# Terraform Security as Code

This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.

## Security Policies

Security policies are defined as Open Policy Agent (OPA) Rego files in the `policy/` directory:

- **main.rego**: Combined security policy file that includes:
  - VM security (password auth, root login, qemu-agent)
  - Network security (bridge configuration, IPv6, DNS)
  - Provider security (TLS verification, version pinning)

## Running Security Checks

### Prerequisites

1. Install OPA CLI and Conftest:

```bash
# Install OPA (official download URL)
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
chmod 755 opa
sudo mv opa /usr/local/bin

# Install Conftest
wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz
tar xzf conftest_0.42.1_Linux_x86_64.tar.gz
sudo mv conftest /usr/local/bin
```

2. Install tfsec:

```bash
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
```

3. Install Checkov:

```bash
pip install checkov
```

### Running Policy Checks

1. Generate a Terraform plan and convert it to JSON:

```bash
cd terraform
terraform init
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
```

2. Run Conftest with the OPA policies:

```bash
conftest test tfplan.json -p policy/
```

3. Run tfsec static analysis:

```bash
tfsec .
```

4. Run Checkov:

```bash
checkov -d .
```

## Security Rules

The following security rules are enforced:

### VM Security

- No password authentication allowed (use SSH keys)
- No root user login allowed
- qemu-agent must be enabled

### Network Security

- Only the approved network bridge (vmbr2) is allowed
- IPv6 must be disabled
- Only approved DNS servers are allowed

### Provider Security

- TLS verification must be enabled
- Provider version must be pinned
- Timeout values must be reasonable

## Security Best Practices

1. Use environment variables for sensitive values:

```bash
export TF_VAR_pm_password="your-password"
```

2. Keep provider versions pinned in `.terraform.lock.hcl`:

```bash
# Pre-populate hashes for multiple platforms
terraform providers lock \
  -platform=linux_amd64 \
  -platform=darwin_amd64 \
  -platform=windows_amd64
```

3. Never commit plain-text secrets (use a vault solution)
4. Always verify TLS certificates (`pm_tls_insecure = false`)
5. Use Terraform workspaces for better environment separation

## Policy Testing

The policy tests verify:

1. Policy evaluation is working
2. Terraform plan data is loaded correctly
3. Security rules are being checked

Run tests with:

```bash
conftest test tfplan.json -p policy/
```

A successful test run will show the passed tests and any security violations found in your configuration.
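The following is an added example of how a subset of the rules above (qemu-agent, root login, password auth, bridge, TLS verification) can be expressed as a Conftest policy over `tfplan.json`; it is not the repository's own `main.rego`. It assumes the telmate/proxmox provider's `proxmox_vm_qemu` resource and its `agent`, `ciuser`, `cipassword`, `network[].bridge` and `pm_tls_insecure` attribute names; adjust these if a different provider is in use.

```rego
package main

# Added example policy for Conftest, not the repository's own main.rego.
# Resource and attribute names assume the telmate/proxmox provider
# (proxmox_vm_qemu: agent, ciuser, cipassword, network[].bridge, pm_tls_insecure).

approved_bridge := "vmbr2"

# Every VM the plan will create or update, keyed by its resource address.
vms[addr] = rc.change.after {
    rc := input.resource_changes[_]
    rc.type == "proxmox_vm_qemu"
    addr := rc.address
}

# VM security: the QEMU guest agent must be enabled (fires when absent or 0).
deny[msg] {
    vm := vms[addr]
    not vm.agent == 1
    msg := sprintf("%s: qemu-agent must be enabled (agent = 1)", [addr])
}

# VM security: cloud-init must not provision root or a password; use SSH keys.
deny[msg] {
    vm := vms[addr]
    vm.ciuser == "root"
    msg := sprintf("%s: root login is not allowed, set a non-root ciuser", [addr])
}

deny[msg] {
    vm := vms[addr]
    is_string(vm.cipassword); vm.cipassword != ""
    msg := sprintf("%s: password authentication is not allowed, use sshkeys", [addr])
}

# Network security: every NIC must sit on the approved bridge.
deny[msg] {
    nic := vms[addr].network[_]
    nic.bridge != approved_bridge
    msg := sprintf("%s: bridge %q is not the approved bridge %q", [addr, nic.bridge, approved_bridge])
}

# Provider security: TLS verification must not be switched off.
deny[msg] {
    prov := input.configuration.provider_config[_]
    prov.name == "proxmox"
    prov.expressions.pm_tls_insecure.constant_value == true
    msg := "provider proxmox: pm_tls_insecure must be false"
}
```

Saved under `policy/`, it is evaluated by the same `conftest test tfplan.json -p policy/` command used above; each `deny` rule that matches is reported as a failure with its message.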