terraform-opa-ibm

Introduction

This is a policy library written in Rego, the policy language used by the Open Policy Agent (OPA), for the IBM Cloud Provider plugin for Terraform. It is designed to be a helper for your own OPA policy repository. The library provides simple abstractions to read the policy information generated by Terraform, such as the plan JSON file and the state file, in a common and consistent manner. It also includes a set of generic and customizable Rego rules for IBM Cloud resources provisioned with the IBM Cloud Provider plugin for Terraform. It can be used in your DevOps pipelines to assess for potential misconfigurations or compliance violations in IBM Cloud before the infrastructure is deployed. Use this library to develop the following types of IT Controls policies:

Framework structure

The directory structure for the framework is as shown below.

terraform-opa-ibm
├── README.md
├── lib
│   ├── plan
│   │   └── base_tfplan.rego
│   └── state
│       └── state.rego
└── resources
    ├── ibm_container_vpc_cluster
    │   └── ibm_container_vpc_cluster.rego
    ├── ibm_is_public_gateway
    │   └── ibm_is_public_gateway.rego
    ├── ibm_is_subnet
    │   └── ibm_is_subnet.rego
    └── ibm_is_vpc
        └── ibm_is_vpc.rego
    .
    .
    .

Evaluating terraform-plan locally

Install the prerequisites:

How does terraform-opa-ibm work?

terraform-opa-ibm provides Rego functions to read the information about IBM Cloud 'resources' provisioned with the IBM Cloud Provider plugin for Terraform. The functions available to read:

How to use terraform-opa-ibm in the user's policy repo:

Run the following command:

git-vendor https://github.com/IBM-Cloud/terraform-opa-ibm.git

When evaluating the policy, point OPA at the directory where terraform-opa-ibm is vendored together with your own Rego code.
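The following is an added example, not code from the terraform-opa-ibm library: a self-contained Rego policy in the style the library is meant to support, which reads the JSON produced by `terraform show -json tfplan` from `input` and flags IBM Cloud resources that are about to be created or updated without a required tag. The resource type names are taken from the framework's resources/ directory; the `tags` attribute, the `env:prod` tag value, the package name and the sample plan fragment are assumptions constructed for illustration.

```rego
# Added example (not part of terraform-opa-ibm). Evaluates a Terraform plan JSON
# document supplied as `input` and denies IBM Cloud resources that are created or
# updated without a required tag.
package example.ibm.tags

import rego.v1

# Resource types from the framework's resources/ tree. The `tags` list attribute
# on each of them is assumed for this example.
tagged_types := {"ibm_is_vpc", "ibm_is_subnet", "ibm_is_public_gateway", "ibm_container_vpc_cluster"}

# Tag every in-scope resource must carry (constructed policy value).
required_tag := "env:prod"

# Resource changes that create or update an in-scope resource. Deletes have no
# `after` state and are not checked.
planned contains rc if {
	some rc in input.resource_changes
	rc.type in tagged_types
	some action in rc.change.actions
	action in {"create", "update"}
}

# One deny message per planned resource whose `after` state lacks the required tag.
# object.get supplies an empty list when the attribute is absent entirely.
deny contains msg if {
	some rc in planned
	tags := object.get(rc.change.after, "tags", [])
	not required_tag in tags
	msg := sprintf("%s: missing required tag %q", [rc.address, required_tag])
}

# Constructed plan fragment (not from a real deployment) so the policy can be
# exercised offline with `opa test`. Only the fields the rules read are present.
sample_plan := {"resource_changes": [
	{
		"address": "ibm_is_vpc.main",
		"type": "ibm_is_vpc",
		"change": {"actions": ["create"], "after": {"name": "main", "tags": ["env:prod"]}},
	},
	{
		"address": "ibm_is_subnet.app",
		"type": "ibm_is_subnet",
		"change": {"actions": ["create"], "after": {"name": "app", "tags": ["team:payments"]}},
	},
	{
		"address": "ibm_is_public_gateway.old",
		"type": "ibm_is_public_gateway",
		"change": {"actions": ["delete"], "before": {"name": "old"}, "after": null},
	},
]}

# The subnet lacks env:prod and is denied; the VPC passes; the deleted gateway is skipped.
test_subnet_without_required_tag_is_denied if {
	denied := deny with input as sample_plan
	denied == {"ibm_is_subnet.app: missing required tag \"env:prod\""}
}
```

Run the built-in check with `opa test .` in the directory holding the file, and evaluate a real plan with `terraform show -json tfplan > tfplan.json` followed by `opa eval --format pretty --input tfplan.json --data . 'data.example.ibm.tags.deny'`; a non-empty result is the set of violating resource addresses, which is what a pipeline step would gate on.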

Some examples: