# Security as Code Infrastructure on Proxmox

This repository contains the Infrastructure as Code (IaC) for deploying a secure Kubernetes cluster on Proxmox using Terraform and Ansible, with security policies embedded as code.

## Security Features

### Terraform Security

- **Secure VM Configuration**: Virtual machines are created following security best practices:
  - Non-root SSH users
  - Memory limits to prevent resource exhaustion
  - Only approved template images are used
  - Disk encryption available (currently commented out)
  - All VMs properly tagged for inventory management
  - EFI disks with Secure Boot capability
- **Policy as Code**: Security policies are enforced through:
  - **OPA/Conftest**: Rego policies that enforce security rules during Terraform plan/apply
  - **Trivy**: Comprehensive security scanner for Infrastructure as Code, container images, and dependencies
  - **checkov**: Plan analysis that detects security issues in the final configuration

### Ansible Security

- **SSH Hardening**:
  - Disables password authentication
  - Disables root login
  - Configures secure ciphers and key exchange algorithms
  - Limits user access
- **System Hardening**:
  - Configures audit rules for comprehensive logging (auditd)
  - Implements fail2ban for brute-force protection
  - Configures the UFW firewall with restrictive rules
  - Sets up unattended security updates (excluding Kubernetes components)
  - Persistent journald logging
  - Secure sysctl parameters
- **Kubernetes Security**:
  - RBAC for access control
  - Network Policies for cluster network security
  - Pod Security Standards/Admission for container security

## CI/CD Security Pipeline

The `.gitlab-ci.yml` file defines a complete security pipeline:

1. **Validation Stage**:
   - Terraform validation and formatting check
   - Trivy security scanning for IaC misconfigurations and secrets
   - checkov security scanning
   - Conftest OPA policy validation
2. **Lint Stage**:
   - ansible-lint for playbook security issues
   - Conftest checks for Ansible
3. **Plan/Apply Stage**:
   - Terraform plan reviewed before application
   - Ansible playbook syntax checking
4. **Test Stage**:
   - Verifies that all nodes are properly configured

## Usage

1. Update Terraform variables in `terraform/terraform.tfvars`
2. Run security checks:

   ```
   cd terraform
   terraform init
   terraform plan -out=tfplan
   terraform show -json tfplan > tfplan.json
   conftest test tfplan.json -p policies/
   ```

3. Deploy infrastructure:

   ```
   terraform apply tfplan
   ```

4. Configure nodes with Ansible:

   ```
   cd ../ansible
   ansible-playbook -i inventory/hosts.ini site.yml
   ```

## Policy Enforcement

- All infrastructure changes must pass the security pipeline
- Policy violations halt the deployment process
- Security configuration is maintained by Ansible on a regular schedule

## Monitoring and Maintenance

- Centralized logging configuration
- Audit logs setup for security events
- Automatic security updates
- Network security monitoring

For more details, see the [README.md](README.md) file for general infrastructure information.
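The Conftest step in the usage section evaluates Rego policies against `tfplan.json`; the policy below is an added illustration of the VM rules listed under Terraform Security (approved templates, memory limits, non-root users, inventory tags), not one of this repository's own policies. It assumes the Telmate Proxmox provider resource `proxmox_vm_qemu` with its `clone`, `memory`, `ciuser` and `tags` attributes; the template names and memory ceiling are constructed placeholders.

```rego
package main

import rego.v1

# Added example policy, not the repository's own. Assumes the Telmate
# "proxmox_vm_qemu" resource and its "clone", "memory", "ciuser" and
# "tags" attributes; the template names and memory ceiling are
# constructed placeholders for the values this environment approves.
approved_templates := {"ubuntu-2204-cloudinit", "debian-12-cloudinit"}

max_memory_mb := 8192

# Every Proxmox VM the plan will create or update (pure deletions are exempt).
vm_changes contains rc if {
	some rc in input.resource_changes
	rc.type == "proxmox_vm_qemu"
	rc.change.actions != ["delete"]
}

# Only approved template images may be cloned.
deny contains msg if {
	some rc in vm_changes
	tpl := object.get(rc.change.after, "clone", "")
	not approved_templates[tpl]
	msg := sprintf("%s: template %q is not in the approved list", [rc.address, tpl])
}

# Cap guest memory so a single VM cannot exhaust the host.
deny contains msg if {
	some rc in vm_changes
	rc.change.after.memory > max_memory_mb
	msg := sprintf("%s: memory %v MiB exceeds the %v MiB limit", [rc.address, rc.change.after.memory, max_memory_mb])
}

# The cloud-init login user must not be root.
deny contains msg if {
	some rc in vm_changes
	rc.change.after.ciuser == "root"
	msg := sprintf("%s: cloud-init user must not be root", [rc.address])
}

# Every VM must carry inventory tags.
deny contains msg if {
	some rc in vm_changes
	trim_space(object.get(rc.change.after, "tags", "")) == ""
	msg := sprintf("%s: VM must be tagged for inventory management", [rc.address])
}
```

Placed under `policies/`, it is picked up by `conftest test tfplan.json -p policies/`, so a plan that clones an unapproved template or provisions cloud-init as root fails the validation stage before `terraform apply` runs.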