# Terraform Security as Code

This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.

## Security Policies

Security policies are defined as Open Policy Agent (OPA) Rego files in the `policy/` directory:

- **main.rego**: Combined security policy file that includes:
  - VM security (password auth, root login, qemu-agent)
  - Network security (bridge configuration, IPv6, DNS)
  - Provider security (TLS verification, version pinning)

## Running Security Checks

### Prerequisites

1. Install OPA CLI and Conftest:
   ```bash
   # Install OPA
   curl -L -o opa https://openpolicy.io/downloads/latest/opa_linux_amd64
   chmod 755 opa
   sudo mv opa /usr/local/bin
   
   # Install Conftest
   wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz
   tar xzf conftest_0.42.1_Linux_x86_64.tar.gz
   sudo mv conftest /usr/local/bin
   ```

2. Install Trivy:
   ```bash
   # For Debian/Ubuntu
   sudo apt-get install trivy

   # For other systems, see: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
   ```

3. Install Checkov:
   ```bash
   pip install checkov
   ```

### Running Policy Checks

1. Generate a Terraform plan and convert to JSON:
   ```bash
   cd terraform
   terraform init
   terraform plan -out=tfplan
   terraform show -json tfplan > tfplan.json
   ```

2. Run Conftest with OPA policies:
   ```bash
   conftest test tfplan.json -p policy/
   ```

3. Run Trivy IaC security scan:
   ```bash
   # Skip AWS policies and use variables file
   trivy config --severity HIGH,CRITICAL --skip-policy "aws.*" --tf-vars="variables.tfvars" .
   ```

4. Run Checkov:
   ```