In application development, automated tests often stop at the application level. But what if we could push the boundaries and extend this to the very foundation of our applications – the infrastructure level?

In this two-part blog series, we will discuss various tools available for infrastructure testing, focusing on Terraform, a popular Infrastructure as Code (IaC) tool. In this first part, we will discuss three tools that excel in static analysis: tfsec, Terrascan, and driftctl.

First Things First: The Art of Using Git

Before we start our overview of static analysis tools, let’s focus on the basics. Git is more than just a version control system; it’s a powerful tool that, when used correctly, can provide a robust first line of defence.

Running a Terraform plan when creating a pull request also allows us to evaluate more than just the code itself. It gives us a glimpse into the potential impact of our changes on the infrastructure.

Pull requests can sometimes be accepted too quickly, so it’s crucial to review each other’s code. By dedicating time to thoroughly reviewing code and using the four-eyes principle, we can make sure that our code is not just functional, but also secure and efficient.

Tfsec: The Security Sentinel

tfsec is a static analysis tool (now part of the overarching Trivy solution) with a focus on security checks that constantly scans your Terraform code for potential security vulnerabilities. It is basically a dataset full of rules for code, like naming your objects according to certain rules.

Of course, some of the default rules make no sense in some cases. To solve this, we can ignore checks by adding the following line above the resource or module block.

#tfsec:ignore:<RULE_ID> 
Resource "" "" {}  
#or 
#tfsec:ignore:<RULE_ID> tfsec:ignore:<RULE_ID> 
Module "" "" {}

Tfsec features a high degree of customisability, letting you alter just about everything you want. You can create a config file to exclude rules, edit the severity of checks, and add your own checks formatted in JSON or YAML, like in this example.

--- 
exclude: 
  - aws-ec2-add-description-to-security-group-rule 
severity_overrides: 
  aws-ssm-secret-use-customer-key: HIGH 
custom_rules: 
  .tfsec/ec2_tag_name_tfchecks.json

It also runs great in your CI/CD pipeline, including the option to add comments on pull requests. If you want to try out tfsec’s many possibilities, you’ll be happy to know that it also has some great documentation available.

Terrascan: The Compliance Crusader

Terrascan is designed for security and compliance scanning of Terraform configurations and infrastructure code, making sure that it aligns with best practices and meets compliance requirements.

Terrascan is similar to tfsec, but less flexible to customise. Customising its rules requires frequent references to documentation, because you’ll have to search for the descriptions of specific rules if you want to ignore them. There are also multiple sources where you can get Terrascan and, depending on your source, features might work differently or just be unavailable.

Compare this to just adding a single line of code in tfsec, as we’ve shown above, and you’ll understand why getting your setup right with Terrascan can be a frustrating experience.

Driftctl: The Drift Detective

Unlike tfsec and Terrascan, driftctl has a more niche use case: tracking and managing infrastructure drift. It’s constantly on the lookout for discrepancies between your Terraform state file and the actual state of your deployed infrastructure by checking with your cloud provider.

This also lets you check the usage of your IaC tools by showing you a coverage percentage. A low number might indicate that your account has different environments, your IaC is split up in different state files, or there are a few resources that have been created manually.

However, there is one big catch: the project’s GitHub repository mentions that it is currently in maintenance mode. New contributions may not be reviewed or integrated, posing potential security risks. It’s still worth using for its niche use case, but you should definitely use at least one other tool to check your code’s security.

Conclusion

Each of these tools brings unique strengths to the table. tfsec shines in its simplicity and focus on security, Terrascan offers comprehensive security and compliance scanning, and driftctl excels in detecting and managing infrastructure drift. The choice between these tools depends on your specific needs and the challenges you face in managing your Terraform infrastructure.

Stay tuned for part two of our Terraform testing blog series, where we’ll compare two tools for unit and integration testing: Terratest and Terraform Test.

Need some help figuring out the latest Terraform tools, or have some other DevOps-related questions? Don’t hesitate to contact us, we’ll gladly help you out!