Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/pulumi/pulumi-policy-opa
A bridge enabling Pulumi CrossGuard to run OPA rules
https://github.com/pulumi/pulumi-policy-opa
Last synced: 3 months ago
A bridge enabling Pulumi CrossGuard to run OPA rules
- Host: GitHub
- URL: https://github.com/pulumi/pulumi-policy-opa
- Owner: pulumi
- Created: 2019-11-28T00:28:48.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2024-06-20T02:45:23.000Z (5 months ago)
- Last Synced: 2024-07-25T12:51:52.270Z (4 months ago)
- Language: Go
- Size: 270 KB
- Stars: 12
- Watchers: 21
- Forks: 3
- Open Issues: 6
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-opa - Pulumi OPA Bridge for CrossGuard - This project allows OPA rules to be run in the context of Pulumi's policy system, CrossGuard (Infrastructure as Code / Datasource Integrations Blogs and Articles)
README
# Pulumi Open Policy Agent (OPA) Bridge for CrossGuard
This project allows Open Policy Agent (OPA) rules to be run in the context of Pulumi's policy system, CrossGuard.
## How it works
Pulumi can enforce policies during a deployment. This includes during a "preview" -- before a deployment is attempted --
in addition to afterwards -- when certain other properties are known.

The OPA integration implements the Pulumi plugin interface for policies. Unlike Pulumi's standard approach to
implementing policy rules using [an SDK in a general purpose language](https://github.com/pulumi/pulumi-policy),
this bridge lets you author Pulumi CrossGuard policies using OPA and `.rego` syntax.

## How to use OPA with Pulumi CrossGuard
First, install the OPA policy analyzer plugin.
```
$ pulumi plugin install analyzer policy-opa v0.0.2
[analyzer plugin policy-opa-0.0.2] installing
Downloading plugin: 6.11 MiB / 6.11 MiB [===========================] 100.00% 0s
Moving plugin... done.
```

You can now use OPA policy packs. Create a folder that contains two files - a `PulumiPolicy.yaml` and one or more `.rego` files.
```
$ cat PulumiPolicy.yaml
description: A minimal Policy Pack for Kubernetes using OPA.
runtime: opa
```

```
$ cat labels.rego
package kubernetes

name = input.metadata.name

labels {
    input.metadata.labels["app.kubernetes.io/name"]
    input.metadata.labels["app.kubernetes.io/instance"]
    input.metadata.labels["app.kubernetes.io/version"]
    input.metadata.labels["app.kubernetes.io/component"]
    input.metadata.labels["app.kubernetes.io/part-of"]
    input.metadata.labels["app.kubernetes.io/managed-by"]
}

deny[msg] {
    input.kind = "Deployment"
    not labels
    msg = sprintf("%s must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels ", [name])
}
```

You can now run an update on a Pulumi program locally using `pulumi up --policy-pack`, passing the path to the folder you created in the previous step.
```
$ pulumi up --policy-pack ../policy-kubernetes
Previewing update (dev):
Type Name Plan Info
+ pulumi:pulumi:Stack simple-kubernetes-dev create 1 error
+ └─ kubernetes:apps:Deployment nginx create
Diagnostics:
pulumi:pulumi:Stack (simple-kubernetes-dev):
error: preview failed
Policy Violations:
[mandatory] kubernetes v0.0.1 deny (nginx: kubernetes:apps/v1:Deployment)
nginx-me0llhgr must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels
```

Note that the policy above was implemented in `labels.rego` using the Rego language, but applied to the deployment of a Pulumi program written in TypeScript. Note also that the policy was run *before* the resource was deployed, and failed the preview stage. This allows OPA policies to be enforced very early in the development and deployment process - close to the developers creating the infrastructure - allowing for a quicker security and policy feedback loop for the cloud engineering team.
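To make the semantics of the `labels` and `deny` rules above concrete, here is an added Python stand-in for the same checks. It is not part of pulumi-policy-opa (the plugin hands the Rego to OPA itself); it only mirrors the rule logic so the evaluation order is visible: `labels` holds only when all six keys are present, `deny` fires only for `Deployment` resources for which `labels` is undefined, and other kinds pass untouched. The function names and the sample manifests are constructed for this illustration.

```python
"""Python stand-in for the labels.rego policy shown in the README.

Added illustration, not pulumi-policy-opa code: it reproduces what the Rego
rules evaluate to for a few constructed Kubernetes resource inputs.
"""
from typing import Any, Dict, List

# The six recommended labels required by the Rego `labels` rule (same set as labels.rego).
RECOMMENDED_LABELS = (
    "app.kubernetes.io/name",
    "app.kubernetes.io/instance",
    "app.kubernetes.io/version",
    "app.kubernetes.io/component",
    "app.kubernetes.io/part-of",
    "app.kubernetes.io/managed-by",
)

LABELS_DOC = (
    "https://kubernetes.io/docs/concepts/overview/"
    "working-with-objects/common-labels/#labels"
)


def has_recommended_labels(resource: Dict[str, Any]) -> bool:
    """Equivalent of the Rego `labels` rule: true only when every key is present.

    In Rego, `input.metadata.labels["k"]` is simply undefined (not an error)
    when the key, or the whole `labels` map, is missing; any undefined line
    makes the rule body fail, so a partially labelled resource still fails.
    """
    labels = resource.get("metadata", {}).get("labels") or {}
    return all(key in labels for key in RECOMMENDED_LABELS)


def deny(resource: Dict[str, Any]) -> List[str]:
    """Equivalent of the Rego `deny[msg]` partial set rule.

    Returns the violation messages for this resource; an empty list means the
    resource passes. CrossGuard treats any deny message as a failed preview.
    """
    msgs: List[str] = []
    # `input.kind = "Deployment"` and `not labels` must both hold for a denial.
    if resource.get("kind") == "Deployment" and not has_recommended_labels(resource):
        name = resource.get("metadata", {}).get("name")
        # Same message text as the sprintf in labels.rego (trailing space included).
        msgs.append(f"{name} must include Kubernetes recommended labels: {LABELS_DOC} ")
    return msgs


# Constructed sample inputs (hypothetical; not taken from the README's run).
UNLABELED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "nginx", "labels": {"app": "nginx"}},
}

LABELED_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "nginx", "labels": {k: "demo" for k in RECOMMENDED_LABELS}},
}

# No `labels` map at all: the Rego lookups are undefined, so `labels` fails.
NO_LABELS_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "bare"}}

# Not a Deployment: the first line of the deny body fails, so no message.
UNLABELED_SERVICE = {"kind": "Service", "metadata": {"name": "nginx-svc"}}

if __name__ == "__main__":
    for res in (UNLABELED_DEPLOYMENT, LABELED_DEPLOYMENT, NO_LABELS_DEPLOYMENT, UNLABELED_SERVICE):
        print(res["kind"], res["metadata"]["name"], "->", deny(res) or "ok")
```

The point worth noticing is the negation: `not labels` in Rego is true whenever `labels` is undefined, which covers both a missing key and a missing `metadata.labels` map, so the policy does not need a separate existence check for the map.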
This policy pack can also be [published to the Pulumi Service](https://www.pulumi.com/docs/get-started/crossguard/enforcing-a-policy-pack/) so that it will be enforced across your Organization.
```
$ pulumi policy publish
Obtaining policy metadata from policy plugin
Compressing policy pack
Uploading policy pack to Pulumi service
Publishing "kubernetes" to "myorg"
Published as version 1
Permalink: https://app.pulumi.com/myorg/policypacks/kubernetes/1
```

For more details on working with Policy as Code in Pulumi, see the CrossGuard documentation at https://www.pulumi.com/docs/guides/crossguard/.