tfsec VS terraformer

tfsec Owner/Maintainer: Aqua Security (acquired in 2021) Age: First released on GitHub on March 5th, 2019 License: MIT License tfsec project is no longer actively maintained in favor of the Trivy tool. But because many people still use it and it's quite famous, I added tfsec to this comparison. However, I recommend against using it for new projects.

‍Tfsec acts as a Terraform scanning tool. It is a security-focused linter for Terraform that scans code for security flaws, offering an additional layer of security assurance and helping to maintain a strong security posture.

... #************************** Terraform ************************************* ARG TERRAFORM_VERSION=1.7.3 RUN set -ex \ && curl -O https://releases.hashicorp.com/terraform/${TERRAFORM_VERSION}/terraform_${TERRAFORM_VERSION}_linux_amd64.zip && unzip terraform_${TERRAFORM_VERSION}_linux_amd64.zip -d /usr/local/bin/ RUN set -ex \ && mkdir -p $HOME/.terraform.d/plugin-cache && echo 'plugin_cache_dir = "$HOME/.terraform.d/plugin-cache"' > ~/.terraformrc #************************* Terragrunt ************************************* ARG TERRAGRUNT_VERSION=0.55.1 RUN set -ex \ && wget https://github.com/gruntwork-io/terragrunt/releases/download/v${TERRAGRUNT_VERSION}/terragrunt_linux_amd64 -q \ && mv terragrunt_linux_amd64 /usr/local/bin/terragrunt \ && chmod +x /usr/local/bin/terragrunt #*********************** Terramate **************************************** ARG TERRAMATE_VERSION=0.4.5 RUN set -ex \ && wget https://github.com/mineiros-io/terramate/releases/download/v${TERRAMATE_VERSION}/terramate_${TERRAMATE_VERSION}_linux_x86_64.tar.gz \ && tar -xzf terramate_${TERRAMATE_VERSION}_linux_x86_64.tar.gz \ && mv terramate /usr/local/bin/terramate \ && chmod +x /usr/local/bin/terramate #*********************** tfsec ******************************************** ARG TFSEC_VERSION=1.28.5 RUN set -ex \ && wget https://github.com/aquasecurity/tfsec/releases/download/v${TFSEC_VERSION}/tfsec-linux-amd64 \ && mv tfsec-linux-amd64 /usr/local/bin/tfsec \ && chmod +x /usr/local/bin/tfsec \ && terragrunt --version #**********************Terraform docs ************************************ ARG TERRRAFORM_DOCS_VERSION=0.17.0 RUN set -ex \ && curl -sSLo ./terraform-docs.tar.gz https://terraform-docs.io/dl/v${TERRRAFORM_DOCS_VERSION}/terraform-docs-v${TERRRAFORM_DOCS_VERSION}-$(uname)-amd64.tar.gz \ && tar -xzf terraform-docs.tar.gz \ && chmod +x terraform-docs \ && mv terraform-docs /usr/local/bin/terraform-docs #********************* ShellCheck ***************************************** ARG SHELLCHECK_VERSION="stable" RUN set -ex \ && wget -qO- "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION?}/shellcheck-${SHELLCHECK_VERSION?}.linux.x86_64.tar.xz" | tar -xJv \ && cp "shellcheck-${SHELLCHECK_VERSION}/shellcheck" /usr/bin/ \ && shellcheck --version ...

You can give tfsec a try perhaps

Great toolchain, including Infracost or tfsec.

TFSec is an open-source tool for scanning and detecting potential security vulnerabilities in Terraform code in both HCL and JSON.

We use https://github.com/aquasecurity/tfsec we found checkov.io to be quite noisy

Beyond Snyk and Checkov - I have also used https://github.com/aquasecurity/tfsec at a few organizations both for use locally and in CI (PR Review Checks)

Once I completed the main steps of the challenge, I went back to do some security modificaions including enabled DNSSEC, deploying WAF (I ended up removing this as the costs were quite high and instead set up account level throttling for my API) and running IAM Access Analyser to flag anything I'd over permissioned. I also set up Git commit signing and added a new Git Action workflow to run Tfsec any time I updated my terraform config files

‍Terraformer is a CLI tool developed by Google that generates Terraform files from existing infrastructure (reverse Terraform), simplifying the process of adopting Terraform in existing environments and speeding up the initial setup process. Terraformer supports multiple cloud providers, including AWS, Google Cloud, Azure, and others.

Looking into efficient ways to import existing infrastructure. Using Terraformer to get the everything into Terraform and then refactoring into modules, for_each, etc. using moved blocks seems like it would be a good approach. Refactoring them to use existing modules from providers will take a little work and likely going back and forth with terraform plan, and assuming many things won't translate straight across because of what resources a module might be creating and how they are creating them.

We had thought about the ability to convert HCL to Go, but not much thought in querying existing infra to generate HCL (like terraformer). If you want to experiment building on top of Lingon then please go ahead! I’d be happy to help provide the context from Lingon.

If "ClickOps" is your starting point, as you mention, you could try creating a new scratch cloud provider account, do all your "ClickOps", then use a TF export tool (e.g., Terraformer) to see the exported TF resources to find all the references to other TF resources in the cloud resource dependency chain.

I haven't worked with any of the ones that purport to work with AWS, but a quick Google shows terraformer and Terracognita as options - maybe look into trying those out?

This maybe a bit more complicated if you're not into coding/terraform but I'd use terraformer to convert all of your infrastructure from implementation to code while in AWS, then switch providers and with a bit of jiggly of the code implement your infra into gcs as IaC and keep it that way if/when you switch again.

Maybe terraformer could help. I never tried it personally . https://github.com/GoogleCloudPlatform/terraformer

I've been wondering if this tool is any good. https://github.com/GoogleCloudPlatform/terraformer/blob/master/docs/aws.md

If you've to write the code (I assumed you just needed to reorganize it without TG) maybe consider https://github.com/GoogleCloudPlatform/terraformer