Bird
Raised Fist0
Terraformcloud~30 mins

Terraform security scanning tools - Mini Project: Build & Apply

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Terraform Security Scanning Tools Setup
📖 Scenario: You are working as a cloud engineer responsible for ensuring your Terraform infrastructure code is secure before deployment. You want to integrate a security scanning tool to automatically check your Terraform files for common security issues.
🎯 Goal: Build a Terraform configuration that sets up a security scanning tool integration using a local-exec provisioner to run terraform-compliance checks on your Terraform files.
📋 What You'll Learn
Create a Terraform resource block for a null_resource named security_scan.
Add a local-exec provisioner inside the resource to run the command terraform-compliance -p plan.out -f features/.
Define a variable scan_command with the exact command string to run the security scan.
Add a depends_on attribute to the resource to depend on terraform_plan resource.
💡 Why This Matters
🌍 Real World
Security scanning tools help catch misconfigurations and vulnerabilities in Terraform code before deployment, reducing risks in cloud infrastructure.
💼 Career
Cloud engineers and DevOps professionals use Terraform security scanning tools to ensure infrastructure as code is safe and compliant with best practices.
Progress0 / 4 steps
1
Create a null_resource for security scanning
Create a Terraform resource block named security_scan of type null_resource.
Terraform
Hint

Use resource "null_resource" "security_scan" { } to start.

2
Define a variable for the scan command
Add a Terraform variable named scan_command with the default value "terraform-compliance -p plan.out -f features/".
Terraform
Hint

Use variable "scan_command" { default = "terraform-compliance -p plan.out -f features/" }.

3
Add local-exec provisioner to run the scan command
Inside the security_scan resource, add a provisioner "local-exec" block that runs the command stored in the variable scan_command.
Terraform
Hint

Use provisioner "local-exec" { command = var.scan_command } inside the resource.

4
Add depends_on to ensure scan runs after plan
Add a depends_on attribute to the security_scan resource that depends on a resource named terraform_plan.
Terraform
Hint

Add depends_on = ["terraform_plan"] inside the resource block.

Practice

(1/5)
1. What is the main purpose of Terraform security scanning tools like tfsec?
easy
A. To monitor cloud resource usage costs
B. To deploy Terraform infrastructure automatically
C. To write Terraform code faster with autocomplete
D. To find security risks in Terraform code before deployment

Solution

  1. Step 1: Understand Terraform security scanning tools

    These tools analyze Terraform code to detect potential security issues early.

  2. Step 2: Compare options with tool purpose

    Only To find security risks in Terraform code before deployment matches the purpose of finding security risks before deployment.

  3. Final Answer:

    To find security risks in Terraform code before deployment -> Option D

  4. Quick Check:

    Security scanning = find risks [OK]
Hint: Security tools find risks in code before cloud setup [OK]
Common Mistakes:
  • Confusing scanning tools with deployment tools
  • Thinking scanning tools write code
  • Assuming scanning tools track costs
2. Which command correctly runs tfsec to scan your Terraform project in the current folder?
easy
A. tfsec scan terraform
B. terraform scan
C. tfsec .
D. terraform tfsec run

Solution

  1. Step 1: Recall tfsec usage syntax

    The correct way to run tfsec is by specifying the folder, commonly the current folder with a dot.

  2. Step 2: Match command to syntax

    Only tfsec . correctly runs tfsec on the current directory.

  3. Final Answer:

    tfsec . -> Option C

  4. Quick Check:

    Run tfsec with folder path, dot means current folder [OK]
Hint: Run tfsec with dot for current folder scan [OK]
Common Mistakes:
  • Using terraform commands instead of tfsec
  • Adding extra words like 'scan' or 'run'
  • Not specifying folder or using wrong syntax
3. Given this tfsec output snippet:
Warning: AWS S3 bucket is publicly accessible
  File: main.tf:12
  Severity: HIGH

What does this output mean?
medium
A. The S3 bucket in main.tf line 12 allows public access, which is risky
B. The S3 bucket is encrypted and secure
C. The S3 bucket is missing from the Terraform code
D. The S3 bucket is private and safe

Solution

  1. Step 1: Interpret tfsec warning message

    The warning says the S3 bucket is publicly accessible, which means anyone can access it.

  2. Step 2: Understand security implication

    Public access to S3 buckets is a high-risk security issue, so this is a warning to fix it.

  3. Final Answer:

    The S3 bucket in main.tf line 12 allows public access, which is risky -> Option A

  4. Quick Check:

    Public access warning = risky bucket [OK]
Hint: Warnings show risky settings like public access [OK]
Common Mistakes:
  • Thinking warning means bucket is secure
  • Confusing missing resource with public access
  • Ignoring file and line number details
4. You ran tfsec . but got an error: command not found: tfsec. What is the most likely fix?
medium
A. Run terraform init first
B. Install tfsec on your system and ensure it's in your PATH
C. Change directory to the Terraform root folder
D. Update Terraform version to latest

Solution

  1. Step 1: Understand the error meaning

    The error means the system cannot find the tfsec command, so it is not installed or not accessible.

  2. Step 2: Fix by installing tfsec and adding to PATH

    Installing tfsec and ensuring the command is available in the system PATH fixes this error.

  3. Final Answer:

    Install tfsec on your system and ensure it's in your PATH -> Option B

  4. Quick Check:

    Command not found = install tool [OK]
Hint: Install tfsec if command not found error appears [OK]
Common Mistakes:
  • Running terraform commands instead of installing tfsec
  • Assuming directory change fixes command not found
  • Updating Terraform version unrelated to tfsec error
5. You want to automate security scanning in your CI pipeline using tfsec. Which approach best ensures security issues are caught before deployment?
hard
A. Run tfsec . before Terraform apply and fail pipeline on warnings
B. Run tfsec . after Terraform apply to check deployed resources
C. Run terraform plan and ignore tfsec
D. Run tfsec . only on production branch merges

Solution

  1. Step 1: Understand when to run security scans

    Security scanning should happen before deployment to catch issues early.

  2. Step 2: Choose pipeline behavior to enforce security

    Failing the pipeline on warnings ensures no risky code is deployed.

  3. Step 3: Evaluate other options

    Running after apply is too late; ignoring tfsec misses risks; scanning only production branch misses early detection.

  4. Final Answer:

    Run tfsec . before Terraform apply and fail pipeline on warnings -> Option A

  5. Quick Check:

    Scan before deploy and fail on warnings [OK]
Hint: Scan before deploy and fail on warnings to block risks [OK]
Common Mistakes:
  • Running scans after deployment
  • Ignoring tfsec in pipeline
  • Scanning only production branch too late