Awesome

terraform-opa-ibm

• Introduction
• How does terraform-opa-ibm work?
• Framework structure
• Evaluating terraform-plan locally

Introduction

This is a Rego based policy library, the policy language used by the Open Policy Agent (OPA), for the IBM Cloud Provider plugin for Terraform. It is designed to be a helper, for your own OPA Policy repository. This Rego library provides a simple abstractions to read the policy-information generated by Terraform, in a common and consistent manner. For example, the terraform generated plan json file and the state file. It also include a set of generic and customizable Rego rules for IBM Cloud resources, provisioned using IBM Cloud Provider plugin for Terraform. It can be used in your DevOps pipelines, to assess for potential mis-configurations or compliance violations in IBM Cloud, prior to the infrastructure deployment. Use this library to develop the following types of IT Controls policies:

• Naming & tagging policy
• Configuration threshold policy
• Resource sizing policy
• IAM Security policy
• Network Security policy
• Data Security policy
• Change management policy
• and more..

Framework structure

The directory structure for the framework is as shown below.

terraform-opa-ibm
├── README.md
├── lib
│   ├── plan
│   │   └── base_tfplan.rego
│   └── state
│       └── state.rego
└── resources
    ├── ibm_container_vpc_cluster
    │   └── ibm_container_vpc_cluster.rego
    ├── ibm_is_public_gateway
    │   └── ibm_is_public_gateway.rego
    ├── ibm_is_subnet
    │   └── ibm_is_subnet.rego
    └── ibm_is_vpc
        └── ibm_is_vpc.rego
    .
    .
    .

• lib directory has Rego functions for terraform plan and generic rules.
• resources directory has the rules-evaluation logic for individual ibmcloud resource.

Evaluating terraform-plan locally

Install the prerequisites:

• Open Policy Agent
• Terraform 0.12+

How does terraform-opa-ibm work?

terraform-opa-ibm provides a Rego based function to read the IBM Cloud 'resource' information, provisioned using IBM Cloud Provider plugin for Terraform. The functions available to read:

• Resource information from Terraform plan file.
• Resource information from Terraform state file.

How to use terraform-opa-ibm in the users policy repo:

Run the following command:

git-vendor https://github.com/IBM-Cloud/terraform-opa-ibm.git

Use the the directory where terraform-opa-ibm is vendored and Rego code defined while evaluating the policy.

Some example:

• To check Terraform plan file against terraform-op-ibm based rules:

  opa eval --format pretty -d <path_to_terraform-opa-ibm based rule> -d <path-to-plan-json-file> "data.terraform.analysis.ibm.cos"

• To check Terraform state file against terraform-op-ibm based rules:

  opa eval --format pretty -d <path_to_terraform-opa-ibm based rule> -d <path-to-state-json-file> "data.terraform.analysis.ibm.cos"