{"id":50938462,"url":"https://github.com/thothforge/org-iac-policies","last_synced_at":"2026-06-17T11:32:27.484Z","repository":{"id":364917200,"uuid":"1268909096","full_name":"thothforge/org-iac-policies","owner":"thothforge","description":"Organization IaC Policy Repository - Governance rules for ThothCTL Framework (OPA/Rego)","archived":false,"fork":false,"pushed_at":"2026-06-15T04:44:30.000Z","size":9,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-15T05:21:46.531Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Open Policy Agent","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/thothforge.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-14T04:36:49.000Z","updated_at":"2026-06-15T04:44:33.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/thothforge/org-iac-policies","commit_stats":null,"previous_names":["thothforge/org-iac-policies"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/thothforge/org-iac-policies","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thothforge%2Forg-iac-policies","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thothforge%2Forg-iac-policies/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thothforge%2Forg-iac-policies/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thothforge%2Forg-iac-policies/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/thothforge","download_url":"https://codeload.github.com/thothforge/org-iac-policies/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/thothforge%2Forg-iac-policies/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34447264,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-17T02:00:05.408Z","response_time":127,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-06-17T11:32:26.587Z","updated_at":"2026-06-17T11:32:27.478Z","avatar_url":"https://github.com/thothforge.png","language":"Open Policy Agent","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Organization IaC Policies\n\n[![ThothCTL Compatible](https://img.shields.io/badge/ThothCTL-Policy%20Repository-blue)](https://github.com/thothforge/thothctl)\n\nOrganization-level policy repository for Infrastructure as Code governance. This repository defines the security, compliance, naming, and architectural rules enforced across all IaC projects via [ThothCTL](https://github.com/thothforge/thothctl).\n\n## Structure\n\n```\norg-iac-policies/\n├── rules/ # ThothCTL project structure rules\n│ ├── base.toml # All project types (mandatory)\n│ ├── terraform-terragrunt.toml # Terraform+Terragrunt projects\n│ ├── terraform_module.toml # Terraform modules\n│ └── cdkv2.toml # CDK v2 projects\n├── shared/policy/ # OPA/Rego policies (all projects)\n│ ├── naming.rego\n│ ├── tagging.rego\n│ └── regions.rego\n├── compliance/\n│ ├── features/ # Terraform-compliance BDD scenarios\n│ │ ├── encryption.feature\n│ │ ├── tagging.feature\n│ │ └── networking.feature\n│ └── soc2/policy/ # SOC2-specific OPA policies\n├── domains/ # Business domain policies\n├── workloads/ # Workload-type policies\n├── layers/ # Infrastructure layer policies\n└── README.md\n```\n\n## Quick Start\n\n### Set the Environment Variable\n\n```bash\nexport THOTH_ORG_POLICY=https://github.com/thothforge/org-iac-policies.git\n```\n\n### Run All Governance Checks\n\n```bash\n# Project structure enforcement (mandatory rules cannot be overridden)\nthothctl check project iac --enforcement hard\n\n# OPA/Rego policy scan (shared + domain policies)\nthothctl scan iac -t opa\n\n# BDD compliance scenarios against terraform plans\nthothctl scan iac -t terraform-compliance\n\n# All security scanners + org policies\nthothctl scan iac -t checkov -t trivy -t opa -t terraform-compliance --enforcement hard\n```\n\n## What Each Folder Does\n\n| Folder | Tool | Purpose |\n|--------|------|---------|\n| `rules/` | `thothctl check project iac` | Enforce project structure (files, folders, naming) |\n| `shared/policy/` | `thothctl scan iac -t opa` | OPA/Rego security policies for all projects |\n| `compliance/features/` | `thothctl scan iac -t terraform-compliance` | BDD scenarios against tfplan.json |\n| `domains/*/policy/` | `thothctl scan iac -t opa` | Domain-specific Rego policies |\n| `layers/*/policy/` | `thothctl scan iac -t opa` | Layer-specific Rego policies |\n| `workloads/*/policy/` | `thothctl scan iac -t opa` | Workload-specific Rego policies |\n\n## Project Structure Rules (`rules/`)\n\nRules enforce that projects follow organizational standards. Projects **cannot override** mandatory rules.\n\n### `rules/base.toml` — All Projects\n\n```toml\n[metadata]\nname = \"ThothForge Infrastructure Standards\"\nversion = \"1.0.0\"\nenforcement = \"mandatory\"\n\n[project_structure]\nroot_files = [\".gitignore\", \"README.md\", \".thothcf.toml\", \".pre-commit-config.yaml\"]\n\n[[project_structure.folders]]\nname = \"docs\"\nmandatory = true\nenforcement = \"mandatory\"\n\n[rules.naming]\npattern = \"^[a-z][a-z0-9-]*$\"\nenforcement = \"mandatory\"\n\n[rules.tagging]\nrequired_tags = [\"Environment\", \"Owner\", \"Project\"]\nenforcement = \"mandatory\"\n```\n\n### Enforcement Levels\n\n| Level | Behavior | Can Project Override? |\n|-------|----------|---------------------|\n| `mandatory` | Fails pipeline with `--enforcement hard` | ❌ No |\n| `recommended` | Warning | ⚠️ Can opt-out |\n| `informational` | Report only | ✅ Yes |\n\n## Terraform-compliance Features (`compliance/features/`)\n\nBDD scenarios evaluated against `tfplan.json`:\n\n```gherkin\nFeature: Ensure encryption is enabled for all storage resources\n\n Scenario: S3 buckets must have encryption\n Given I have aws_s3_bucket defined\n Then it must have server_side_encryption_configuration\n```\n\n### Usage\n\n```bash\n# Direct reference with //subpath\nthothctl scan iac -t terraform-compliance -o \"features_dir=https://github.com/thothforge/org-iac-policies.git//compliance/features\"\n\n# Or via THOTH_ORG_POLICY (auto-discovers compliance/features/)\nexport THOTH_ORG_POLICY=https://github.com/thothforge/org-iac-policies.git\nthothctl scan iac -t terraform-compliance\n```\n\n## OPA/Rego Policies (`shared/policy/`)\n\nPolicies use [OPA Rego](https://www.openpolicyagent.org/docs/latest/policy-language/):\n\n```rego\n# shared/policy/tagging.rego\npackage main\n\nrequired_tags := {\"Environment\", \"Owner\", \"Project\"}\n\ndeny[msg] {\n resource := input.resource[type][name]\n tags := object.get(resource, \"tags\", {})\n missing := required_tags - {key | tags[key]}\n count(missing) \u003e 0\n msg := sprintf(\"%s.%s is missing required tags: %v\", [type, name, missing])\n}\n```\n\n### Usage\n\n```bash\n# Auto-discovers shared/policy/ from THOTH_ORG_POLICY\nexport THOTH_ORG_POLICY=https://github.com/thothforge/org-iac-policies.git\nthothctl scan iac -t opa\n\n# Or explicit\nthothctl scan iac -t opa -o \"policy_dir=https://github.com/thothforge/org-iac-policies.git\"\n```\n\n## CI/CD Integration\n\n```yaml\n# GitHub Actions\nname: IaC Governance\n\non: [pull_request]\n\njobs:\n compliance:\n runs-on: ubuntu-latest\n env:\n THOTH_ORG_POLICY: https://github.com/thothforge/org-iac-policies.git@v1.0\n steps:\n - uses: actions/checkout@v4\n - run: pip install thothctl terraform-compliance\n \n - name: Project structure check\n run: thothctl check project iac --enforcement hard\n \n - name: Security scan\n run: thothctl scan iac -t checkov -t trivy -t opa -t terraform-compliance --enforcement hard --post-to-pr\n```\n\n## Policy Resolution Order (OPA)\n\n1. `shared/policy/*.rego` — Always applied\n2. `layers/\u003clayer\u003e/policy/*.rego` — Matches project layer\n3. `workloads/\u003cworkload\u003e/policy/*.rego` — Matches workload type\n4. `domains/\u003cdomain\u003e/policy/*.rego` — Matches business domain\n5. `compliance/\u003cframework\u003e/policy/*.rego` — Per compliance framework\n\n## Related\n\n- [ThothCTL](https://github.com/thothforge/thothctl)\n- [ThothCTL Scan Docs](https://thothforge.github.io/thothctl/framework/commands/scan/scan_iac/)\n- [OPA/Rego Reference](https://www.openpolicyagent.org/docs/latest/policy-reference/)\n- [Terraform-compliance](https://terraform-compliance.com/)\n- [Conftest](https://www.conftest.dev/)\n\n## License\n\nMIT\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthothforge%2Forg-iac-policies","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthothforge%2Forg-iac-policies","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthothforge%2Forg-iac-policies/lists"}