https://github.com/ibm-cloud/terraform-opa-ibm

An OPA library to develop IT Control policies, for the IBM Cloud
https://github.com/ibm-cloud/terraform-opa-ibm

ibm-cloud open-policy-agent rego terraform

Last synced: 3 days ago
JSON representation

An OPA library to develop IT Control policies, for the IBM Cloud

• Host: GitHub
• URL: https://github.com/ibm-cloud/terraform-opa-ibm
• Owner: IBM-Cloud
• Created: 2020-11-13T15:43:28.000Z (about 4 years ago)
• Default Branch: master
• Last Pushed: 2022-09-26T07:24:02.000Z (about 2 years ago)
• Last Synced: 2024-08-03T21:01:43.052Z (4 months ago)
• Topics: ibm-cloud, open-policy-agent, rego, terraform
• Language: Open Policy Agent
• Homepage:
• Size: 5.81 MB
• Stars: 18
• Watchers: 11
• Forks: 9
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        

# terraform-opa-ibm

-   [Introduction](#introduction)

-   [How does terraform-opa-ibm work?](#how-does-terraform-opa-ibm-work)

-   [Framework structure](#framework-structure)

-   [Evaluating terraform-plan locally](#running-terraform-opa-ibm-locally)

## Introduction

This is a Rego based policy library, the policy language used by the Open Policy Agent (OPA), for the `IBM Cloud Provider plugin for Terraform`.  It is designed to be a helper, for your own OPA Policy repository.  This Rego library provides a simple abstractions to read the policy-information generated by Terraform, in a common and consistent manner.  For example, the terraform generated `plan json` file and the `state` file.  It also include a set of generic and customizable Rego rules for IBM Cloud resources, provisioned using `IBM Cloud Provider plugin for Terraform`. It can be used in your DevOps pipelines, to assess for potential mis-configurations or compliance violations in IBM Cloud, prior to the infrastructure deployment.  Use this library to develop the following types of IT Controls policies:

- Naming & tagging policy

- Configuration threshold policy

- Resource sizing policy

- IAM Security policy

- Network Security policy

- Data Security policy

- Change management policy

- and more..

## Framework structure

The directory structure for the framework is as shown below.

```

terraform-opa-ibm

├── README.md

├── lib

│   ├── plan

│   │   └── base_tfplan.rego

│   └── state

│       └── state.rego

└── resources

    ├── ibm_container_vpc_cluster

    │   └── ibm_container_vpc_cluster.rego

    ├── ibm_is_public_gateway

    │   └── ibm_is_public_gateway.rego

    ├── ibm_is_subnet

    │   └── ibm_is_subnet.rego

    └── ibm_is_vpc

        └── ibm_is_vpc.rego

    .

    .

    .

```

- lib directory has Rego functions for terraform plan and generic rules.

- resources directory has the rules-evaluation logic for individual ibmcloud resource.

## Evaluating terraform-plan locally

Install the prerequisites:

- [Open Policy Agent](https://www.openpolicyagent.org/docs/latest/#1-download-opa)

- [Terraform 0.12+](https://www.terraform.io/downloads.html)

## How does terraform-opa-ibm work?

terraform-opa-ibm provides a Rego based function to read the IBM Cloud 'resource' information, provisioned using `IBM Cloud Provider plugin for Terraform`. The functions available to read:

* Resource information from Terraform plan file.

* Resource information from Terraform state file.

##  How to use terraform-opa-ibm in the users policy repo:

### Run the following command:

`git-vendor https://github.com/IBM-Cloud/terraform-opa-ibm.git`

Use the the directory where `terraform-opa-ibm` is vendored and Rego code defined while evaluating the policy. 

Some example:

* To check Terraform plan file against `terraform-op-ibm` based rules:

   

  ```opa eval --format pretty  -d  -d  "data.terraform.analysis.ibm.cos"```

   

* To check Terraform state file against `terraform-op-ibm` based rules:

   

  ```opa eval --format pretty  -d  -d  "data.terraform.analysis.ibm.cos"```