Simplified Infrastructure Audit: Terrateam with OPA Policies

Simplified Infrastructure Audit: Terrateam with OPA Policies

In the realm of Terraform, creating infrastructure was a breeze, but challenges loomed. How could teams ensure rule adherence? Were the right tags and naming conventions followed? Many organizations grappled with these questions. Terraform, though efficient, lacked built-in policy enforcement, especially in sprawling infrastructures.

Then came Open Policy Agent (OPA), a guardian of cloud-native landscapes. Traditional tools sometimes stumbled in upholding security and compliance, particularly at scale.

This story is about solutions. It reveals how OPA and Policy as Code automate security and compliance. Meet the dynamic duo: Terrateam and OPA. Together, they ensure each Pull Request adheres to custom policies.

Join us on this journey to see how OPA and Policy as Code redefine infrastructure management, enhancing security, compliance, and efficiency. It's a transformation in just one Pull Request—making everything safer and rule-compliant.

Overview

Greetings Geeks, today we will demonstrate how to run OPA (Open Policy Agent) along with Terrateam in a single Pull Request each time you raise.

  • The policy will be written customarily and can be improved later as needed.

  • The policy will be written inside the policy directory that will later be called when we run OPA with the pipeline of Terrateam.

  • If the OPA policy fails the Terrateam plan fails along with it.

Steps involved:

  1. Installing Terrateam on a GitHub account.

  2. Writing Terrateam configuration file for AWS S3 bucket.

  3. Initializing OPA on Terrateam pipeline using .terrateam/config.yml file.

  4. Writing OPA policies (Rego Language).

  5. Running the pipeline on Pull Request.

  6. Verifying the S3 bucket creation on the AWS account.

Workflow

Before we enter the tutorial, let’s understand the workflow when using Terrateam and OPA to deploy the Terraform configuration.

How does OPA fit in the eco-system?

Open Policy Agent (OPA) can be integrated into the Terraform ecosystem to enhance policy enforcement, security, and compliance within your infrastructure provisioning process.

  • Policy Enforcement

  • Custom Policies

  • Policy Validation

  • Continuous Compliance

  • Policy as Code

  • Policy Testing

  • Multi-Cloud and Multi-Service Support

OPA serves as a valuable addition to the Terraform ecosystem, helping organizations maintain policy compliance, and security, and follow best practices within their infrastructure provisioning processes.

  • We will write a Terraform configuration file along with the Rego policy.

  • We push all configurations on the GitHub repository.

  • GitHub actions will trigger

    • Terrateam plan will trigger along with OPA(Open Policy Agent)

    • If successful, the Terrateam plan will succeed

    • Comment terrateam apply to apply the configuration.

  • AWS S3 will be created on your AWS account.

Pre-Requisites

  • Terraform is installed on the local system.

  • Terrateam is installed on the GitHub account.

  • AWS freemium account.

What is OPA (Open Policy Agent)?

You can use Open Policy Agent (OPA) with Terraform to make sure your infrastructure follows the rules you set. Here's how it helps:

Note: Running an OPA policy is the PERFECT step to take after the Terraform plan. This is EXACTLY what Terrateam does for every Pull Request, along with running a Terrateam plan.

  1. Rule Checker: OPA acts like a rule checker for your Terraform configurations. You can make rules about security, naming, and other important things.

  2. Your Own Rules: You can make your own rules using OPA's language. For example, you can say that no one should access your resources from the internet.

  3. Checking Before Changes: OPA checks your Terraform plans before you make any changes. It helps catch mistakes before they become problems.

  4. Always Compliant: By using OPA, you can be sure that your infrastructure always follows the rules. It checks every time you make changes.

  5. Rules Like Code: Rules are written like code, so you can keep track of them just like your infrastructure code.

  6. Works Everywhere: OPA can be used with different cloud services, making sure your rules work across all your infrastructure.

  7. Require Rego language: OPA depends on Rego policies to enforce rules, make determinations, and guarantee compliance within your system.

In short, OPA for Terraform makes it easier to follow the rules, keeps your infrastructure safe, and helps you fix issues before they cause trouble.

Examples are:

  • Tags checks: OPA policy for certain tags in the plan output of Terraform.

  • Network CIDR: OPA policy to avoid accidentally opening all network IPs with 0.0.0.0/0.

  • Name: OPA policy for a particular naming convention for each resource you make on your cloud platform, for example, Deployment VM name must start with deployment… The production VM name must start with production… and so on.

  • And many more, such as null resources check policy, etc.

Let’s get started with hands-on the tutorial.

For complete code click here.

  • The above configuration will use the pre-defined wrapper of Terrateam for OPA that is conftest-wrapper, now this workflow file will find the policy file at the location AWS-S3/policy/this is the location where we add our rego policy file.

To understand more about Terrateam + OPA visit here.

What is the Rego Policy?

  • In simple terms, a Rego policy for Terraform is like a set of rules that you create to make sure your Terraform infrastructure code follows certain guidelines. It's a way to check if your infrastructure code is doing things the way you want it to.

  • For example, you can make a Rego policy that states, "Whenever you make something that needs certain tags," you can include a check that doesn't pass if those particular tags are missing. Sometimes, when building infrastructure, we might forget to set the correct network rules and accidentally make everything accessible with 0.0.0.0/0. Rego policies can help catch these kinds of mistakes. These policies can be applied using a Rego policy file and will activate whenever someone creates a Pull Request in Terrateam with GitHub Actions.

  • Rego policies help you keep your Terraform projects organized, secure, and compliant with your company's standards. They act like a helpful assistant that ensures your infrastructure code meets your requirements and doesn't accidentally break any rules you've set.

To learn more about Rego visit here

Next, add the rego policy for Terrateam to run the OPA policy check with.

  • Add the below code in AWS/policy/main.rego file.

For complete code visit here.

  • The above Rego file checks for the aws_s3_bucket resources and counts the number of AWS S3 buckets that are being made in the Terraform configuration files if the total count is greater than one it will return with an error and the whole Terrateam plan will fail the process.

  • Next, push all the configurations to the main branch.

  • Create a branch named terrateam-opa

    • git checkout -b terrateam-opa
  • And add the configurations.

  • Now, let’s trigger the OPA policy.

Case 1: Trigger and Fail the policy

  • Add the below configurations in your AWS-S3/main.tf file.

  • Here, we are creating two S3 buckets that will fail the OPA policy that we have written in the main.rego file.

  • Now, push the changes to the GitHub repository.

    • git add .

    • git commit -m “two S3”

    • git push origin terrateam-opa

  • Now create a pull request, you can do this using GitHub UI. Or you can install GitHub CLI in your local, and run the following command.

    • gh pr create --fill

  • Now click on the URL in the command result to see the pipeline run.

  • The pipeline is running, wait for a few minutes.

  • Error!! As expected we got an error, says “more then 1 Resource 'aws_s3_bucket' detected in Terraform plan file

  • This implies that our OPA (Open Policy Agent) is being triggered with the Terrateam pipeline and we have written the right rego policy file, let’s fix all the errors and run the pipeline again.

Case 2: Fixing and running the pipeline.

  • To fix the error we need to fix our main.tf configuration file.

  • Update the main.tf file with the given configuration.

For complete code visit here.

  • The above configuration is making one AWS S3 bucket only and this is perfect for our rego policy.

  • Now update and push the configuration to the repo.

    • git add .

    • git commit -m “OPA runner”

    • git push origin terrateam-opa

  • Wait for a few minutes and let the pipeline go green for success.

  • Comment terrateam apply on the PR and see the magic of Terrateam.

  • On commenting terrateam apply you will find Terrateam has started its magic work.

Checking for S3 on the AWS console

  • Go to your AWS console and search for “S3”

  • Click on “S3”, and you will see a bucket named “infrasity” in the list of buckets.

Congratulations! We have created a S3 bucket with the OPA rego policy applied.

Cleanup (Optional)

  • To avoid the rise in billing amount cleanup is mandatory.

  • Run the below command if you have configured the backend on the cloud (S3 bucket), in your IDE to destroy all the infrastructure we built in the tutorial.

    • terraform init

    • terraform destroy

Conclusion

  1. We’ve learned about OPA (Open Policy Agent) and Rego files.

  2. We have configured OPA with Terrateam in the single pipeline, using a few commands in .terrateam/config.yml .

  3. We’ve raised the PR and implemented two cases.

    1. First, to check if the OPA is running perfectly by failing the pipeline.

    2. Second, run the pipeline perfectly by passing all the OPA rego policies written by us.

  4. We have verified that S3 is made on AWS.

  5. We have also applied a Cleanup process to avoid unwanted rises in bills.

For the complete code visit here.

To learn more about Terrateam visit here.

To learn more about OPA with Terrateam visit here.

Also, check out our blogs available on Hashnode.

Did you find this article valuable?

Support Infrasity Blog by becoming a sponsor. Any amount is appreciated!