Skip to content
/ terraform-opa-ibm Public

An OPA library to develop IT Control policies, for the IBM Cloud

18 stars 9 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

IBM-Cloud/terraform-opa-ibm

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

39 Commits
examples
examples
 
 
lib
lib
 
 
resources
resources
 
 
README.md
README.md
 
 

Repository files navigation

terraform-opa-ibm

Introduction

This is a Rego based policy library, the policy language used by the Open Policy Agent (OPA), for the IBM Cloud Provider plugin for Terraform. It is designed to be a helper, for your own OPA Policy repository. This Rego library provides a simple abstractions to read the policy-information generated by Terraform, in a common and consistent manner. For example, the terraform generated plan json file and the state file. It also include a set of generic and customizable Rego rules for IBM Cloud resources, provisioned using IBM Cloud Provider plugin for Terraform. It can be used in your DevOps pipelines, to assess for potential mis-configurations or compliance violations in IBM Cloud, prior to the infrastructure deployment. Use this library to develop the following types of IT Controls policies:

  • Naming & tagging policy
  • Configuration threshold policy
  • Resource sizing policy
  • IAM Security policy
  • Network Security policy
  • Data Security policy
  • Change management policy
  • and more..

Framework structure

The directory structure for the framework is as shown below.

terraform-opa-ibm
├── README.md
├── lib
│   ├── plan
│   │   └── base_tfplan.rego
│   └── state
│       └── state.rego
└── resources
    ├── ibm_container_vpc_cluster
    │   └── ibm_container_vpc_cluster.rego
    ├── ibm_is_public_gateway
    │   └── ibm_is_public_gateway.rego
    ├── ibm_is_subnet
    │   └── ibm_is_subnet.rego
    └── ibm_is_vpc
        └── ibm_is_vpc.rego
    .
    .
    .
  • lib directory has Rego functions for terraform plan and generic rules.
  • resources directory has the rules-evaluation logic for individual ibmcloud resource.

Evaluating terraform-plan locally

Install the prerequisites:

How does terraform-opa-ibm work?

terraform-opa-ibm provides a Rego based function to read the IBM Cloud 'resource' information, provisioned using IBM Cloud Provider plugin for Terraform. The functions available to read:

  • Resource information from Terraform plan file.
  • Resource information from Terraform state file.

How to use terraform-opa-ibm in the users policy repo:

Run the following command:

git-vendor https://github.com/IBM-Cloud/terraform-opa-ibm.git

Use the the directory where terraform-opa-ibm is vendored and Rego code defined while evaluating the policy.

Some example:

  • To check Terraform plan file against terraform-op-ibm based rules:

    opa eval --format pretty -d <path_to_terraform-opa-ibm based rule> -d <path-to-plan-json-file> "data.terraform.analysis.ibm.cos"

  • To check Terraform state file against terraform-op-ibm based rules:

    opa eval --format pretty -d <path_to_terraform-opa-ibm based rule> -d <path-to-state-json-file> "data.terraform.analysis.ibm.cos"

About

An OPA library to develop IT Control policies, for the IBM Cloud

Topics

terraform ibm-cloud open-policy-agent rego

Resources

Readme
Activity
Custom properties

Stars

18 stars

Watchers

11 watching

Forks

9 forks
Report repository

Releases 27

terraform-opa-ibmv1.45.0 Latest
Sep 26, 2022
+ 26 releases

Packages

No packages published

Contributors 5

Languages