Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/Cigna/confectionery
A library of rules for Conftest used to detect misconfigurations within Terraform configuration files
https://github.com/Cigna/confectionery
Last synced: 3 months ago
JSON representation
A library of rules for Conftest used to detect misconfigurations within Terraform configuration files
- Host: GitHub
- URL: https://github.com/Cigna/confectionery
- Owner: Cigna
- License: apache-2.0
- Created: 2021-03-12T14:20:03.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2022-09-20T16:47:55.000Z (about 2 years ago)
- Last Synced: 2024-07-25T05:34:14.319Z (4 months ago)
- Language: Open Policy Agent
- Homepage:
- Size: 234 KB
- Stars: 191
- Watchers: 6
- Forks: 13
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Code of conduct: CODE_OF_CONDUCT.md
Awesome Lists containing this project
- awesome-opa - Confectionary - A library of rules for Conftest used to detect Terraform misconfigurations. (Policy Packages / Blogs and Articles)
README
Confectionery
A library of rules for Conftest used to detect misconfigurations within Terraform configuration files
Report Bug
·
Request a New Feature
Table of Contents
# Confectionery
## What is Confectionery?
Confectionery is a library of rules for the [Conftest](https://www.conftest.dev/) tool. These rules can be used to detect misconfigurations in Terraform plans and other configuration file formats. The terraform rules also leverage the [Regula](https://github.com/fugue/regula) library to assist with the parsing of Terraform plans.
By creating rules for the Conftest tool, misconfigurations can be caught earlier in the development cycle by being rule-locally or as part of a CI/CD pipeline. This helps prevent the introduction of the misconfiguration into the runtime environment. For example, you can ensure any resource deployed is on the allowed list of services.
Confectionery helps enforce governance expectations and provides a fast feedback loop for developers.
## Getting Started
To use Confectionery you must first [install Conftest](https://www.conftest.dev/install/)
### Generating the terraform plan json
``terraform init``
``terraform plan -out tf-plan.binary ``
``terraform show -json tf-plan.binary > tf-plan.json``
The following command will place the rego rules into a directory called ``policy`` in the directory it is run from. It will then validate the plan. It will only download if the files have changed
``conftest test --update "git::https://github.com/cigna/confectionery.git//rules/terraform?ref=" tf-plan.json``
You can override the location the rules are stored with path option below. This should be useful for caching
``conftest test -p test/ --update "git::https://github.com/cigna/confectionery.git//rules/terraform?ref=" tf-plan.json``
To see available tags please click on [Releases](https://github.com/cigna/confectionery/releases).
### How to Use Exceptions
If it is necessary to temporarily suppress a rule while waiting for a fix to be added to the library, or a non-fixable false-positive exists then exceptions can be used. We have adopted Regula's feature for exceptions which is detailed [here](https://regula.dev/configuration.html#waiving-rule-results).
When using exceptions with Conftest, the `test` command can be modified to the following format
``conftest test -p policy -p exceptions --update "git::https://github.com/cigna/confectionery.git//rules/terraform?ref=" tf-plan.json``
The additional ``-p`` argument would be used to specify the path to an additional directory which houses the necessary file
A sample ``config.rego`` can be seen below. Multiple rules can be specified, and the waiver/exception can be limited to certain resources. Please refer to the regula link above for the the full list of supported filters. Rule names can be found on the first line of the relevant rule rego file after ``rules.`` in the package name.
```
package fugue.regula.configwaivers[waiver] {
waiver := {
"rule_name": "",
}
} {
waiver := {
"rule_name": "",
}
}
```## Creating Rules
To get started creating rules follow along with this [rules overview](rules/README.md).
## Writing Tests
Please visit our [testing](test-files/README.md) page to learn more about how to get started writing Conftest rules.
## Contributing
If you would like to contribute please refer to our [contributing guide](CONTRIBUTING.md). Any additions will be much appreciated, please follow these steps:1. Fork the Project
2. Create your Feature Branch (`git checkout -b feature/AmazingFeature`)
3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`)
4. Push to the Branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request## Original Contributors
Confectionery started as an internal project at Cigna. We would like to recognize the following people for their initial contributions to the project:- Anthony Barbieri
- Kory Sansom
- Luke Newman
- Kristie Cunha
- Jason Wai
- Matthew Bradley
- Omer Farooq
- Nikiyah Beulah
- Timothy Gorecki
- Gavilan Steinman
- Gabrielle Hempel
- Timothy Morris