
A static analysis tool for Terraform plans.

Terrafirma

Terrafirma is a Terraform static analysis tool designed for detecting security misconfigurations. Inspired by projects such as bandit and SecurityMonkey, it is designed for use in a continuous integration/deployment environment.

Getting Started

These instructions will get you a copy of the project up and running on your local machine for development and testing purposes. See deployment for notes on how to deploy the project on a live system.

Prerequisites

Terrafirma requires tfjson, because Terraform itself does not support JSON output for plans (see PR:3170).

go get github.com/philips/tfjson

If you encounter errors with newer versions of go, try the following:

# remove the partially vendored dependencies and the stale lock file
rm -rf "${GOPATH}/src/github.com/philips/tfjson/vendor"
rm -f "${GOPATH}/src/github.com/philips/tfjson/Gopkg.lock"
# dep ensure must run from the project root (where Gopkg.toml lives)
cd "${GOPATH}/src/github.com/philips/tfjson"
dep ensure
go install ./...

The package ships with a half-populated vendor directory, which dep does not like, and a hardcoded Gopkg.lock; the commands above remove both and let dep regenerate them.

Installing

Build and install terrafirma as well as its requirements. One way is to use wheels and virtualenv:

virtualenv -p python3 virtualenv
source virtualenv/bin/activate
pip install -r requirements.txt
python setup.py build bdist_wheel
pip install terrafirma --find-links=dist

You can determine if it was installed correctly by running the checks in the next section.

Testing

To check that terrafirma is installed and functioning correctly, run the included tests:

python setup.py test

Usage

  • See Basic Usage for examples of how to use Terrafirma.
  • See Writing Checks for help understanding the check types and implementing new checks.
  • See Tests for running terrafirma unit tests to ensure it's functioning correctly.
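To illustrate the kind of misconfiguration check a tool like this runs over a tfjson-converted plan, here is an added example (not terrafirma's own check API or code). It assumes tfjson's flattened layout, where top-level keys are resource addresses and attribute keys are dotted paths such as ingress.0.cidr_blocks.0, and flags security-group ingress rules open to the whole internet while ignoring resources the plan destroys.

```python
import json
import re

# Constructed sample in the flattened layout assumed for tfjson output: top-level
# keys are resource addresses, attribute keys are dotted paths, values are strings.
SAMPLE_PLAN = """{
  "aws_security_group.web": {
    "destroy": false,
    "ingress.0.from_port": "443", "ingress.0.to_port": "443",
    "ingress.0.cidr_blocks.0": "10.0.0.0/8",
    "ingress.1.from_port": "22", "ingress.1.to_port": "22",
    "ingress.1.cidr_blocks.0": "0.0.0.0/0"
  },
  "aws_security_group.db": {
    "destroy": false,
    "ingress.0.from_port": "5432", "ingress.0.to_port": "5432",
    "ingress.0.cidr_blocks.0": "10.0.1.0/24"
  },
  "aws_security_group.old": {
    "destroy": true,
    "ingress.0.from_port": "0", "ingress.0.to_port": "65535",
    "ingress.0.cidr_blocks.0": "0.0.0.0/0"
  },
  "destroy": false
}"""

WORLD = {"0.0.0.0/0", "::/0"}
CIDR_KEY = re.compile(r"^ingress\.(\d+)\.cidr_blocks\.\d+$")


def open_ingress(plan: dict) -> list:
    """(resource, from_port, to_port) for each security-group ingress rule
    open to the internet; resources being destroyed are skipped."""
    findings = []
    for address, attrs in plan.items():
        # Skip the top-level "destroy" flag, non-SG resources and deletions.
        if (not isinstance(attrs, dict) or attrs.get("destroy")
                or not address.startswith("aws_security_group.")):
            continue
        for key, value in attrs.items():
            m = CIDR_KEY.match(key)
            if m and value in WORLD:
                idx = m.group(1)
                findings.append((address, attrs[f"ingress.{idx}.from_port"],
                                 attrs[f"ingress.{idx}.to_port"]))
    return sorted(findings)

def check_plan_text(text: str) -> list:
    """Parse tfjson-style plan text and run the check; non-empty means fail."""
    return open_ingress(json.loads(text))
```

In a CI job the non-empty result is what fails the build; the destroyed resource "old" is not reported because it will not exist after apply.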