OPA - For Terraform

 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 All Credits to this video creator : https://www.youtube.com/watch?v=deu-BpE1L98

 https://github.com/open-policy-agent/opa    -- Github library for OPA

 List of Adobters : https://github.com/open-policy-agent/opa/blob/main/ADOPTERS.md

 

Github repo for Regula : https://github.com/fugue/regula

 You may have the question if there already have OPA why did you make regula. Well Regula adds to OPA  loads of capabilities , convenience features for doing infrastructure as code security assessment

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

OPA


 

 


 Sample of Rego Code : 

 


If you are doing Policy as a Code what you are really doing is testing configurations and this really comes down to looking what a configuration is and deciding if this all fair game or possible errors with it.  And in order to express these policy rules you need a language

Other alternatives to Rego is sequel , may be Graph database for JSON support or just using a regular Java Script or Python. But I think OPA Rego has so many things that makes it ideal for this use case.

Another query language is JQueue

OPA  has this build in testing frame-work

OPA  uses packages so that you can group code together

package simple  --You can call this defining a package or opening a package

If I open up an interpreter 

> opa run simple

> data.simple.allow 

false


You declare a package and put in a bunch of declarations.

If we go to an example of a IaC , we have a terraform file here


We cannot use this HCL file directly as an input document to rego . So what usually happens is we use terraform to first convert this to a Plan file.

 > terraform plan -out tmp.plan

Then convert this to JSON.

> terraform show -json tmp.plan 

 This is how a terraform plan looks like 



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 Lets say we want all the departments to have a department tag.


If I want to run something with plan rego . we can always use opa eval .


There are two ways that we can write the rule. instead of planned_values we can also use "resource_changes"


Do you really look at planned changes or resource change -- It is really a mix of the both . You really want to take the union of the both . 

There are complexities to work with the JSON file for we need to get into the JSON plan.

If we use regula we can remove loads of complexity

Below is the same rule written in Regula.


rule.department_tag -- rule is the namespace. And that's the way it picks up all that rules it wants to run.

Here we care about a single resource type . We have a default allow = false







 

 

 

 

 

 

 

 

 

 

 

 

Comments

Post a Comment

Popular posts from this blog

OPA : Introduction to OPA

Image
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  OPA :  https://www.youtube.com/watch?v=Vdy26oA3py8    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  How OPA works ?  Alice is the customer support rep and she has access to all the service such as (payments / Accounts / Promotions / Notification ) etc . And if she get access to all the system that is not all right . If she decides to bring down all the services she can do which can lead to failure of service. Also if she wants to look up where Bob lives she can do that and find out all his personally identifiable information again this is not Ideal. So what we want to do is put some guard rails into the system to prevent these kinds of things from happening .  In order to get alice do all her job and yet does not hamper the security of the system we are going to put but she cannot do anything that is harmful to the system . In order to do th...
Read more

IP Cutover

Image
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ IP Cutover is needed when the Base machine is CentOS-6 and the VM is CentOS-7 Lets consider this server running in CentOS 6 ,and now the application team is asking to cut-over , they will come to us for the cut over when we have the new and the old server ready . netutils02-eq This IP is reachable from our work station. We will need to disable the IP address in this server and enable the IP address in another server new server . We need to shutdown the interface first . $ /sbin/ifdown ens192 Before that we need to go to checkMK and make sure this server is configured for downtime . The two servers will have different IP addresses though they might be running in the same network. once the interface is down we will not be able to ping this IP address from our workstation.  Once after checking the checkMK if the server CentOS is ...
Read more

FIRST-SUCCESSFUL SCRIPT -- NEEDED EDITION -- FIRST SUCCESSFUL ONE

#!/bin/bash # Server Tested : compute90-cc : 8.25.218.59 10.170.16.186 : compute90-cc.packet8-pilot.net #####   --  Author of Script  - Sreejith Balakrishnan    #####       Purpose : 1. This script capture failed logins for root users whoever fails to connect successfully in their first 5 attempts  #####                 2. And only if those 5 failed attempts happens within 15 min timeline -- In such cases logs are generated #set -x ###----------------- ##### Declarations : ###----------------- #####   --  Put in the number of Failed Login Attempts you want to capture attempted_counts=5 #####   --  Time in minutes within which the count of login attempts to be captured seconds=900 ###------------------------ ##### End of Declations : ###------------------------ root_login(){ #rm -Rf /tmp/logins_1.log #rm -Rf /tmp/logins_2.log #rm -Rf /tmp/logins_11.log #rm -Rf...
Read more