web_host | Ensure no hard coded AWS access key and and secret key exists in EC2 user data | -| 3 | CKV_AWS_8 | /ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration EBS is securely encrypted | -| 4 | CKV_AWS_3 | /ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted | -| 5 | CKV_AWS_4 | /ec2.tf | aws_ebs_snapshot.example_snapshot | Ensure all data stored in the EBS Snapshot is securely encrypted | -| 6 | CKV_AWS_24 | /ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | -| 7 | CKV_AWS_21 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled | -| 8 | CKV_AWS_18 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled | -| 9 | CKV_AWS_52 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure S3 bucket has MFA delete enabled | -| 10 | CKV_AWS_19 | /ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | -| 11 | CKV_AWS_40 | /iam.tf | 
aws_iam_user_policy.userpolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) | -| 12 | CKV_AWS_51 | /ecr.tf | aws_ecr_repository.repository | Ensure ECR Image Tags are immutable | -| 13 | CKV_AWS_33 | /ecr.tf | aws_ecr_repository.repository | Ensure ECR image scanning on push is enabled | -| 14 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled | -| 15 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled | -| 16 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.data | Ensure S3 bucket has MFA delete enabled | -| 17 | CKV_AWS_20 | /s3.tf | aws_s3_bucket.data | S3 Bucket has an ACL defined which allows public READ access. | -| 18 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest | -| 19 | CKV_AWS_21 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled | -| 20 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled | -| 21 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.financials | Ensure S3 bucket has MFA delete enabled | -| 22 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest | -| 23 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled | -| 24 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.operations | Ensure S3 bucket has MFA delete enabled | -| 25 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest | -| 26 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.data_science | Ensure S3 bucket has MFA delete enabled | -| 27 | CKV_AWS_19 | /s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is 
securely encrypted at rest | -| 28 | CKV_AWS_18 | /s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled | -| 29 | CKV_AWS_52 | /s3.tf | aws_s3_bucket.logs | Ensure S3 bucket has MFA delete enabled | -| 30 | CKV_AWS_16 | /db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS is securely encrypted at rest | -| 31 | CKV_AWS_17 | /db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS bucket is not public accessible | -| 32 | CKV_AWS_23 | /db-app.tf | aws_security_group.default | Ensure every security groups rule has a description | -| 33 | CKV_AWS_23 | /db-app.tf | aws_security_group_rule.ingress | Ensure every security groups rule has a description | -| 34 | CKV_AWS_23 | /db-app.tf | aws_security_group_rule.egress | Ensure every security groups rule has a description | -| 35 | CKV_AWS_8 | /db-app.tf | aws_instance.db_app | Ensure all data stored in the Launch configuration EBS is securely encrypted | -| 36 | CKV_AWS_50 | /lambda.tf | aws_lambda_function.analysis_lambda | X-ray tracing is enabled for Lambda | -| 37 | CKV_AWS_45 | /lambda.tf | aws_lambda_function.analysis_lambda | Ensure no hard coded AWS access key and and secret key exists in lambda environment | -| 38 | CKV_AWS_7 | /kms.tf | aws_kms_key.logs_key | Ensure rotation for customer created CMKs is enabled | -| 39 | CKV_AWS_37 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | -| 40 | CKV_AWS_38 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | -| 41 | CKV_AWS_39 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint disabled | -| 42 | CKV_AWS_58 | /eks.tf | aws_eks_cluster.eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | +## Existing vulnerabilities (Auto-Generated) +| | check_id | file | resource | check_name | 
+|----|--------------|---------------------------|------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| 0 | CKV_AZURE_2 | /azure/storage.tf | azurerm_managed_disk.example | Ensure Azure managed disk have encryption enabled | +| 1 | CKV_AZURE_3 | /azure/storage.tf | azurerm_storage_account.example | Ensure that 'Secure transfer required' is set to 'Enabled' | +| 2 | CKV_AZURE_35 | /azure/storage.tf | azurerm_storage_account.example | Ensure default network access rule for Storage Accounts is set to deny | +| 3 | CKV_AZURE_33 | /azure/storage.tf | azurerm_storage_account.example | Ensure Storage logging is enabled for Queue service for read, write and delete requests | +| 4 | CKV_AZURE_36 | /azure/storage.tf | azurerm_storage_account_network_rules.test | Ensure 'Trusted Microsoft Services' is enabled for Storage Account access | +| 5 | CKV_AZURE_39 | /azure/roles.tf | azurerm_role_definition.example | Ensure that no custom subscription owner roles are created | +| 6 | CKV_AZURE_14 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure web app redirects all HTTP traffic to HTTPS in Azure App Service | +| 7 | CKV_AZURE_18 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that 'HTTP Version' is the latest if used to run the web app | +| 8 | CKV_AZURE_16 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure that Register with Azure Active Directory is enabled on App Service | +| 9 | CKV_AZURE_17 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | +| 10 | CKV_AZURE_13 | /azure/app_service.tf | azurerm_app_service.app-service1 | Ensure App Service Authentication is set on Azure App Service | +| 11 | CKV_AZURE_15 | /azure/app_service.tf 
| azurerm_app_service.app-service1 | Ensure web app is using the latest version of TLS encryption | +| 12 | CKV_AZURE_18 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that 'HTTP Version' is the latest if used to run the web app | +| 13 | CKV_AZURE_16 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure that Register with Azure Active Directory is enabled on App Service | +| 14 | CKV_AZURE_17 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure the web app has 'Client Certificates (Incoming client certificates)' set | +| 15 | CKV_AZURE_13 | /azure/app_service.tf | azurerm_app_service.app-service2 | Ensure App Service Authentication is set on Azure App Service | +| 16 | CKV_AZURE_42 | /azure/key_vault.tf | azurerm_key_vault.example | Ensure the key vault is recoverable | +| 17 | CKV_AZURE_40 | /azure/key_vault.tf | azurerm_key_vault_key.generated | Ensure that the expiration date is set on all keys | +| 18 | CKV_AZURE_41 | /azure/key_vault.tf | azurerm_key_vault_secret.secret | Ensure that the expiration date is set on all secrets | +| 19 | CKV_AZURE_23 | /azure/sql.tf | azurerm_sql_server.example | Ensure that 'Auditing' is set to 'On' for SQL servers | +| 20 | CKV_AZURE_24 | /azure/sql.tf | azurerm_sql_server.example | Ensure that 'Auditing' Retention is 'greater than 90 days' for SQL servers | +| 21 | CKV_AZURE_27 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Email service and co-administrators' is 'Enabled' for MSSQL servers | +| 22 | CKV_AZURE_26 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Send Alerts To' is enabled for MSSQL servers | +| 23 | CKV_AZURE_25 | /azure/sql.tf | azurerm_mssql_server_security_alert_policy.example | Ensure that 'Threat Detection types' is set to 'All' | +| 24 | CKV_AZURE_28 | /azure/sql.tf | azurerm_mysql_server.example | Ensure 'Enforce SSL connection' is set to 'ENABLED' for MySQL Database Server | +| 25 | 
CKV_AZURE_29 | /azure/sql.tf | azurerm_postgresql_server.example | Ensure 'Enforce SSL connection' is set to 'ENABLED' for PostgreSQL Database Server | +| 26 | CKV_AZURE_32 | /azure/sql.tf | azurerm_postgresql_configuration.thrtottling_config | Ensure server parameter 'connection_throttling' is set to 'ON' for PostgreSQL Database Server | +| 27 | CKV_AZURE_30 | /azure/sql.tf | azurerm_postgresql_configuration.example | Ensure server parameter 'log_checkpoints' is set to 'ON' for PostgreSQL Database Server | +| 28 | CKV_AZURE_1 | /azure/instance.tf | azurerm_linux_virtual_machine.linux_machine | Ensure Azure Instance does not use basic authentication(Use SSH Key Instead) | +| 29 | CKV_AZURE_8 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure Kube Dashboard is disabled | +| 30 | CKV_AZURE_7 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS cluster has Network Policy configured | +| 31 | CKV_AZURE_5 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure RBAC is enabled on AKS clusters | +| 32 | CKV_AZURE_6 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS has an API Server Authorized IP Ranges enabled | +| 33 | CKV_AZURE_4 | /azure/aks.tf | azurerm_kubernetes_cluster.k8s_cluster | Ensure AKS logging to Azure Monitoring is Configured | +| 34 | CKV_AZURE_19 | /azure/security_center.tf | azurerm_security_center_subscription_pricing.pricing | Ensure that standard pricing tier is selected | +| 35 | CKV_AZURE_21 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | +| 36 | CKV_AZURE_20 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that security contact 'Phone number' is set | +| 37 | CKV_AZURE_22 | /azure/security_center.tf | azurerm_security_center_contact.contact | Ensure that 'Send email notification for high severity alerts' is set to 'On' | +| 38 | CKV_AZURE_37 | 
/azure/logging.tf | azurerm_monitor_log_profile.logging_profile | Ensure that Activity Log Retention is set 365 days or greater | +| 39 | CKV_AZURE_38 | /azure/logging.tf | azurerm_monitor_log_profile.logging_profile | Ensure audit profile captures all the activities | +| 40 | CKV_AZURE_9 | /azure/networking.tf | azurerm_network_security_group.bad_sg | Ensure that RDP access is restricted from the internet | +| 41 | CKV_AZURE_10 | /azure/networking.tf | azurerm_network_security_group.bad_sg | Ensure that SSH access is restricted from the internet | +| 42 | CKV_AZURE_12 | /azure/networking.tf | azurerm_network_watcher_flow_log.flow_log | Ensure that Network Security Group Flow Log retention period is 'greater than 90 days' | +| 43 | CKV_AWS_7 | /aws/kms.tf | aws_kms_key.logs_key | Ensure rotation for customer created CMKs is enabled | +| 44 | CKV_AWS_45 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | Ensure no hard coded AWS access key and and secret key exists in lambda environment | +| 45 | CKV_AWS_50 | /aws/lambda.tf | aws_lambda_function.analysis_lambda | X-ray tracing is enabled for Lambda | +| 46 | CKV_AWS_40 | /aws/iam.tf | aws_iam_user_policy.userpolicy | Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.) 
| +| 47 | CKV_AWS_37 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS control plane logging enabled for all log types | +| 48 | CKV_AWS_39 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint disabled | +| 49 | CKV_AWS_38 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure Amazon EKS public endpoint not accessible to 0.0.0.0/0 | +| 50 | CKV_AWS_58 | /aws/eks.tf | aws_eks_cluster.eks_cluster | Ensure EKS Cluster has Secrets Encryption Enabled | +| 51 | CKV_AWS_51 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure ECR Image Tags are immutable | +| 52 | CKV_AWS_33 | /aws/ecr.tf | aws_ecr_repository.repository | Ensure ECR image scanning on push is enabled | +| 53 | CKV_AWS_46 | /aws/ec2.tf | aws_instance.web_host | Ensure no hard coded AWS access key and and secret key exists in EC2 user data | +| 54 | CKV_AWS_8 | /aws/ec2.tf | aws_instance.web_host | Ensure all data stored in the Launch configuration EBS is securely encrypted | +| 55 | CKV_AWS_3 | /aws/ec2.tf | aws_ebs_volume.web_host_storage | Ensure all data stored in the EBS is securely encrypted | +| 56 | CKV_AWS_4 | /aws/ec2.tf | aws_ebs_snapshot.example_snapshot | Ensure all data stored in the EBS Snapshot is securely encrypted | +| 57 | CKV_AWS_24 | /aws/ec2.tf | aws_security_group.web-node | Ensure no security groups allow ingress from 0.0.0.0:0 to port 22 | +| 58 | CKV_AWS_21 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket have versioning enabled | +| 59 | CKV_AWS_52 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure S3 bucket has MFA delete enabled | +| 60 | CKV_AWS_18 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure the S3 bucket has access logging enabled | +| 61 | CKV_AWS_19 | /aws/ec2.tf | aws_s3_bucket.flowbucket | Ensure all data stored in the S3 bucket is securely encrypted at rest | +| 62 | CKV_AWS_17 | /aws/db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS bucket is not public accessible | +| 63 
| CKV_AWS_16 | /aws/db-app.tf | aws_db_instance.default | Ensure all data stored in the RDS is securely encrypted at rest | +| 64 | CKV_AWS_8 | /aws/db-app.tf | aws_instance.db_app | Ensure all data stored in the Launch configuration EBS is securely encrypted | +| 65 | CKV_AWS_41 | /aws/providers.tf | aws | Ensure no hard coded AWS access key and and secret key exists in provider | +| 66 | CKV_AWS_5 | /aws/es.tf | aws_elasticsearch_domain.monitoring-framework | Ensure all data stored in the Elasticsearch is securely encrypted at rest | +| 67 | CKV_AWS_20 | /aws/s3.tf | aws_s3_bucket.data | S3 Bucket has an ACL defined which allows public READ access. | +| 68 | CKV_AWS_21 | /aws/s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket have versioning enabled | +| 69 | CKV_AWS_52 | /aws/s3.tf | aws_s3_bucket.data | Ensure S3 bucket has MFA delete enabled | +| 70 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.data | Ensure the S3 bucket has access logging enabled | +| 71 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.data | Ensure all data stored in the S3 bucket is securely encrypted at rest | +| 72 | CKV_AWS_21 | /aws/s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket have versioning enabled | +| 73 | CKV_AWS_52 | /aws/s3.tf | aws_s3_bucket.financials | Ensure S3 bucket has MFA delete enabled | +| 74 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.financials | Ensure the S3 bucket has access logging enabled | +| 75 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.financials | Ensure all data stored in the S3 bucket is securely encrypted at rest | +| 76 | CKV_AWS_52 | /aws/s3.tf | aws_s3_bucket.operations | Ensure S3 bucket has MFA delete enabled | +| 77 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.operations | Ensure the S3 bucket has access logging enabled | +| 78 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.operations | Ensure all data stored in the S3 bucket is securely encrypted at rest | +| 79 | CKV_AWS_52 | /aws/s3.tf | aws_s3_bucket.data_science | 
Ensure S3 bucket has MFA delete enabled | +| 80 | CKV_AWS_19 | /aws/s3.tf | aws_s3_bucket.data_science | Ensure all data stored in the S3 bucket is securely encrypted at rest | +| 81 | CKV_AWS_52 | /aws/s3.tf | aws_s3_bucket.logs | Ensure S3 bucket has MFA delete enabled | +| 82 | CKV_AWS_18 | /aws/s3.tf | aws_s3_bucket.logs | Ensure the S3 bucket has access logging enabled | --- diff --git a/terraform/consts.tf b/terraform/aws/consts.tf similarity index 100% rename from terraform/consts.tf rename to terraform/aws/consts.tf diff --git a/terraform/db-app.tf b/terraform/aws/db-app.tf similarity index 86% rename from terraform/db-app.tf rename to terraform/aws/db-app.tf index 395a3415f9..f71f548b72 100644 --- a/terraform/db-app.tf +++ b/terraform/aws/db-app.tf @@ -1,14 +1,14 @@ resource "aws_db_instance" "default" { - name = var.dbname - engine = "mysql" - option_group_name = aws_db_option_group.default.name - parameter_group_name = aws_db_parameter_group.default.name - db_subnet_group_name = aws_db_subnet_group.default.name - vpc_security_group_ids = ["${aws_security_group.default.id}"] + name = var.dbname + engine = "mysql" + option_group_name = aws_db_option_group.default.name + parameter_group_name = aws_db_parameter_group.default.name + db_subnet_group_name = aws_db_subnet_group.default.name + vpc_security_group_ids = ["${aws_security_group.default.id}"] identifier = "rds-${local.resource_prefix.value}" engine_version = "8.0" # Latest major version - instance_class = "db.t3.micro" + instance_class = "db.t3.micro" allocated_storage = "20" username = "admin" password = var.password @@ -21,8 +21,8 @@ resource "aws_db_instance" "default" { publicly_accessible = true tags = { - Name = "${local.resource_prefix.value}-rds" - Environment = local.resource_prefix.value + Name = "${local.resource_prefix.value}-rds" + Environment = local.resource_prefix.value } # Ignore password changes from tf plan diff 
@@ -37,16 +37,16 @@ resource "aws_db_option_group" "default" { major_engine_version = "8.0" option_group_description = "Terraform OG" - tags = { - Name = "${local.resource_prefix.value}-og" - Environment = local.resource_prefix.value + tags = { + Name = "${local.resource_prefix.value}-og" + Environment = local.resource_prefix.value } } resource "aws_db_parameter_group" "default" { - name = "pg-${local.resource_prefix.value}" - family = "mysql8.0" - description = "Terraform PG" + name = "pg-${local.resource_prefix.value}" + family = "mysql8.0" + description = "Terraform PG" parameter { name = "character_set_client" @@ -59,17 +59,17 @@ resource "aws_db_parameter_group" "default" { value = "utf8" apply_method = "immediate" } - + tags = { - Name = "${local.resource_prefix.value}-pg" - Environment = local.resource_prefix.value + Name = "${local.resource_prefix.value}-pg" + Environment = local.resource_prefix.value } } resource "aws_db_subnet_group" "default" { - name = "sg-${local.resource_prefix.value}" - subnet_ids = ["${aws_subnet.web_subnet.id}", "${aws_subnet.web_subnet2.id}"] - description = "Terraform DB Subnet Group" + name = "sg-${local.resource_prefix.value}" + subnet_ids = ["${aws_subnet.web_subnet.id}", "${aws_subnet.web_subnet2.id}"] + description = "Terraform DB Subnet Group" tags = { Name = "sg-${local.resource_prefix.value}" @@ -78,10 +78,10 @@ resource "aws_db_subnet_group" "default" { } resource "aws_security_group" "default" { - name = "${local.resource_prefix.value}-rds-sg" - vpc_id = aws_vpc.web_vpc.id + name = "${local.resource_prefix.value}-rds-sg" + vpc_id = aws_vpc.web_vpc.id - tags = { + tags = { Name = "${local.resource_prefix.value}-rds-sg" Environment = local.resource_prefix.value } @@ -132,7 +132,7 @@ resource "aws_iam_role" "ec2role" { } EOF - tags = { + tags = { Name = "${local.resource_prefix.value}-role" Environment = local.resource_prefix.value } 
@@ -162,7 +162,7 @@ EOF data "aws_ami" "amazon-linux-2" { most_recent = true - owners = [ "amazon" ] + owners = ["amazon"] filter { name = "owner-alias" @@ -177,8 +177,8 @@ data "aws_ami" "amazon-linux-2" { resource "aws_instance" "db_app" { # ec2 have plain text secrets in user data - ami = data.aws_ami.amazon-linux-2.id - instance_type = "t2.nano" + ami = data.aws_ami.amazon-linux-2.id + instance_type = "t2.nano" iam_instance_profile = aws_iam_instance_profile.ec2profile.name vpc_security_group_ids = [ diff --git a/terraform/ec2.tf b/terraform/aws/ec2.tf similarity index 98% rename from terraform/ec2.tf rename to terraform/aws/ec2.tf index 8d9a1f8bf2..7768949b0a 100644 --- a/terraform/ec2.tf +++ b/terraform/aws/ec2.tf @@ -26,7 +26,7 @@ resource "aws_ebs_volume" "web_host_storage" { # unencrypted volume availability_zone = "${var.availability_zone}" #encrypted = false # Setting this causes the volume to be recreated on apply - size = 1 + size = 1 tags = { Name = "${local.resource_prefix.value}-ebs" } @@ -169,7 +169,7 @@ resource "aws_flow_log" "vpcflowlogs" { } resource "aws_s3_bucket" "flowbucket" { - bucket = "${local.resource_prefix.value}-flowlogs" + bucket = "${local.resource_prefix.value}-flowlogs" force_destroy = true tags = { diff --git a/terraform/ecr.tf b/terraform/aws/ecr.tf similarity index 69% rename from terraform/ecr.tf rename to terraform/aws/ecr.tf index 99639ce99d..67bb0eee46 100644 --- a/terraform/ecr.tf +++ b/terraform/aws/ecr.tf 
@@ -1,14 +1,14 @@ resource aws_ecr_repository "repository" { - name = "${local.resource_prefix.value}-repository" + name = "${local.resource_prefix.value}-repository" image_tag_mutability = "MUTABLE" tags = { - Name = "${local.resource_prefix.value}-repository" + Name = "${local.resource_prefix.value}-repository" } } locals { - docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}" + docker_image = "${data.aws_caller_identity.current.account_id}.dkr.ecr.${var.region}.amazonaws.com/${aws_ecr_repository.repository.name}" } diff --git a/terraform/eks.tf b/terraform/aws/eks.tf similarity index 81% rename from terraform/eks.tf rename to terraform/aws/eks.tf index 89f71a8a56..99659f32e6 100644 --- a/terraform/eks.tf +++ b/terraform/aws/eks.tf @@ -6,17 +6,17 @@ locals { data aws_iam_policy_document "iam_policy_eks" { statement { - effect = "Allow" + effect = "Allow" actions = ["sts:AssumeRole"] principals { - type = "Service" - identifiers = ["eks.amazonaws.com"] + type = "Service" + identifiers = ["eks.amazonaws.com"] } } } resource aws_iam_role "iam_for_eks" { - name = "${local.resource_prefix.value}-iam-for-eks" + name = "${local.resource_prefix.value}-iam-for-eks" assume_role_policy = data.aws_iam_policy_document.iam_policy_eks.json } @@ -45,7 +45,7 @@ resource aws_subnet "eks_subnet1" { availability_zone = var.availability_zone map_public_ip_on_launch = true tags = { - Name = "${local.resource_prefix.value}-eks-subnet" + Name = "${local.resource_prefix.value}-eks-subnet" "kubernetes.io/cluster/${local.eks_name.value}" = "shared" } } @@ -56,7 +56,7 @@ resource aws_subnet "eks_subnet2" { availability_zone = var.availability_zone2 map_public_ip_on_launch = true tags = { - Name = "${local.resource_prefix.value}-eks-subnet2" + Name = "${local.resource_prefix.value}-eks-subnet2" "kubernetes.io/cluster/${local.eks_name.value}" = "shared" } } 
@@ -67,7 +67,7 @@ resource aws_eks_cluster "eks_cluster" { vpc_config { endpoint_private_access = true - subnet_ids = ["${aws_subnet.eks_subnet1.id}", "${aws_subnet.eks_subnet2.id}"] + subnet_ids = ["${aws_subnet.eks_subnet1.id}", "${aws_subnet.eks_subnet2.id}"] } depends_on = [ diff --git a/terraform/elb.tf b/terraform/aws/elb.tf similarity index 69% rename from terraform/elb.tf rename to terraform/aws/elb.tf index 6f13813869..5c189dd3e0 100644 --- a/terraform/elb.tf +++ b/terraform/aws/elb.tf @@ -1,6 +1,6 @@ # Create a new load balancer resource "aws_elb" "weblb" { - name = "weblb-terraform-elb" + name = "weblb-terraform-elb" listener { instance_port = 8000 @@ -17,9 +17,9 @@ resource "aws_elb" "weblb" { interval = 30 } - subnets = ["${aws_subnet.web_subnet.id}"] - security_groups = ["${aws_security_group.web-node.id}"] - instances = ["${aws_instance.web_host.id}"] + subnets = [aws_subnet.web_subnet.id] + security_groups = [aws_security_group.web-node.id] + instances = [aws_instance.web_host.id] cross_zone_load_balancing = true idle_timeout = 400 connection_draining = true @@ -27,4 +27,5 @@ resource "aws_elb" "weblb" { tags = { Name = "foobar-terraform-elb" - } \ No newline at end of file + } +} \ No newline at end of file diff --git a/terraform/es.tf b/terraform/aws/es.tf similarity index 88% rename from terraform/es.tf rename to terraform/aws/es.tf index 463db52423..c86e607bd3 100644 --- a/terraform/es.tf +++ b/terraform/aws/es.tf @@ -18,7 +18,7 @@ resource "aws_elasticsearch_domain" "monitoring-framework" { data aws_iam_policy_document "policy" { statement { - actions = ["es:*"] + actions = ["es:*"] principals { type = "AWS" identifiers = ["*"] 
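Review bot: The `tags` block in the last elb.tf hunk keeps `Name = "foobar-terraform-elb"` and the first hunk keeps `name = "weblb-terraform-elb"`; both are hard-coded while every other resource in this stack derives its name from `local.resource_prefix.value`, so two stacks deployed side by side with different `TF_VAR_environment` values (the usage the README describes) would presumably collide on the ELB name, which must be unique per account and region. Change them to `name = "${local.resource_prefix.value}-elb"` and `Name = "${local.resource_prefix.value}-elb"`. The last hunk adds the missing closing brace, but the new side still ends without a newline (`\ No newline at end of file`); `terraform fmt` would add it.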
@@ -28,6 +28,6 @@ data aws_iam_policy_document "policy" { } resource "aws_elasticsearch_domain_policy" "monitoring-framework-policy" { - domain_name = aws_elasticsearch_domain.monitoring-framework.domain_name + domain_name = aws_elasticsearch_domain.monitoring-framework.domain_name access_policies = data.aws_iam_policy_document.policy.json } diff --git a/terraform/iam.tf b/terraform/aws/iam.tf similarity index 100% rename from terraform/iam.tf rename to terraform/aws/iam.tf diff --git a/terraform/kms.tf b/terraform/aws/kms.tf similarity index 100% rename from terraform/kms.tf rename to terraform/aws/kms.tf diff --git a/terraform/lambda.tf b/terraform/aws/lambda.tf similarity index 100% rename from terraform/lambda.tf rename to terraform/aws/lambda.tf diff --git a/terraform/providers.tf b/terraform/aws/providers.tf similarity index 100% rename from terraform/providers.tf rename to terraform/aws/providers.tf diff --git a/terraform/resources/Dockerfile b/terraform/aws/resources/Dockerfile similarity index 100% rename from terraform/resources/Dockerfile rename to terraform/aws/resources/Dockerfile diff --git a/terraform/resources/customer-master.xlsx b/terraform/aws/resources/customer-master.xlsx similarity index 100% rename from terraform/resources/customer-master.xlsx rename to terraform/aws/resources/customer-master.xlsx diff --git a/terraform/resources/lambda_function_payload.zip b/terraform/aws/resources/lambda_function_payload.zip similarity index 100% rename from terraform/resources/lambda_function_payload.zip rename to terraform/aws/resources/lambda_function_payload.zip diff --git a/terraform/s3.tf b/terraform/aws/s3.tf similarity index 94% rename from terraform/s3.tf rename to terraform/aws/s3.tf index a51b8287f4..c0f2b9651c 100644 --- a/terraform/s3.tf +++ b/terraform/aws/s3.tf 
@@ -13,9 +13,9 @@ resource "aws_s3_bucket" "data" {
 }
 resource "aws_s3_bucket_object" "data_object" {
- bucket = aws_s3_bucket.data.id
- key = "customer-master.xlsx"
- source = "resources/customer-master.xlsx"
+ bucket = aws_s3_bucket.data.id
+ key = "customer-master.xlsx"
+ source = "resources/customer-master.xlsx"
 tags = {
 Name = "${local.resource_prefix.value}-customer-master"
 Environment = local.resource_prefix.value
diff --git a/terraform/azure/aks.tf b/terraform/azure/aks.tf
new file mode 100644
index 0000000000..55c870ab2b
--- /dev/null
+++ b/terraform/azure/aks.tf
@@ -0,0 +1,25 @@
+resource azurerm_kubernetes_cluster "k8s_cluster" {
+ dns_prefix = "terragoat-${var.environment}"
+ location = var.location
+ name = "terragoat-aks-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+ identity {
+ type = "SystemAssigned"
+ }
+ default_node_pool {
+ name = "default"
+ vm_size = "Standard_D2_v2"
+ node_count = 2
+ }
+ addon_profile {
+ oms_agent {
+ enabled = false
+ }
+ kube_dashboard {
+ enabled = true
+ }
+ }
+ role_based_access_control {
+ enabled = false
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/app_service.tf b/terraform/azure/app_service.tf
new file mode 100644
index 0000000000..45f01f142c
--- /dev/null
+++ b/terraform/azure/app_service.tf
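Review bot: The deliberate misconfigurations in the new aks.tf — `role_based_access_control { enabled = false }`, `kube_dashboard { enabled = true }` and `oms_agent { enabled = false }` — carry no comment saying they are intended, unlike the AWS files, where the fixture's purpose is marked inline (`# unencrypted volume` in ec2.tf, `# ec2 have plain text secrets in user data` in db-app.tf). A one-line comment per block, e.g. `# intentional finding: RBAC disabled on the cluster`, lets a reader tell a training fixture from an oversight and keeps the Azure files consistent with the AWS ones. The same gap exists in the other new Azure files in this commit (app_service.tf, instance.tf, key_vault.tf, logging.tf, networking.tf).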
@@ -0,0 +1,34 @@
+resource azurerm_app_service_plan "example" {
+ name = "terragoat-app-service-plan-${var.environment}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ sku {
+ tier = "Dynamic"
+ size = "S1"
+ }
+}
+
+resource azurerm_app_service "app-service1" {
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ location = var.location
+ name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ https_only = false
+ site_config {
+ min_tls_version = "1.1"
+ }
+}
+
+resource azurerm_app_service "app-service2" {
+ app_service_plan_id = azurerm_app_service_plan.example.id
+ location = var.location
+ name = "terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"
+ resource_group_name = azurerm_resource_group.example.name
+ https_only = true
+
+ auth_settings {
+ enabled = false
+ }
+}
+
diff --git a/terraform/azure/instance.tf b/terraform/azure/instance.tf
new file mode 100644
index 0000000000..30a2d777a3
--- /dev/null
+++ b/terraform/azure/instance.tf
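Review bot: `app-service1` and `app-service2` are given the identical `name` value `"terragoat-app-service-${var.environment}${random_integer.rnd_int.result}"`, so both resources resolve to the same App Service name in the same resource group and the second one will presumably fail to create with a conflict instead of producing its own findings. Give the second resource a distinct name, e.g. `name = "terragoat-app-service2-${var.environment}${random_integer.rnd_int.result}"`. I would also look at the `sku` block: `tier = "Dynamic"` is the consumption tier while `size = "S1"` is a Standard-tier size, and if the provider accepts that pairing at all it does not read as intentional, so it deserves a comment.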
@@ -0,0 +1,59 @@
+resource random_string "password" {
+ length = 16
+ special = false
+ min_lower = 1
+ min_numeric = 1
+ min_upper = 1
+}
+
+resource azurerm_linux_virtual_machine "linux_machine" {
+ admin_username = "terragoat-linux"
+ admin_password = random_string.password.result
+ location = var.location
+ name = "terragoat-linux"
+ network_interface_ids = [azurerm_network_interface.ni_linux.id]
+ resource_group_name = azurerm_resource_group.example.name
+ size = "Standard_F2"
+ disable_password_authentication = false
+ source_image_reference {
+ publisher = "Canonical"
+ offer = "UbuntuServer"
+ sku = "16.04-LTS"
+ version = "latest"
+ }
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ tags = {
+ terragoat = true
+ environment = var.environment
+ }
+}
+
+resource azurerm_windows_virtual_machine "windows_machine" {
+ admin_password = random_string.password.result
+ admin_username = "tg-${var.environment}"
+ location = var.location
+ name = "tg-win"
+ network_interface_ids = [azurerm_network_interface.ni_win.id]
+ resource_group_name = azurerm_resource_group.example.name
+ size = "Standard_F2"
+ os_disk {
+ caching = "ReadWrite"
+ storage_account_type = "Standard_LRS"
+ }
+
+ source_image_reference {
+ publisher = "MicrosoftWindowsServer"
+ offer = "WindowsServer"
+ sku = "2016-Datacenter"
+ version = "latest"
+ }
+
+ tags = {
+ terragoat = true
+ environment = var.environment
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/key_vault.tf b/terraform/azure/key_vault.tf
new file mode 100644
index 0000000000..878a3ec7f7
--- /dev/null
+++ b/terraform/azure/key_vault.tf
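Review bot: The admin credential for both VMs comes from a `random_string` resource, whose `result` is not treated as sensitive, so the plaintext password is printed in `terraform plan` output and in any CI log that captures it; the same provider's `random_password` resource takes the same arguments and marks its result sensitive. If exposing the password this way is one of the intended findings, say so above the resource, e.g. `# intentional: random_string (not random_password) so the password shows in plan output`; otherwise switch the resource type. `linux_machine` and `windows_machine` also share the single `random_string.password.result`, and the Linux VM sets `disable_password_authentication = false`, so password logins are enabled; both deserve the same kind of marker so a reader knows they are fixture findings and not oversights.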
@@ -0,0 +1,43 @@
+resource "azurerm_key_vault" "example" {
+ name = "terragoat-key-${var.environment}${random_integer.rnd_int.result}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ sku_name = "premium"
+ access_policy {
+ tenant_id = data.azurerm_client_config.current.tenant_id
+ object_id = data.azurerm_client_config.current.object_id
+ key_permissions = [
+ "create",
+ "get",
+ ]
+ secret_permissions = [
+ "set",
+ ]
+ }
+ tags = {
+ environment = var.environment
+ terragoat = true
+ }
+}
+
+resource "azurerm_key_vault_key" "generated" {
+ name = "terragoat-generated-certificate-${var.environment}"
+ key_vault_id = azurerm_key_vault.example.id
+ key_type = "RSA"
+ key_size = 2048
+ key_opts = [
+ "decrypt",
+ "encrypt",
+ "sign",
+ "unwrapKey",
+ "verify",
+ "wrapKey",
+ ]
+}
+
+resource "azurerm_key_vault_secret" "secret" {
+ key_vault_id = azurerm_key_vault.example.id
+ name = "terragoat-secret-${var.environment}"
+ value = random_string.password.result
+}
\ No newline at end of file
diff --git a/terraform/azure/logging.tf b/terraform/azure/logging.tf
new file mode 100644
index 0000000000..b7854fbd6c
--- /dev/null
+++ b/terraform/azure/logging.tf
@@ -0,0 +1,10 @@
+resource azurerm_monitor_log_profile "logging_profile" {
+ storage_account_id = azurerm_storage_account.example.id
+ categories = ["Action"]
+ locations = [var.location]
+ name = "terragoat-${var.environment}"
+ retention_policy {
+ enabled = true
+ days = 30
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/networking.tf b/terraform/azure/networking.tf
new file mode 100644
index 0000000000..da022a3e48
--- /dev/null
+++ b/terraform/azure/networking.tf
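Review bot: `azurerm_key_vault_key.generated` is named `"terragoat-generated-certificate-${var.environment}"` although it is an RSA key (`key_type = "RSA"`), not a certificate; the name will mislead anyone browsing the vault, so rename it, e.g. `name = "terragoat-generated-key-${var.environment}"`, or add a comment explaining the choice. Neither the key nor the secret sets `expiration_date`, and the vault does not set `purge_protection_enabled`; these are presumably deliberate fixture findings, but each resource should carry a comment saying so. The secret stores `random_string.password.result`, the same value used as the VM admin password in instance.tf, which is fine for a fixture but worth a one-line comment on the resource so the coupling is visible.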
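Review bot: The log profile in logging.tf captures only `categories = ["Action"]`, so Write and Delete activity-log events are not retained, and `retention_policy` keeps 30 days; if the partial coverage and short retention are intended findings, mark them with a comment such as `# intentional finding: Write/Delete categories omitted, 30-day retention`, otherwise add `"Write"` and `"Delete"` to the list. `locations = [var.location]` also restricts the profile to a single region, so activity in any other region (and, presumably, global events) is not captured; that is worth stating in the same comment.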
@@ -0,0 +1,85 @@
+resource "azurerm_virtual_network" "example" {
+ name = "terragoat-vn-${var.environment}"
+ address_space = ["10.0.0.0/16"]
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+}
+
+resource "azurerm_subnet" "example" {
+ name = "terragoat-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+ virtual_network_name = azurerm_virtual_network.example.name
+ address_prefixes = ["10.0.0.0/24"]
+}
+
+resource "azurerm_network_interface" "ni_linux" {
+ name = "terragoat-linux-${var.environment}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource "azurerm_network_interface" "ni_win" {
+ name = "terragoat-win-${var.environment}"
+ location = azurerm_resource_group.example.location
+ resource_group_name = azurerm_resource_group.example.name
+
+ ip_configuration {
+ name = "internal"
+ subnet_id = azurerm_subnet.example.id
+ private_ip_address_allocation = "Dynamic"
+ }
+}
+
+resource azurerm_network_security_group "bad_sg" {
+ location = var.location
+ name = "terragoat-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+
+ security_rule {
+ access = "Allow"
+ direction = "Inbound"
+ name = "AllowSSH"
+ priority = 200
+ protocol = "TCP"
+ source_address_prefix = "*"
+ source_port_range = "*"
+ destination_port_range = "22-22"
+ destination_address_prefix = "*"
+ }
+
+ security_rule {
+ access = "Allow"
+ direction = "Inbound"
+ name = "AllowRDP"
+ priority = 300
+ protocol = "TCP"
+ source_address_prefix = "*"
+ source_port_range = "*"
+ destination_port_range = "3389-3389"
+ destination_address_prefix = "*"
+ }
+}
+
+resource azurerm_network_watcher "network_watcher" {
+ location = var.location
+ name = "terragoat-network-watcher-${var.environment}"
+ resource_group_name = azurerm_resource_group.example.name
+}
+
+resource azurerm_network_watcher_flow_log "flow_log" {
+ enabled = false
+ network_security_group_id = azurerm_network_security_group.bad_sg.id
+ network_watcher_name = azurerm_network_watcher.network_watcher.name
+ resource_group_name = azurerm_resource_group.example.name
+ storage_account_id = azurerm_storage_account.example.id
+ retention_policy {
+ enabled = false
+ days = 10
+ }
+}
\ No newline at end of file
diff --git a/terraform/azure/policies.tf b/terraform/azure/policies.tf
new file mode 100644
index 0000000000..76ffd9f123
--- /dev/null
+++ b/terraform/azure/policies.tf
@@ -0,0 +1,51 @@
+resource "azurerm_policy_definition" "policy-res" {
+ name = "terragoat-policy-${var.environment}"
+ policy_type = "Custom"
+ mode = "Indexed"
+ display_name = "acceptance test policy definition"
+ metadata = <
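Review bot: `azurerm_network_security_group.bad_sg` declares inbound-allow rules from `source_address_prefix = "*"` for ports 22 and 3389, but nothing in networking.tf attaches it: neither `ni_linux` nor `ni_win` carries an NSG association and no subnet association resource exists in this commit, so its only reference is `network_security_group_id` in `flow_log`. As written the rules affect no traffic (the NICs also have no public IP) and exist only to trigger static-analysis findings; that should be stated on the resource, e.g. `# intentional finding: permissive NSG, deliberately left unattached`, so a later contributor does not "complete" the setup by attaching it to the VMs. `flow_log` with `enabled = false` and a disabled `retention_policy` is presumably the matching logging finding and deserves the same marker.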