Terraform Security as Code
This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.
Security Policies
Security policies are defined as Open Policy Agent (OPA) Rego files in the policy/ directory:
- main.rego: Combined security policy file that includes:
- VM security (password auth, root login, qemu-agent)
- Network security (bridge configuration, IPv6, DNS)
- Provider security (TLS verification, version pinning)
Running Security Checks
Prerequisites
-
Install OPA CLI and Conftest:
# Install OPA curl -L -o opa https://openpolicy.io/downloads/latest/opa_linux_amd64 chmod 755 opa sudo mv opa /usr/local/bin # Install Conftest wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz tar xzf conftest_0.42.1_Linux_x86_64.tar.gz sudo mv conftest /usr/local/bin -
Install Trivy:
# For Debian/Ubuntu sudo apt-get install trivy # For other systems, see: https://aquasecurity.github.io/trivy/latest/getting-started/installation/ -
Install Checkov:
pip install checkov
Running Policy Checks
-
Generate a Terraform plan and convert to JSON:
cd terraform terraform init terraform plan -out=tfplan terraform show -json tfplan > tfplan.json -
Run Conftest with OPA policies:
conftest test tfplan.json -p policy/ -
Run Trivy IaC security scan:
# Skip AWS policies and use variables file trivy config --severity HIGH,CRITICAL --skip-policy "aws.*" --tf-vars="variables.tfvars" . -
Run Checkov: