Metadata-Version: 2.1
Name: terrascan
Version: 0.1.1
Summary: Best practices tests for terraform
Home-page: https://github.com/cesar-rodriguez/terrascan
Author: Cesar Rodriguez
Author-email: therasec@gmail.com
License: GNU General Public License v3
Download-URL: https://github.com/cesar-rodriguez/terrascan/archive/v0.1.1.tar.gz
Keywords: terrascan
Platform: UNKNOWN
Classifier: Development Status :: 2 - Pre-Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU General Public License v3 (GPLv3)
Classifier: Natural Language :: English
Classifier: Programming Language :: Python :: 3.6
Classifier: Programming Language :: Python :: 3.7
Classifier: Programming Language :: Python :: 3.8
Requires-Dist: terraform-validate (==2.5.0)

=========
Terrascan
=========


.. image:: https://img.shields.io/pypi/v/terrascan.svg
        :target: https://pypi.python.org/pypi/terrascan

.. image:: https://img.shields.io/travis/cesar-rodriguez/terrascan.svg
        :target: https://travis-ci.org/cesar-rodriguez/terrascan

.. image:: https://readthedocs.org/projects/terrascan/badge/?version=latest
        :target: https://terrascan.readthedocs.io/en/latest/?badge=latest
        :alt: Documentation Status

.. image:: https://pyup.io/repos/github/cesar-rodriguez/terrascan/shield.svg
     :target: https://pyup.io/repos/github/cesar-rodriguez/terrascan/
     :alt: Updates


A collection of security and best practice tests for static code analysis of terraform_ templates using terraform_validate_.

.. _terraform: https://www.terraform.io
.. _terraform_validate: https://github.com/elmundio87/terraform_validate

* GitHub Repo: https://github.com/cesar-rodriguez/terrascan
* Documentation: https://terrascan.readthedocs.io.
* Free software: GNU General Public License v3

--------
Features
--------
Terrascan will perform tests on your terraform templates to ensure:

- **Encryption**
    - Server Side Encryption (SSE) enabled
    - Use of AWS Key Management Service (KMS) with Customer Managed Keys (CMK)
    - Use of SSL/TLS and proper configuration
- **Security Groups**
    - Provisioning SGs in EC2-classic
    - Ingress open to 0.0.0.0/0
- **Public Exposure**
    - Services with public exposure other than Gateways (NAT, VGW, IGW)
- **Logging & Monitoring**
    - Access logs enabled to resources that support it
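As an added example (not terrascan's own code), the following Python implements two of the checks listed above, the Security Groups check for ingress open to 0.0.0.0/0 and the Encryption check for SSE and a KMS customer managed key on EBS volumes, over a constructed Terraform JSON (.tf.json) document. The resource and attribute names follow Terraform's ``aws_security_group`` and ``aws_ebs_volume`` schema; the KMS key ARN is a placeholder.

```python
# Added example (not terrascan's own code): two of the checks listed above,
# run over a constructed Terraform JSON (.tf.json) document. Terraform's JSON
# syntax nests resources as resource -> type -> name -> body, which is also
# the shape pyhcl returns for HCL, so the checks apply to either input.
import json

# Constructed sample: one open and one restricted security group, one
# unencrypted EBS volume and one encrypted with a (placeholder) CMK.
SAMPLE_TF_JSON = """
{"resource": {
  "aws_security_group": {
    "web_open": {"ingress": [{"from_port": 22, "to_port": 22,
                  "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]},
    "web_private": {"ingress": [{"from_port": 443, "to_port": 443,
                     "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}
  },
  "aws_ebs_volume": {
    "data_plain": {"availability_zone": "us-east-1a", "size": 8},
    "data_enc": {"availability_zone": "us-east-1a", "size": 8,
                 "encrypted": true, "kms_key_id": "arn:aws:kms:PLACEHOLDER"}
  }
}}
"""

def resources(tf, rtype):
    # (name, body) pairs for every resource of the given type
    return tf.get("resource", {}).get(rtype, {}).items()

def open_ingress(tf):
    """Security Groups check: ingress rules that admit 0.0.0.0/0."""
    findings = []
    for name, body in resources(tf, "aws_security_group"):
        rules = body.get("ingress", [])
        # a single ingress block may be parsed as a dict rather than a list
        for rule in rules if isinstance(rules, list) else [rules]:
            if "0.0.0.0/0" in rule.get("cidr_blocks", []):
                findings.append(f"aws_security_group.{name}: "
                                f"{rule.get('from_port')}-{rule.get('to_port')} open to 0.0.0.0/0")
    return findings

def unencrypted_volumes(tf):
    """Encryption check: EBS volumes lacking SSE or a customer managed key."""
    findings = []
    for name, body in resources(tf, "aws_ebs_volume"):
        if not body.get("encrypted"):
            findings.append(f"aws_ebs_volume.{name}: encrypted is not true")
        elif not body.get("kms_key_id"):
            findings.append(f"aws_ebs_volume.{name}: no KMS customer managed key")
    return findings

def scan(text):
    """Parse a .tf.json document and return all findings as strings."""
    tf = json.loads(text)
    return open_ingress(tf) + unencrypted_volumes(tf)
```

Running ``scan(SAMPLE_TF_JSON)`` reports the open port 22 rule on ``web_open`` and the unencrypted ``data_plain`` volume, and stays silent on the two compliant resources.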

----------
Installing
----------
Terrascan uses Python and depends on terraform-validate and pyhcl. After installing Python on your system, install terrascan with pip:

    $ pip install terrascan


-----------------
Running the tests
-----------------
To run all tests, execute terrascan as follows, replacing the location with the path to your terraform templates:

    $ terrascan --location tests/infrastructure/success --tests all

To run a specific test, run the following command, replacing ``encryption`` with the name of the test to run:

    $ terrascan --location tests/infrastructure/success --tests encryption

To learn more about the CLI options, execute the following:

    $ terrascan -h

--------------
Feature Status
--------------
Legend:
    - `:heavy_minus_sign:` = test needs to be implemented
    - `:heavy_check_mark:` = test implemented
    - **blank** = not applicable

========================================  ======================  ======================  ======================  ======================
 Terraform resources                       Encryption              Security Groups         Public exposure         Logging & Monitoring
========================================  ======================  ======================  ======================  ======================
 aws_alb                                                                                   `:heavy_check_mark:`    `:heavy_check_mark:`
 aws_alb_listener                          `:heavy_check_mark:`
 aws_ami                                   `:heavy_check_mark:`
 aws_ami_copy                              `:heavy_check_mark:`
 aws_api_gateway_domain_name               `:heavy_check_mark:`
 aws_cloudfront_distribution               `:heavy_check_mark:`                                                    `:heavy_check_mark:`
 aws_cloudtrail                            `:heavy_check_mark:`                                                    `:heavy_check_mark:`
 aws_codebuild_project                     `:heavy_check_mark:`
 aws_codepipeline                          `:heavy_check_mark:`
 aws_db_instance                           `:heavy_check_mark:`                            `:heavy_check_mark:`
 aws_db_security_group                                             `:heavy_check_mark:`
 aws_dms_endpoint                          `:heavy_check_mark:`
 aws_dms_replication_instance              `:heavy_check_mark:`                            `:heavy_check_mark:`
 aws_ebs_volume                            `:heavy_check_mark:`
 aws_efs_file_system                       `:heavy_check_mark:`
 aws_elasticache_security_group                                    `:heavy_check_mark:`
 aws_elastictranscoder_pipeline            `:heavy_check_mark:`
 aws_elb                                   `:heavy_check_mark:`                            `:heavy_check_mark:`    `:heavy_check_mark:`
 aws_emr_cluster                                                                                                   `:heavy_check_mark:`
 aws_instance                              `:heavy_check_mark:`                            `:heavy_check_mark:`
 aws_kinesis_firehose_delivery_stream      `:heavy_check_mark:`                                                    `:heavy_check_mark:`
 aws_lambda_function                       `:heavy_check_mark:`
 aws_launch_configuration                                                                                          `:heavy_check_mark:`
 aws_lb_ssl_negotiation_policy             `:heavy_minus_sign:`
 aws_load_balancer_backend_server_policy   `:heavy_minus_sign:`
 aws_load_balancer_listener_policy         `:heavy_minus_sign:`
 aws_load_balancer_policy                  `:heavy_minus_sign:`
 aws_opsworks_application                  `:heavy_check_mark:`                            `:heavy_minus_sign:`
 aws_opsworks_custom_layer                                                                 `:heavy_minus_sign:`
 aws_opsworks_ganglia_layer                                                                `:heavy_minus_sign:`
 aws_opsworks_haproxy_layer                                                                `:heavy_minus_sign:`
 aws_opsworks_instance                                                                     `:heavy_minus_sign:`
 aws_opsworks_java_app_layer                                                               `:heavy_minus_sign:`
 aws_opsworks_memcached_layer                                                              `:heavy_minus_sign:`
 aws_opsworks_mysql_layer                                                                  `:heavy_minus_sign:`
 aws_opsworks_nodejs_app_layer                                                             `:heavy_minus_sign:`
 aws_opsworks_php_app_layer                                                                `:heavy_minus_sign:`
 aws_opsworks_rails_app_layer                                                              `:heavy_minus_sign:`
 aws_opsworks_static_web_layer                                                             `:heavy_minus_sign:`
 aws_rds_cluster                           `:heavy_check_mark:`
 aws_rds_cluster_instance                                                                  `:heavy_check_mark:`
 aws_redshift_cluster                      `:heavy_check_mark:`                            `:heavy_check_mark:`    `:heavy_check_mark:`
 aws_redshift_parameter_group              `:heavy_minus_sign:`                                                    `:heavy_minus_sign:`
 aws_redshift_security_group                                        `:heavy_check_mark:`
 aws_s3_bucket                                                                             `:heavy_check_mark:`    `:heavy_check_mark:`
 aws_s3_bucket_object                      `:heavy_check_mark:`
 aws_security_group                                                 `:heavy_check_mark:`
 aws_security_group_rule                                            `:heavy_check_mark:`
 aws_ses_receipt_rule                      `:heavy_minus_sign:`
 aws_sqs_queue                             `:heavy_check_mark:`
 aws_ssm_maintenance_window_task                                                                                   `:heavy_check_mark:`
 aws_ssm_parameter                         `:heavy_check_mark:`
========================================  ======================  ======================  ======================  ======================




