terracop 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 74d2da000770e8368a6f10a0743761edde55a5da61828714725b7567462c13c0
+  data.tar.gz: 05b65c4774aa057bed14d6cc4760c73354ae8675897d3fd7921d2e44952d426d
+SHA512:
+  metadata.gz: 303ef1de659d6d6192c20e4ff171b4078e6df28b3c14a1cb2201ea1971c0e2d587c357d1f862b951a194ca60326fb898853bf1476bf487af045a2ac029537c3b
+  data.tar.gz: bb449b0e607af344ac09e5acec0b198e91d8fe4d2a7c1ac55d53e49a1c3dbd815eaa680675a53a211ce5e03a3c9d00bd8d1d5f8a55de3561d1f206a85ba1804f

data/.github/workflows/ruby.yml

@@ -0,0 +1,20 @@
+name: Ruby
+
+on: [push]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+    - uses: actions/checkout@v1
+    - name: Set up Ruby 2.6
+      uses: actions/setup-ruby@v1
+      with:
+        ruby-version: 2.6.x
+    - name: Build and test with Rake
+      run: |
+        gem install bundler
+        bundle install --jobs 4 --retry 3
+        bundle exec rspec

data/.gitignore

@@ -0,0 +1,14 @@
+/.bundle/
+/.yardoc
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+
+# rspec failure tracking
+.rspec_status
+
+.DS_Store
+.byebug_history

data/.rspec

@@ -0,0 +1,3 @@
+--format documentation
+--color
+--require spec_helper

data/.rubocop.yml

@@ -0,0 +1,14 @@
+require:
+  - rubocop-rspec
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/**/*
+    - terracop.gemspec
+
+Style/AsciiComments:
+  # I will use emojis!
+  Enabled: false
+
+RSpec/NestedGroups:
+  Max: 7

data/.travis.yml

@@ -0,0 +1,7 @@
+---
+sudo: false
+language: ruby
+cache: bundler
+rvm:
+  - 2.6.3
+before_install: gem install bundler -v 2.0.2

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+This project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## 0.1.0
+
+- Initial release.
+- Can load Terraform 0.12 state and plan files.
+- Performs a number of generic checks on all resources.
+- Performs some AWS-specific security checks on some resources.
+- Loads a default configuration file.
+- Allows configuration overrides through `.terracop.yml`.

data/Gemfile

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in terracop.gemspec
+gemspec
+
+# Use latest unreleased simplecov to get Branch Coverage
+# gem 'simplecov', git: 'https://github.com/colszowka/simplecov.git'
+# gem 'simplecov-html', git: 'https://github.com/colszowka/simplecov-html.git'

data/Gemfile.lock

@@ -0,0 +1,66 @@
+PATH
+  remote: .
+  specs:
+    terracop (0.1.0)
+      colorize (~> 0.8)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    ast (2.4.0)
+    byebug (11.0.1)
+    colorize (0.8.1)
+    diff-lcs (1.3)
+    docile (1.3.2)
+    jaro_winkler (1.5.4)
+    json (2.3.0)
+    parallel (1.19.1)
+    parser (2.6.5.0)
+      ast (~> 2.4.0)
+    rainbow (3.0.0)
+    rake (10.5.0)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.0)
+    rubocop (0.78.0)
+      jaro_winkler (~> 1.5.1)
+      parallel (~> 1.10)
+      parser (>= 2.6)
+      rainbow (>= 2.2.2, < 4.0)
+      ruby-progressbar (~> 1.7)
+      unicode-display_width (>= 1.4.0, < 1.7)
+    rubocop-rspec (1.37.1)
+      rubocop (>= 0.68.1)
+    ruby-progressbar (1.10.1)
+    simplecov (0.17.1)
+      docile (~> 1.1)
+      json (>= 1.8, < 3)
+      simplecov-html (~> 0.10.0)
+    simplecov-html (0.10.2)
+    unicode-display_width (1.6.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bundler (~> 2.0)
+  byebug (~> 11.0)
+  rake (~> 10.0)
+  rspec (~> 3.0)
+  rubocop (~> 0.78)
+  rubocop-rspec (~> 1.37)
+  simplecov (~> 0.10)
+  terracop!
+
+BUNDLED WITH
+   2.0.2

data/LICENSE.md

@@ -0,0 +1,21 @@
+# The MIT License (MIT)
+Copyright © 2019 Francesco Boffa
+
+* * *
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the “Software”), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,49 @@
+# Terracop
+
+Terracop is a HashiCorp [Terraform](https://www.terraform.io/) state / plan
+parser and analyzer. Put it in a CI pipeline to analyze your Terraform plans
+or run it on already applied states and see what could be improved.
+
+The checks run by Terracop go anywhere from resource names guidelines to
+identifying security holes in your configuration.
+
+_Terracop is massively inspired by [Rubocop](https://github.com/rubocop-hq/rubocop)._
+
+## Installation
+
+**Terracop** installation is pretty standard:
+
+    $ gem install terracop
+
+If you'd rather install RuboCop using bundler, don't require it in your Gemfile:
+
+    gem 'terracop', require: false
+
+## Compatibility
+
+Terracop can work with state and plan files generated by Terraform 0.12.
+
+## Usage
+
+You can run terracop from the same directory where you would run terraform and
+it will automatically pull the state file and analyze it.
+
+If you want to analyze a state file somewhere on your machine you can pass it
+like this:
+
+    $ terracop --state path/to/state/file
+
+Terracop can (will) parse also terraform plan files, in order to report
+potential issues before you apply the plan and make the problem permanent. Eg:
+
+    $ terraform plan -out tfplan
+    $ terracop --plan tfplan
+    $ terraform apply tfplan
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/aomega08/terracop.
+
+## Copyright
+
+Copyright (c) 2019-2020 Francesco Boffa. See [LICENSE.md](LICENSE.md) for further details.

data/Rakefile

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task default: :spec

data/bin/console

@@ -0,0 +1,15 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require 'bundler/setup'
+require 'terracop'
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require 'irb'
+IRB.start(__FILE__)

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/bin/terracop

@@ -0,0 +1,52 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+$LOAD_PATH.unshift(File.expand_path('../lib', __dir__))
+
+require 'bundler/setup'
+require 'optparse'
+require 'terracop'
+
+formatter = :default
+state = nil
+plan = nil
+type = :state
+
+OptionParser.new do |opts|
+  opts.banner += ' <state_file.json>'
+
+  opts.on(
+    '-f', '--format FORMAT', /(default|html|json)/,
+    'Use a specific formatter for the output'
+  ) do |arg|
+    formatter = arg[0].to_sym
+  end
+
+  opts.on('-s', '--state FILE', 'Specify the state file to analyze') do |arg|
+    state = arg
+  end
+
+  opts.on('-p', '--plan FILE', 'Specify the terraform plan to analyze') do |arg|
+    plan = arg
+    type = :plan
+  end
+
+  opts.on_tail('-h', '--help', 'Prints this help') do
+    puts opts
+    exit
+  end
+
+  opts.on_tail('-v', '--version', 'Show version') do
+    puts Terracop::VERSION
+    exit
+  end
+
+  opts.parse!
+end
+
+if state && plan
+  puts 'You can analyze either a state or a plan, but not both.'
+  exit
+end
+
+Terracop::Runner.new(type, state || plan, formatter).run

data/default_config.yml

@@ -0,0 +1 @@
+---

data/lib/terracop/cop/aws/describe_security_group_rules.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop checks for AWS Security Group rules with no description.
+      # Reading terraform code can immediately tell why a rule is in place, but
+      # the AWS console is a bit more cryptic and a description can help.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "rule" {
+      #     source_security_group_id = "sg-123456"
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "rule" {
+      #     source_security_group_id = "sg-123456"
+      #     description = "Traffic from the load balancer"
+      #   }
+      class DescribeSecurityGroupRules < Base
+        register
+        applies_to :aws_security_group_rule
+
+        def check
+          return unless attributes['description'] == ''
+
+          offense('Add a description to security group rules.')
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/ensure_tags.rb

@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop makes sure that AWS resources that can be tagged, are indeed
+      # tagged.
+      # By default it just checks that resources have at least one tag, any tag.
+      # It is configurable to enforce the existance of some specific tags.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_alb" "lb" {
+      #     name_prefix = "app"
+      #   }
+      #
+      #   # good
+      #   resource "aws_alb" "lb" {
+      #     name_prefix = "app"
+      #     tags = {
+      #       environment = "staging"
+      #     }
+      #   }
+      class EnsureTags < Base
+        register
+
+        def check
+          return unless attributes['tags']
+
+          if self.class.config['Required']
+            check_required(self.class.config['Required'])
+          elsif attributes['tags'].empty?
+            offense 'Tag resources properly.'
+          end
+        end
+
+        private
+
+        def check_required(required_tags)
+          required_tags.each do |key|
+            unless attributes['tags'][key]
+              offense "Required tag \"#{key}\" is missing on this resource."
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/iam_role_policy.rb

@@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against the use of inline role policies.
+      # Inline policies tend to be copy/pasted, sometimes with minor changes
+      # and are not shown in the "Policies" tab of AWS IAM.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_role" "role" { }
+      #
+      #   resource "aws_iam_role_policy" "policy" {
+      #     role = aws_role.role.id
+      #     name = "policy"
+      #
+      #     policy = <some policy>
+      #   }
+      #
+      #   # good
+      #   resource "aws_role" "role" { }
+      #
+      #   resource "aws_iam_policy" "policy" {
+      #     name        = "test-policy"
+      #
+      #     policy = <some policy>
+      #   }
+      #
+      #   resource "aws_iam_role_policy_attachment" "attach" {
+      #     role       = aws_iam_role.role.name
+      #     policy_arn = aws_iam_policy.policy.arn
+      #   }
+      class IamRolePolicy < Base
+        register
+        applies_to :aws_iam_role_policy
+
+        def check
+          offense('Use aws_iam_role_policy_attachment instead of attaching ' \
+                  'inline policies with aws_iam_role_policy.')
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/open_egress.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against an egress rule to 0.0.0.0/0.
+      # While very common, and not necessarily an offense, you may want to lock
+      # the outbound traffic to some specific addresses (or even other security
+      # groups), especially in highly regulated environments.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "egress" {
+      #     type        = "egress"
+      #     cidr_blocks = ["0.0.0.0/0"]
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "egress" {
+      #     type        = "egress"
+      #     cidr_blocks = ["10.4.0.0/16"]
+      #   }
+      #
+      #   # better
+      #   resource "aws_security_group_rule" "egress" {
+      #     type              = "egress"
+      #     security_group_id = aws_security_group.destination.id
+      #   }
+      class OpenEgress < SecurityGroupRuleCop
+        register
+
+        def check
+          return unless egress? && any_ip?
+
+          offense('Avoid allowing egress traffic to 0.0.0.0/0.', :security)
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/open_ingress.rb

@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against an ingress rule from 0.0.0.0/0.
+      # With a couple of specific exceptions, you don't want to allow traffic
+      # from anywhere in the world to most of your infrastructure.
+      # A common exception is the external Load Balancer receiving traffic
+      # for a website. Use the `Except` configuration to whitelist that specific
+      # rule.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     cidr_blocks = ["0.0.0.0/0"]
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     cidr_blocks = ["10.4.0.0/16"]
+      #   }
+      #
+      #   # better
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type              = "ingress"
+      #     security_group_id = aws_security_group.source.id
+      #   }
+      class OpenIngress < SecurityGroupRuleCop
+        register
+
+        def check
+          return unless ingress? && any_ip?
+
+          offense('Avoid allowing ingress traffic from 0.0.0.0/0.', :security)
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/open_ssh.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against an ingress rule from 0.0.0.0/0 on port 22 (SSH).
+      # That is a Very Bad Idea™.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type        = "ingress"
+      #     cidr_blocks = ["0.0.0.0/0"]
+      #     # Notice this port range includes 22
+      #     from_port   = 10
+      #     to_port     = 30
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "ingress" {
+      #     type       = "ingress"
+      #     cidr_blocks = ["1.2.3.4/32"]
+      #     from_port   = 22
+      #     to_port     = 22
+      #   }
+      class OpenSsh < SecurityGroupRuleCop
+        register
+
+        def check
+          return unless ingress? && any_ip? && tcp? && port?(22)
+
+          offense('Do not leave port 22 (SSH) open to the world.', :security)
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/security_group_rule_cop.rb

@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/base'
+
+module Terracop
+  module Cop
+    module Aws
+      # Base class that provides helper methods for other Cops checking
+      # Security Group rules.
+      class SecurityGroupRuleCop < Base
+        applies_to :aws_security_group_rule
+
+        protected
+
+        def ingress?
+          attributes['type'] == 'ingress'
+        end
+
+        def egress?
+          attributes['type'] == 'egress'
+        end
+
+        def any_ip?
+          attributes['cidr_blocks'].include?('0.0.0.0/0')
+        end
+
+        def tcp?
+          attributes['protocol'] == 'tcp'
+        end
+
+        def udp?
+          attributes['protocol'] == 'udp'
+        end
+
+        def port?(port)
+          (attributes['from_port']..attributes['to_port']).include?(port)
+        end
+
+        def any_port?
+          (attributes['from_port']..attributes['to_port']).count == 65_536
+        end
+      end
+    end
+  end
+end

data/lib/terracop/cop/aws/unrestricted_egress_ports.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+require 'terracop/cop/aws/security_group_rule_cop'
+
+module Terracop
+  module Cop
+    module Aws
+      # This cop warns against egress security group rules that allow any port.
+      # This would, for example, allow an attacker to use your machine to send
+      # spam emails, since you left port 25 outbound open.
+      #
+      # @example
+      #   # bad
+      #   resource "aws_security_group_rule" "egress" {
+      #     type        = "egress"
+      #     from_port   = 0
+      #     to_port     = 65535
+      #   }
+      #
+      #   # good
+      #   resource "aws_security_group_rule" "egress" {
+      #     type        = "egress"
+      #     from_port   = 443
+      #     to_port     = 443
+      #   }
+      class UnrestrictedEgressPorts < SecurityGroupRuleCop
+        register
+
+        def check
+          return unless egress? && (tcp? || udp?) && any_port?
+
+          offense('Limit egress traffic to small port ranges.', :security)
+        end
+      end
+    end
+  end
+end