HashiTalks: Secure 2023

This repository contains code used during my presentation for HashiTalks: Secure 2023 titled "Building end-to-end secure workflows for Terraform deployments from code to runtime". The code in this repo is for demonstration purposes only. If you have any questions about how to use this code, or if you run into any issues, feel free to contact me directly on LinkedIn.

You can find the recording of the talk on YouTube:

Building End-To-End Secure Workflows for Terraform from Code to Runtime

Prerequisites

To try the code in this repository, you will need the following:

Setup Okta Dev Account

If you do not already have an Okta development environment, sign up for a free account at developer.okta.com.

Okta HealthInsights


Okta HealthInsights provides recommended security tasks to improve security for an Okta org. The Terraform code in this repository configures all of the recommended tasks and recommendations.

Create an Okta API token

To manage Okta with Terraform and scan Okta with cnspec, you will need an Okta API token. Visit Create an API token to learn how to create an API token.

Fork and clone this repository

If you want to try this code, the first thing you should do is fork it, then clone it locally.

Configure Okta Provider for Terraform

Okta builds and maintains the Terraform Provider for Okta to manage Okta Organizations using infrastructure as code. To configure the provider, create a terraform.tfvars file with the following values:

api_token = "<YOUR_TOKEN>"
org_name = "<YOUR_ORG>"
base_url = "<YOUR_BASE_URL>"

About Terraform Backend

This repository is configured to use my own GCP GCS bucket for the Terraform backend to store the state file. If you are unfamiliar with how to set up a Terraform backend, see Backend Configuration on the Terraform site. If you are still stuck, reach out to me... I am a pretty nice guy (most of the time) and would be happy to help! 🙌🏻

Terraform Init

Once the backend is configured, cd into the terraform directory in this repo and run terraform init to download the modules and initialize the backend.

Security scan Terraform HCL with cnspec (pre-plan)

Run the following command from the root directory of this repository to scan the Terraform code in this repository before you apply any changes to your Okta environment:

cnspec scan terraform ./terraform -f policies/okta-security.mql.yaml

Security scan Terraform Plan with cnspec (post-plan)

The policy in this repository also supports scanning Terraform plan files, which gives a deeper understanding of the configuration changes that are about to be applied.

Generate a Terraform plan.json to scan

cd terraform
terraform plan -out tfplan
terraform show -json tfplan > tfplan.json

Scan the Terraform tfplan.json

cnspec scan terraform plan tfplan.json -f policies/okta-security.mql.yaml
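To make the post-plan step concrete, here is an added example (not code from this repository or from cnspec) that reads the `resource_changes` array of a `terraform show -json` plan, groups the planned okta_* changes by action, and returns the items a reviewer should look at before `terraform apply`. The inline plan is a constructed, trimmed sample, and the password-length threshold is a hypothetical rule chosen for illustration, not one taken from `policies/okta-security.mql.yaml`.

```python
import json
from collections import defaultdict

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields this check reads; a real tfplan.json carries many more keys.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "okta_policy_password.default", "type": "okta_policy_password",
         "change": {"actions": ["update"], "after": {"password_min_length": 8}}},
        {"address": "okta_policy_signon.admins", "type": "okta_policy_signon",
         "change": {"actions": ["create"], "after": {"status": "ACTIVE"}}},
        {"address": "okta_app_oauth.legacy", "type": "okta_app_oauth",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "google_storage_bucket.state", "type": "google_storage_bucket",
         "change": {"actions": ["no-op"], "after": {}}},
    ],
})

MIN_PASSWORD_LENGTH = 12  # hypothetical threshold, not the repository's policy value


def planned_okta_changes(plan_json: str) -> dict:
    """Group planned okta_* resource addresses by Terraform action."""
    by_action = defaultdict(list)
    for rc in json.loads(plan_json).get("resource_changes", []):
        if not rc["type"].startswith("okta_"):
            continue
        actions = rc["change"]["actions"]
        # Terraform encodes a replacement as two actions, e.g. ["delete", "create"].
        key = "replace" if len(actions) > 1 else actions[0]
        by_action[key].append(rc["address"])
    return dict(by_action)


def review_findings(plan_json: str) -> list:
    """Return (address, message) pairs that deserve a look before apply."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if not rc["type"].startswith("okta_"):
            continue
        actions = rc["change"]["actions"]
        after = rc["change"].get("after") or {}  # "after" is null on delete
        if rc["type"] == "okta_policy_password":
            n = after.get("password_min_length")
            if n is not None and n < MIN_PASSWORD_LENGTH:
                findings.append((rc["address"], f"password_min_length {n} < {MIN_PASSWORD_LENGTH}"))
        if "delete" in actions:
            findings.append((rc["address"], "destructive action: " + "/".join(actions)))
    return findings
```

Point either function at the contents of your own `tfplan.json` to see the same summary for a real plan; the non-Okta bucket entry in the sample shows that unrelated resources are skipped.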