Terraform enables you to safely and predictably create, change, and improve infrastructure. The easy_infra project includes and secures Terraform as a component due to its popularity and versatility in provisioning and updating environments as Infrastructure as Code (IaC). easy_infra uses security tools, such as Checkov, to transparently assess the provided IaC against the defined security policy.
Warning
easy_infra's terraform images are incompatible with the terraform -chdir argument, as documented here.
If you use Software Version Control (such as git) to manage your Terraform IaC, consider executing terraform validate with easy_infra as a pipeline action on commit or pull request:
docker run -v $(pwd):/iac seiso/easy_infra:latest-terraform terraform validate
You can also use easy_infra to deploy your infrastructure using terraform plan and terraform apply:
docker run -v $(pwd):/iac seiso/easy_infra:latest-terraform /bin/bash -c "terraform plan && terraform apply -auto-approve"
Many of the checkov command line parameters can be customized or configured at runtime by setting the below environment variables. By setting these environment variables starting with CHECKOV_, easy_infra will dynamically add the related arguments to the checkov security scanning command, and pass the value of the environment variable to the argument.
For more details regarding how these parameters work, see the checkov documentation.
Environment Variable | CLI Argument |
---|---|
CHECKOV_BASELINE | --baseline |
CHECKOV_BC_API_KEY | --bc-api-key |
CHECKOV_BLOCK_LIST_SECRET_SCAN | --block-list-secret-scan |
CHECKOV_CA_CERTIFICATE | --ca-certificate |
CHECKOV_CHECK | --check |
CHECKOV_CREATE_CONFIG | --create-config |
CHECKOV_DOWNLOAD_EXTERNAL_MODULES | --download-external-modules |
CHECKOV_EVALUATE_VARIABLES | --evaluate-variables |
CHECKOV_EXTERNAL_CHECKS_DIR | --external-checks-dir |
CHECKOV_EXTERNAL_CHECKS_GIT | --external-checks-git |
CHECKOV_EXTERNAL_MODULES_DOWNLOAD_PATH | --external-modules-download-path |
CHECKOV_HARD_FAIL_ON | --hard-fail-on |
CHECKOV_OPENAI_API_KEY | --openai-api-key |
CHECKOV_POLICY_METADATA_FILTER | --policy-metadata-filter |
CHECKOV_PRISMA_API_URL | --prisma-api-url |
CHECKOV_REPO_ID | --repo-id |
CHECKOV_REPO_ROOT_FOR_PLAN_ENRICHMENT | --repo-root-for-plan-enrichment |
CHECKOV_SECRETS_HISTORY_TIMEOUT | --secrets-history-timeout |
CHECKOV_SECRETS_SCAN_FILE_TYPE | --secrets-scan-file-type |
CHECKOV_SKIP_CHECK | --skip-check |
CHECKOV_SKIP_CVE_PACKAGE | --skip-cve-package |
CHECKOV_SOFT_FAIL_ON | --soft-fail-on |
CHECKOV_VAR_FILE | --var-file |
For instance:
CHECKOV_BASELINE=/iac/.checkov.baseline
CHECKOV_EXTERNAL_CHECKS_DIR=/iac/checkov_rules/
CHECKOV_SKIP_CHECK=CKV_AWS_20
docker run --env-file <(env | grep ^CHECKOV_) -v $(pwd):/iac easy_infra:latest-terraform terraform validate
In addition, you can customize some checkov-specific environment variables at runtime for different effects. By setting these environment variables, you are customizing the checkov environment only while it is running.
Environment Variable | Checkov Environment |
---|---|
CHECKOV_LOG_LEVEL | LOG_LEVEL |
For instance, the following command will run with checkov in debug mode (which is separate from running easy_infra in debug mode):
CHECKOV_LOG_LEVEL=DEBUG
docker run --env CHECKOV_LOG_LEVEL -v $(pwd):/iac easy_infra:latest-terraform terraform validate
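The following shell script, added here as an illustration and not part of easy_infra, reproduces the mapping described in the two passages above: every CHECKOV_* variable from the table becomes the matching --flag followed by its value, while CHECKOV_LOG_LEVEL is held back for checkov's environment. Rejecting names that are not in the table is this script's own choice, not documented easy_infra behaviour.

```shell
# CHECKOV_* suffixes that easy_infra maps to checkov arguments (the table above).
CHECKOV_KNOWN="BASELINE BC_API_KEY BLOCK_LIST_SECRET_SCAN CA_CERTIFICATE CHECK CREATE_CONFIG
DOWNLOAD_EXTERNAL_MODULES EVALUATE_VARIABLES EXTERNAL_CHECKS_DIR EXTERNAL_CHECKS_GIT
EXTERNAL_MODULES_DOWNLOAD_PATH HARD_FAIL_ON OPENAI_API_KEY POLICY_METADATA_FILTER PRISMA_API_URL
REPO_ID REPO_ROOT_FOR_PLAN_ENRICHMENT SECRETS_HISTORY_TIMEOUT SECRETS_SCAN_FILE_TYPE SKIP_CHECK
SKIP_CVE_PACKAGE SOFT_FAIL_ON VAR_FILE"

# Translate one variable name into its checkov flag: CHECKOV_SKIP_CHECK -> --skip-check
checkov_flag() {
  printf '%s' "--$(printf '%s' "${1#CHECKOV_}" | tr '_' '-' | tr 'A-Z' 'a-z')"
}

# Build the checkov argument string from NAME=VALUE pairs, as easy_infra does from
# the container environment. CHECKOV_LOG_LEVEL is skipped because it is placed in
# checkov's environment as LOG_LEVEL rather than passed as an argument.
# Assumption of this script (not easy_infra behaviour): any other CHECKOV_* name
# that is not in the table is an error, so a typo fails the pipeline step instead
# of silently scanning with the wrong options.
checkov_args() {
  args=""
  for kv in "$@"; do
    name=${kv%%=*}
    value=${kv#*=}
    suffix=${name#CHECKOV_}
    [ "$name" = "CHECKOV_LOG_LEVEL" ] && continue
    case " $(printf '%s' "$CHECKOV_KNOWN" | tr '\n' ' ') " in
      *" $suffix "*) ;;
      *) echo "unknown checkov variable: $name" >&2; return 1 ;;
    esac
    args="$args $(checkov_flag "$name") $value"
  done
  printf '%s' "${args# }"
}

# Example: checkov_args $(env | grep '^CHECKOV_')
# (word-splitting the env output is fine only while values contain no whitespace)
```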
There are some preinstalled hooks in /opt/hooks/bin/ which apply to terraform commands:
- If the TERRAFORM_VERSION environment variable is customized, easy_infra will attempt to install and switch to that version at runtime. This effectively makes it the "new default" in place of the version which was preinstalled in the version of the easy_infra container.
- If AUTODETECT is set to true, easy_infra will attempt to detect and install the correct version of terraform for each folder that a terraform command runs in, using the required_version block in the code. Since this is module-specific, it will override the default terraform version to use (specified by TERRAFORM_VERSION; see the prior bullet).
If you're working with the same terraform code across multiple runs, you can leverage the cache:
docker run -v $(pwd):/iac -v $(pwd)/plugin-cache:/home/easy_infra/.terraform.d/plugin-cache easy_infra:latest-terraform /bin/bash -c "terraform init; terraform validate"
The injected security tooling can be disabled entirely or individually, using easy_infra-specific command line arguments or environment variables.
Environment variable | Default | Result |
---|---|---|
DISABLE_SECURITY | false | Disables all security tooling (not just Terraform-related) when set to true |
SKIP_CHECKOV | false | Disables Checkov when set to true |
Parameter | Result | Example |
---|---|---|
--disable-security | Disable all security tooling | terraform validate --disable-security |
--skip-checkov | Disable Checkov | terraform --skip-checkov validate |
Note
All command-line arguments in the above table are processed by easy_infra and removed prior to passing parameters to Terraform commands.
If you'd like to autodetect where your Terraform files exist and run the provided command in each of those detected folders, this is the feature for you. This is useful in cases where there is a single repository containing folders which store varying terraform files, and you would like to run a command (or series of commands) on all of them without needing to maintain a method of looping through them yourself.
Environment variable | Default | Result |
---|---|---|
AUTODETECT | false | Autodetect folders containing Terraform files when set to true |
FAIL_FAST | false | Exit as soon as the first failure is encountered, if LEARNING_MODE is also false |
Note
Only .tf files are supported; .tf.json files will not be detected
Note
When AUTODETECT is enabled, the exit code will be the last non-zero exit code in the series
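A stand-alone emulation of the AUTODETECT and FAIL_FAST behaviour described above, added here as an illustration and not easy_infra's own hook code: it runs a command in every folder that holds .tf files, ignores .tf.json, and reports the last non-zero exit code unless FAIL_FAST is true. Skipping vendored modules under .terraform/ is an assumption of this script.

```shell
# Run "$@" in each directory below $1 that contains .tf files, emulating the
# documented AUTODETECT semantics: .tf.json files are not detected, the exit
# status is the last non-zero status seen, and FAIL_FAST=true stops at the
# first failure. Assumption of this script: module copies under .terraform/
# are skipped so the same code is not scanned twice. Directory names
# containing whitespace are not handled by the simple for loop below.
autodetect_run() {
  root=$1
  shift
  last_rc=0
  for dir in $(find "$root" -name '*.tf' ! -path '*/.terraform/*' \
                 -exec dirname {} \; | sort -u); do
    # Run in a subshell so the working directory is restored afterwards.
    (cd "$dir" && "$@")
    rc=$?
    if [ "$rc" -ne 0 ]; then
      last_rc=$rc
      if [ "${FAIL_FAST:-false}" = "true" ]; then
        return "$rc"
      fi
    fi
  done
  return "$last_rc"
}
```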
Checkov allows numerous methods for creating custom policies, such as writing them in Python or using the Checkov-specific DSL in yaml files. These options are described in more detail here.