terraform-opa-ibm
Introduction
This is a Rego based policy library (Rego is the policy language used by the Open Policy Agent, OPA) for the IBM Cloud Provider plugin for Terraform. It is designed as a helper for your own OPA policy repository. The library provides simple abstractions to read the policy-relevant information generated by Terraform, such as the plan JSON file and the state file, in a common and consistent manner. It also includes a set of generic and customizable Rego rules for IBM Cloud resources provisioned using the IBM Cloud Provider plugin for Terraform. It can be used in your DevOps pipelines to assess potential misconfigurations or compliance violations in IBM Cloud before the infrastructure is deployed. Use this library to develop the following types of IT controls policies:
- Naming & tagging policy
- Configuration threshold policy
- Resource sizing policy
- IAM Security policy
- Network Security policy
- Data Security policy
- Change management policy
- and more
Framework structure
The directory structure for the framework is as shown below.
terraform-opa-ibm
├── README.md
├── lib
│   ├── plan
│   │   └── base_tfplan.rego
│   └── state
│       └── state.rego
└── resources
    ├── ibm_container_vpc_cluster
    │   └── ibm_container_vpc_cluster.rego
    ├── ibm_is_public_gateway
    │   └── ibm_is_public_gateway.rego
    ├── ibm_is_subnet
    │   └── ibm_is_subnet.rego
    └── ibm_is_vpc
        └── ibm_is_vpc.rego
    .
    .
    .
- The lib directory holds the Rego functions that read Terraform plan and state files, plus the generic rules.
- The resources directory holds the rule-evaluation logic for each individual IBM Cloud resource type.
Evaluating a Terraform plan locally
Install the prerequisites:
How does terraform-opa-ibm work?
terraform-opa-ibm provides Rego functions to read information about IBM Cloud resources provisioned using the IBM Cloud Provider plugin for Terraform. Functions are available to read:
- Resource information from a Terraform plan file.
- Resource information from a Terraform state file.
How to use terraform-opa-ibm in your policy repo:
Vendor the library into your policy repository, for example by running:
git-vendor https://github.com/IBM-Cloud/terraform-opa-ibm.git
When evaluating a policy, point OPA at both the directory where terraform-opa-ibm is vendored and the directory holding your own Rego rules.
Some examples:
- To check a Terraform plan file against terraform-opa-ibm based rules:
  opa eval --format pretty -d <path_to_terraform-opa-ibm based rule> -d <path-to-plan-json-file> "data.terraform.analysis.ibm.cos"
- To check a Terraform state file against terraform-opa-ibm based rules:
  opa eval --format pretty -d <path_to_terraform-opa-ibm based rule> -d <path-to-state-json-file> "data.terraform.analysis.ibm.cos"
Note that every file loaded with -d is merged into OPA's data document. If your rules read the plan or state from input (the usual convention for Terraform plan policies), pass that JSON file with -i instead of -d so it becomes the input document.