{"id":13719217,"url":"https://github.com/StyraInc/opa-aws-cloudformation-hook","last_synced_at":"2025-05-07T11:31:22.512Z","repository":{"id":41992258,"uuid":"467527969","full_name":"StyraInc/opa-aws-cloudformation-hook","owner":"StyraInc","description":"AWS Cloudformation Hook for OPA-powered infrastructure policy enforcement","archived":false,"fork":false,"pushed_at":"2024-03-06T10:34:26.000Z","size":210,"stargazers_count":36,"open_issues_count":6,"forks_count":5,"subscribers_count":14,"default_branch":"main","last_synced_at":"2025-05-06T06:49:29.312Z","etag":null,"topics":["authorization","aws","aws-cloudformation","aws-cloudformation-hooks","cloudformation","opa","open-policy-agent","policy-as-code","rego"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/StyraInc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-03-08T13:41:40.000Z","updated_at":"2024-09-02T11:58:20.000Z","dependencies_parsed_at":"2024-03-06T11:43:04.185Z","dependency_job_id":null,"html_url":"https://github.com/StyraInc/opa-aws-cloudformation-hook","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StyraInc%2Fopa-aws-cloudformation-hook","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StyraInc%2Fopa-aws-cloudformation-hook/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StyraInc%2Fopa-aws-cloudformation-hook/releases
","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/StyraInc%2Fopa-aws-cloudformation-hook/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/StyraInc","download_url":"https://codeload.github.com/StyraInc/opa-aws-cloudformation-hook/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":252868778,"owners_count":21816919,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authorization","aws","aws-cloudformation","aws-cloudformation-hooks","cloudformation","opa","open-policy-agent","policy-as-code","rego"],"created_at":"2024-08-03T01:00:44.513Z","updated_at":"2025-05-07T11:31:22.191Z","avatar_url":"https://github.com/StyraInc.png","language":"Python","funding_links":[],"categories":["Infrastructure as Code","Third Party Hooks"],"sub_categories":["Datasource Integrations Blogs and Articles","Hooks"],"readme":"# OPA AWS CloudFormation Hook\n\n\u003cp align=\"center\"\u003e\n    \u003cimg alt=\"OPA AWS CloudFormation Hook Diagram\" src=\"docs/assets/opa-aws-cloudformation.svg\"\u003e\n\u003c/p\u003e\n\nThis repository integrates AWS CloudFormation (CFN) with OPA using\n[AWS Cloud Formation Hooks](https://aws.amazon.com/about-aws/whats-new/2022/02/aws-announces-general-availability-aws-cloudformation-hooks/).\nUse this integration if you want to enforce policies over AWS resources (e.g., EC2 instances, S3 buckets, etc.)\nprovisioned with CloudFormation. 
For example, using this integration you can enforce policy across resources like:\n\n* [EC2 Security Groups](https://github.com/StyraInc/opa-aws-cloudformation-hook/blob/main/examples/policy/ec2/security_group/security_group.rego)\n* [IAM Admin Rules](https://github.com/StyraInc/opa-aws-cloudformation-hook/blob/main/examples/policy/iam/user/no_admin_test.rego)\n* [S3 Public Access](https://github.com/StyraInc/opa-aws-cloudformation-hook/blob/main/examples/policy/s3/bucket/public_access_test.rego)\n\n\u003e AWS CloudFormation Hooks were added in February 2022. The feature is still relatively new for AWS CloudFormation.\n\u003e If you run into any issues please report them [here](https://github.com/StyraInc/opa-aws-cloudformation-hook/issues).\n\n## How it Works\n\nThe OPA hook works by installing an\n[AWS CloudFormation Hook](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks-structure.html)\ninto your environment.\n\nWhen creating, updating, or deleting a CloudFormation Stack, the hook is triggered to validate the configuration.\nWhen used in conjunction with OPA, the hook sends the property information from each resource in a Stack to your\nOPA server. OPA evaluates each request against your defined policies and sends\nback any violations it finds, which fails the stack operation and logs the violations to AWS CloudWatch.\nIf no violations are reported, the resources contained in the stack are created, updated or deleted accordingly.\n\n**NOTE:** Installing OPA into your AWS environment is currently out of scope for this documentation. For local\ndevelopment, a tool like [ngrok](https://ngrok.com/) could be used to point at an OPA running on your machine. Bear in\nmind that such a tunnel exposes your local OPA to the internet, so keep it to development setups.\n\nWant to try out this integration yourself? 
See the AWS CloudFormation Hooks tutorial in the\n[OPA documentation](https://www.openpolicyagent.org/docs/latest/aws-cloudformation-hooks/).\n\n## Repository Contents\n\nThe `hooks` directory contains the code for the hook you'll deploy in your AWS account to enable OPA policy\nenforcement for your CloudFormation resources. See the\n[OPA tutorial](https://www.openpolicyagent.org/docs/latest/aws-cloudformation-hooks/) on the topic for instructions on\nhow to quickly get started, or the\n[development guide](https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/hooks.html)\nin the AWS documentation if you'd like to learn more about how it works.\n\nTo give you an idea about what policy for AWS CloudFormation Hooks might look like, this repository provides a number\nof example resources and policies:\n\n* The `examples/templates` directory contains example templates used for testing\n* The `examples/policy` directory contains example policies\n\n### Policy Development\n\nIn order to quickly iterate on changes in your Rego policies, you may use the `validate.py` tool provided under the\n`test` directory. The tool allows you to test your policies against provided CloudFormation template files, without\nactually submitting them to a hook installed in your environment. With an OPA server started with your policy\nfiles loaded (e.g. `opa run --server --watch examples/policy`), you may use the tool like:\n\n```shell\ntest/validate.py my-cloudformation-template.yaml\n```\n\nThe tool will extract all resources found in the template and submit them to OPA one by one, in the same manner\nthe hook operates once installed. Should any violations be encountered, the tool prints them to the console.\n\n### Deregistering the Hook\n\nDeregistering a hook requires removal of not just the hook type, but also every version of the hook that was registered. 
In order\nto help with that, you may use the `deregister-hook.sh` script provided in this repo, with the ARN of the hook provided\nas the only argument:\n\n```script\n./deregister-hook.sh \u003cARN of your hook here\u003e\n```\n\n## Community\n\nFor questions, discussions and announcements related to Styra products, services and open source projects, please join the Styra community on [Slack](https://communityinviter.com/apps/styracommunity/signup)!","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FStyraInc%2Fopa-aws-cloudformation-hook","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FStyraInc%2Fopa-aws-cloudformation-hook","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FStyraInc%2Fopa-aws-cloudformation-hook/lists"}
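The validation flow the README above describes for `validate.py` and for the hook itself (extract each resource from a template, submit it to OPA one by one, collect the violations), as an added example that is not the project's own validate.py or hook code. Everything beyond that flow is an assumption made here, not taken from the README: the per-resource input document shape, the OPA data path `hooks/aws/deny`, the constructed sample template (JSON rather than YAML so only the standard library is needed), and the Python stand-in policy that lets the flow run with no OPA server.

```python
"""Offline sketch of the validate.py flow the README describes: walk a
CloudFormation template, build one OPA input per resource, evaluate it, and
collect violations. Added example, not the project's validate.py or hook code.
Assumed (not from the README): the input document shape, the OPA data path,
and the Python stand-in policy used when no OPA server is running."""
import json
import urllib.request
from typing import Callable, Dict, List

# Constructed sample template (JSON, so only the stdlib is needed): a bucket
# that blocks public access, a bucket that does not, and a security group
# that admits SSH from the whole internet.
SAMPLE_TEMPLATE = json.loads(r"""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "LogsBucket": {"Type": "AWS::S3::Bucket", "Properties": {
      "PublicAccessBlockConfiguration": {"BlockPublicAcls": true,
        "BlockPublicPolicy": true, "IgnorePublicAcls": true,
        "RestrictPublicBuckets": true}}},
    "OpenBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    "AdminSg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "GroupDescription": "admin access",
      "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22,
        "ToPort": 22, "CidrIp": "0.0.0.0/0"}]}}
  }
}""")

# A policy query maps one input document to a list of violation messages.
Query = Callable[[dict], List[str]]


def extract_resources(template: dict, action: str = "CREATE") -> List[dict]:
    """One input document per resource: the stack action plus the resource's
    logical id, type and properties (assumed shape of what the hook sends)."""
    return [{"action": action,
             "resource": {"id": logical_id, "type": res["Type"],
                          "properties": res.get("Properties", {})}}
            for logical_id, res in template.get("Resources", {}).items()]


def opa_query(url: str = "http://localhost:8181/v1/data/hooks/aws/deny") -> Query:
    """Query function that POSTs each input to OPA's Data API and returns the
    rule's result. The `hooks/aws/deny` path is an assumption; point it at the
    deny rule your policy package exposes."""
    def query(doc: dict) -> List[str]:
        req = urllib.request.Request(url, data=json.dumps({"input": doc}).encode(),
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp).get("result", [])
    return query


def stand_in_policy(doc: dict) -> List[str]:
    """Python stand-in for a Rego deny rule so the flow runs with no OPA server.
    Not the repository's policy; it checks two conditions of the kind the README's
    examples cover: S3 public access and world-open security group ingress."""
    res, props, deny = doc["resource"], doc["resource"]["properties"], []
    if res["type"] == "AWS::S3::Bucket":
        pab = props.get("PublicAccessBlockConfiguration", {})
        if not all(pab.get(k) is True for k in ("BlockPublicAcls", "BlockPublicPolicy",
                                                 "IgnorePublicAcls", "RestrictPublicBuckets")):
            deny.append(f"{res['id']}: S3 bucket does not block all public access")
    elif res["type"] == "AWS::EC2::SecurityGroup":
        for rule in props.get("SecurityGroupIngress", []):
            if rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0":
                deny.append(f"{res['id']}: ingress from anywhere on ports "
                            f"{rule.get('FromPort')}-{rule.get('ToPort')}")
    return deny


def validate(template: dict, query: Query, action: str = "CREATE") -> Dict[str, List[str]]:
    """Submit each resource to the policy one by one, as the hook does, and
    return {logical_id: [violations]} for the resources that were denied."""
    violations = {}
    for doc in extract_resources(template, action):
        denied = query(doc)
        if denied:
            violations[doc["resource"]["id"]] = denied
    return violations


if __name__ == "__main__":
    # Swap stand_in_policy for opa_query() once `opa run --server` is up.
    for rid, msgs in validate(SAMPLE_TEMPLATE, stand_in_policy).items():
        for msg in msgs:
            print("DENY", rid, "-", msg)
```

Running it against the constructed template denies `OpenBucket` and `AdminSg` and passes `LogsBucket`. The point of keeping `extract_resources` and the query function separate is that the same per-resource loop drives either the offline stand-in or a live `opa run --server` instance, so policy iteration and the deployed hook see identically shaped inputs.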