Terraform rules working
This commit is contained in:
119
terraform/README.md
Normal file
119
terraform/README.md
Normal file
@@ -0,0 +1,119 @@
|
||||
# Terraform Security as Code
|
||||
|
||||
This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.
|
||||
|
||||
## Security Policies
|
||||
|
||||
Security policies are defined as Open Policy Agent (OPA) Rego files in the `policy/` directory:
|
||||
|
||||
- **main.rego**: Combined security policy file that includes:
|
||||
- VM security (password auth, root login, qemu-agent)
|
||||
- Network security (bridge configuration, IPv6, DNS)
|
||||
- Provider security (TLS verification, version pinning)
|
||||
|
||||
## Running Security Checks
|
||||
|
||||
### Prerequisites
|
||||
|
||||
1. Install OPA CLI and Conftest:
|
||||
```bash
|
||||
# Install OPA
|
||||
curl -L -o opa https://openpolicy.io/downloads/latest/opa_linux_amd64
|
||||
chmod 755 opa
|
||||
sudo mv opa /usr/local/bin
|
||||
|
||||
# Install Conftest
|
||||
wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz
|
||||
tar xzf conftest_0.42.1_Linux_x86_64.tar.gz
|
||||
sudo mv conftest /usr/local/bin
|
||||
```
|
||||
|
||||
2. Install tfsec:
|
||||
```bash
|
||||
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
|
||||
```
|
||||
|
||||
3. Install Checkov:
|
||||
```bash
|
||||
pip install checkov
|
||||
```
|
||||
|
||||
### Running Policy Checks
|
||||
|
||||
1. Generate a Terraform plan and convert to JSON:
|
||||
```bash
|
||||
cd terraform
|
||||
terraform init
|
||||
terraform plan -out=tfplan
|
||||
terraform show -json tfplan > tfplan.json
|
||||
```
|
||||
|
||||
2. Run Conftest with OPA policies:
|
||||
```bash
|
||||
conftest test tfplan.json -p policy/
|
||||
```
|
||||
|
||||
3. Run tfsec static analysis:
|
||||
```bash
|
||||
tfsec .
|
||||
```
|
||||
|
||||
4. Run Checkov:
|
||||
```bash
|
||||
checkov -d .
|
||||
```
|
||||
|
||||
## Security Rules
|
||||
|
||||
The following security rules are enforced:
|
||||
|
||||
### VM Security
|
||||
- No password authentication allowed (use SSH keys)
|
||||
- No root user login allowed
|
||||
- qemu-agent must be enabled
|
||||
|
||||
### Network Security
|
||||
- Only secure network bridge (vmbr2) allowed
|
||||
- IPv6 must be disabled
|
||||
- Only approved DNS servers allowed
|
||||
|
||||
### Provider Security
|
||||
- TLS verification must be enabled
|
||||
- Provider version must be pinned
|
||||
- Timeout values must be reasonable
|
||||
|
||||
## Security Best Practices
|
||||
|
||||
1. Use environment variables for sensitive values:
|
||||
```bash
|
||||
export TF_VAR_pm_password="your-password"
|
||||
```
|
||||
|
||||
2. Keep provider versions pinned in `.terraform.lock.hcl`:
|
||||
```bash
|
||||
# Pre-populate hashes for multiple platforms
|
||||
terraform providers lock \
|
||||
-platform=linux_amd64 \
|
||||
-platform=darwin_amd64 \
|
||||
-platform=windows_amd64
|
||||
```
|
||||
|
||||
3. Never commit plain-text secrets (use a vault solution)
|
||||
|
||||
4. Always verify TLS certificates (`pm_tls_insecure = false`)
|
||||
|
||||
5. Use Terraform workspaces for better environment separation
|
||||
|
||||
## Policy Testing
|
||||
|
||||
The policy tests verify:
|
||||
1. Policy evaluation is working
|
||||
2. Terraform plan data is loaded correctly
|
||||
3. Security rules are being checked
|
||||
|
||||
Run tests with:
|
||||
```bash
|
||||
conftest test tfplan.json -p policy/
|
||||
```
|
||||
|
||||
A successful test run will show passed tests and any security violations found in your configuration.
|
||||
Reference in New Issue
Block a user