Working tests of policy and policies
@@ -28,9 +28,12 @@ Security policies are defined as Open Policy Agent (OPA) Rego files in the `poli
sudo mv conftest /usr/local/bin
```
2. Install tfsec:
2. Install Trivy:
```bash
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
# For Debian/Ubuntu
sudo apt-get install trivy
# For other systems, see: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
```
3. Install Checkov:
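Review bot: the Debian/Ubuntu install step in this hunk (`sudo apt-get install trivy`) will fail on a stock system, because Trivy is not shipped in the default Debian/Ubuntu package sources; the installation page linked in the following line describes adding Aqua's apt repository and its signing key first, so either put those commands before the `apt-get install` line or drop the apt snippet and keep only the link. Replacing the removed `curl ... | bash` one-liner with a packaged install is otherwise a good move, since the README no longer tells users to pipe an unverified remote script into a shell.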
@@ -53,67 +56,11 @@ Security policies are defined as Open Policy Agent (OPA) Rego files in the `poli
conftest test tfplan.json -p policy/
```
3. Run tfsec static analysis:
3. Run Trivy IaC security scan:
```bash
tfsec .
# Skip AWS policies and use variables file
trivy config --severity HIGH,CRITICAL --skip-policy "aws.*" --tf-vars="variables.tfvars" .
```
4. Run Checkov:
```bash
checkov -d .
```
## Security Rules
The following security rules are enforced:
### VM Security
- No password authentication allowed (use SSH keys)
- No root user login allowed
- qemu-agent must be enabled
### Network Security
- Only secure network bridge (vmbr2) allowed
- IPv6 must be disabled
- Only approved DNS servers allowed
### Provider Security
- TLS verification must be enabled
- Provider version must be pinned
- Timeout values must be reasonable
## Security Best Practices
1. Use environment variables for sensitive values:
```bash
export TF_VAR_pm_password="your-password"
```
2. Keep provider versions pinned in `.terraform.lock.hcl`:
```bash
# Pre-populate hashes for multiple platforms
terraform providers lock \
-platform=linux_amd64 \
-platform=darwin_amd64 \
-platform=windows_amd64
```
3. Never commit plain-text secrets (use a vault solution)
4. Always verify TLS certificates (`pm_tls_insecure = false`)
5. Use Terraform workspaces for better environment separation
## Policy Testing
The policy tests verify:
1. Policy evaluation is working
2. Terraform plan data is loaded correctly
3. Security rules are being checked
Run tests with:
```bash
conftest test tfplan.json -p policy/
```
A successful test run will show passed tests and any security violations found in your configuration.
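Review bot: the `@@ -53,67 +56,11 @@` header shows this hunk replacing 67 lines with 11, which means the `## Security Rules`, `## Security Best Practices` and `## Policy Testing` sections shown here are being removed along with the `tfsec .` step; after the change the README no longer states what the Rego policies enforce (SSH-key-only authentication, `vmbr2` as the only bridge, TLS verification, a pinned provider version) or how to run the policy tests with `conftest test tfplan.json -p policy/`, even though the commit is about those tests, so keep at least the rule list and the testing note or say where they moved. The new `trivy config` line also deserves a comment beyond "Skip AWS policies": why `--skip-policy "aws.*"` is appropriate in a Proxmox repository, and that `--severity HIGH,CRITICAL` drops MEDIUM and LOW findings from the output.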