Terraform OPA policies examples

A sample collection of OPA policies to test against Terraform runs in Scalr.

Resources

Policy Files

Each sample policy comprises 3 files.

Each folder also includes an example scalr-policy.hcl file. These files are used by Scalr to implement enforcement levels for each policy (hard-mandatory, soft-mandatory, advisory). See Enabling and Enforcing Policy for more details.

Policy Evaluation

You can evaluate a policy against your own Terraform plans using the Terraform CLI and opa eval as follows.

$ terraform plan --out planfile
$ terraform show -json planfile > plan.json
$ opa eval --format pretty --data policy.rego -i plan.json data.terraform.deny

Policies

Summary descriptions of each policy. Detailed descriptions of each rule can be found as comments in the policy file. Many policies contain arrays of values that are checked against resources; the arrays and reason messages are of course customisable.

Policy                                  Description
aws/enforce_aws_iam_and_workspace.rego  Checks valid IAM roles for provider and workspace.
aws/enforce_aws_resource.rego           Checks resource types against an allowed list.
aws/enforce_cidr.rego                   Checks security group CIDR blocks contain allowed CIDRs.
aws/enforce_ebs_del_on_term.rego        Checks delete_on_termination = true is set for EBS volumes.
aws/enforce_iam_instance_profiles.rego  Checks IAM instance profile is in allowed list.
aws/enforce_instance_subnets.rego       Checks instances are using allowed subnets.
aws/enforce_kms_key_names.rego          Checks KMS keys (by name) against allowed list.
aws/enforce_lb_subnets.rego             Checks load balancers are using allowed subnets.
aws/enforce_s3_buckets_encryption.rego  Checks encryption is set for S3 buckets.
aws/enforce_s3_private.rego             Checks S3 buckets are not public.
aws/enforce_sec_group.rego              Checks security groups have been specified and are in allowed list.
aws/enforce_rds_subnets.rego            Checks RDS clusters are using allowed subnets.
cost/limit_monthly_cost.rego            Checks estimated cost against an upper limit.
external_data/random_decision.rego      Example of using external data (HTTP GET) in a policy.
gcp/enforce_gcs_private.rego            Checks GCS buckets are not public.
management/denied_provisioners.rego     Checks provisioner types against an allowed list.
management/enforce_ami_owners.rego      Checks AMIs being used belong to allowed list of AMI owners.
management/enforce_var_desc.rego        Checks variables have descriptions.
management/instance_types.rego          Checks instance types/sizes against allowed list. AWS, Azure and GCP.
management/resource_tags.rego           Checks required tags are configured for all clouds.
management/whitelist_ami.rego           Checks AMI against allowed list or configured from data source.
management/workspace_name.rego          Simple example of using tfrun data and validating a workspace name.
management/workspace_environment.rego   Checks workspace environment type and enforces cost limits based on environment.
management/workspace_destroy.rego       Checks workspace has an active state and denies its destroy if an active state is present.
management/workspace_tags.rego          Checks workspace is tagged with provider name.
modules/pin_module_version.rego         Enforces use of specific module versions.
modules/required_modules.rego           Checks resources are only created via specific modules.
placement/cloud_location.rego           Checks resources are deployed to specific regions in each cloud.
providers/blacklist_provider.rego       Implements a provider blacklist.
user/user.rego                          Restricts which users can trigger Terraform runs. Works for CLI and VCS.

Contributions

We welcome contributions in many ways!

Report Bugs

Submit bug reports at https://github.com/Scalr/sample-tf-opa-policies/issues.

Be sure to include the following.

Feedback and Suggestions

Submit feedback and suggestions at https://github.com/Scalr/sample-tf-opa-policies/issues.

Be sure to include the following.

Pull Requests

Better still, have a go at fixing a bug or implementing new policy examples yourself and submit a pull request.

If you submit a new policy you must include the following files.

To submit a PR follow the standard process.

  1. Fork the repo
  2. Clone locally and create a new branch
  3. Commit and push
  4. Submit pull request

Before submitting the PR for the new policy or bug fix, confirm it works using opa eval as shown above and validate that the mock-based tests pass using opa test.

Example test

# opa test enforce_sec_group.* -v
data.terraform.test_valid: PASS (7.390418ms)
data.terraform.test_invalid: PASS (603.837µs)
data.terraform.test_missing: PASS (483.272µs)
--------------------------------------------------------------------------------
PASS: 3/3
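As an added example of the evaluate-then-test workflow described under Policy Evaluation and above (this is not one of the repository's policies), here is a complete required-tags policy in the same package and with the same deny query that the opa eval command uses, together with constructed mock plans and test rules. The repository keeps policy, mocks and tests in separate files; they are combined in one file here so it runs stand-alone. The required_tags set, the mock resource addresses and the reason message format are all assumptions for illustration. The rego.v1 import means the file needs OPA 0.59 or later.

```rego
package terraform

import rego.v1

# Added example, not one of the repository's policies: every AWS resource that
# the plan creates or updates must carry these tags. The set is customisable,
# as the README notes for the real policies.
required_tags := {"Owner", "Environment"}

# Resource changes that create or update something. Destroys are skipped:
# there is no planned configuration left to inspect.
changed_resources contains r if {
    some r in input.resource_changes
    some action in r.change.actions
    action in {"create", "update"}
}

# Tags the resource will have after apply. "tags_all" folds in the provider's
# default_tags, so prefer it; fall back to "tags", then to no tags at all so an
# untagged resource is still denied rather than silently skipped.
planned_tags(r) := t if {
    t := r.change.after.tags_all
} else := t if {
    t := r.change.after.tags
} else := {}

# One deny reason per AWS resource that is missing any required tag.
deny contains reason if {
    some r in changed_resources
    startswith(r.type, "aws_")
    tags := planned_tags(r)
    present := {k | some k, _ in tags}
    missing := required_tags - present
    count(missing) > 0
    reason := sprintf("%s: missing required tags %s", [r.address, concat(", ", sort(missing))])
}

# Constructed mock plans in the shape of `terraform show -json`, trimmed to the
# fields the policy reads.
mock_untagged := {"resource_changes": [{
    "address": "aws_s3_bucket.logs",
    "type": "aws_s3_bucket",
    "change": {"actions": ["create"], "after": {"bucket": "logs", "tags": {"Owner": "security"}}}
}]}

mock_tagged := {"resource_changes": [{
    "address": "aws_s3_bucket.logs",
    "type": "aws_s3_bucket",
    "change": {"actions": ["create"], "after": {"bucket": "logs", "tags_all": {"Owner": "security", "Environment": "prod"}}}
}]}

mock_destroy := {"resource_changes": [{
    "address": "aws_s3_bucket.legacy",
    "type": "aws_s3_bucket",
    "change": {"actions": ["delete"], "after": null}
}]}

# Tests picked up by `opa test`: a resource missing one tag is denied with a
# precise reason, a fully tagged resource passes, and a destroy is ignored.
test_untagged_resource_denied if {
    deny["aws_s3_bucket.logs: missing required tags Environment"] with input as mock_untagged
}

test_tagged_resource_allowed if {
    count(deny) == 0 with input as mock_tagged
}

test_destroy_not_checked if {
    count(deny) == 0 with input as mock_destroy
}
```

Save the file as, say, required_tags.rego and run opa test required_tags.rego -v to get the three PASS lines in the shape shown above; the same file works with the opa eval command from Policy Evaluation against a real plan.json. The fallback to an empty tag object in planned_tags is the part worth copying into your own policies: if the function were simply undefined for an untagged resource, the deny rule would be undefined too and the resource would pass unnoticed.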

License

The examples are licensed under the MIT License.