66 lines
1.7 KiB
Markdown
66 lines
1.7 KiB
Markdown
# Terraform Security as Code
|
|
|
|
This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.
|
|
|
|
## Security Policies
|
|
|
|
Security policies are defined as Open Policy Agent (OPA) Rego files in the `policy/` directory:
|
|
|
|
- **main.rego**: Combined security policy file that includes:
|
|
- VM security (password auth, root login, qemu-agent)
|
|
- Network security (bridge configuration, IPv6, DNS)
|
|
- Provider security (TLS verification, version pinning)
|
|
|
|
## Running Security Checks
|
|
|
|
### Prerequisites
|
|
|
|
1. Install OPA CLI and Conftest:
|
|
```bash
|
|
# Install OPA
|
|
curl -L -o opa https://openpolicy.io/downloads/latest/opa_linux_amd64
|
|
chmod 755 opa
|
|
sudo mv opa /usr/local/bin
|
|
|
|
# Install Conftest
|
|
wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz
|
|
tar xzf conftest_0.42.1_Linux_x86_64.tar.gz
|
|
sudo mv conftest /usr/local/bin
|
|
```
|
|
|
|
2. Install Trivy:
|
|
```bash
|
|
# For Debian/Ubuntu
|
|
sudo apt-get install trivy
|
|
|
|
# For other systems, see: https://aquasecurity.github.io/trivy/latest/getting-started/installation/
|
|
```
|
|
|
|
3. Install Checkov:
|
|
```bash
|
|
pip install checkov
|
|
```
|
|
|
|
### Running Policy Checks
|
|
|
|
1. Generate a Terraform plan and convert to JSON:
|
|
```bash
|
|
cd terraform
|
|
terraform init
|
|
terraform plan -out=tfplan
|
|
terraform show -json tfplan > tfplan.json
|
|
```
|
|
|
|
2. Run Conftest with OPA policies:
|
|
```bash
|
|
conftest test tfplan.json -p policy/
|
|
```
|
|
|
|
3. Run Trivy IaC security scan:
|
|
```bash
|
|
# Skip AWS policies and use variables file
|
|
trivy config --severity HIGH,CRITICAL --skip-policy "aws.*" --tf-vars="variables.tfvars" .
|
|
```
|
|
|
|
4. Run Checkov:
|
|
``` |