vadzik/sac_project
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b34cd9199ab3f91e41c3559b4662271ed0e9b8e
sac_project/terraform/README.md
vadzik f4d28d47a9 Terraform rules working
2025-05-16 14:00:50 +03:00

2.9 KiB
Raw Blame History

Terraform Security as Code

This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.

Security Policies

Security policies are defined as Open Policy Agent (OPA) Rego files in the policy/ directory:

  • main.rego: Combined security policy file that includes:
    • VM security (password auth, root login, qemu-agent)
    • Network security (bridge configuration, IPv6, DNS)
    • Provider security (TLS verification, version pinning)

Running Security Checks

Prerequisites

  1. Install OPA CLI and Conftest:

    # Install OPA
curl -L -o opa https://openpolicy.io/downloads/latest/opa_linux_amd64
chmod 755 opa
sudo mv opa /usr/local/bin

# Install Conftest
wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz
tar xzf conftest_0.42.1_Linux_x86_64.tar.gz
sudo mv conftest /usr/local/bin

  2. Install tfsec:

    curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash

  3. Install Checkov:

    pip install checkov

Running Policy Checks

  1. Generate a Terraform plan and convert to JSON:

    cd terraform
terraform init
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json

  2. Run Conftest with OPA policies:

    conftest test tfplan.json -p policy/

  3. Run tfsec static analysis:

    tfsec .

  4. Run Checkov:

    checkov -d .

Security Rules

The following security rules are enforced:

VM Security

  • No password authentication allowed (use SSH keys)
  • No root user login allowed
  • qemu-agent must be enabled

Network Security

  • Only secure network bridge (vmbr2) allowed
  • IPv6 must be disabled
  • Only approved DNS servers allowed

Provider Security

  • TLS verification must be enabled
  • Provider version must be pinned
  • Timeout values must be reasonable

Security Best Practices

  1. Use environment variables for sensitive values:

    export TF_VAR_pm_password="your-password"

  2. Keep provider versions pinned in .terraform.lock.hcl:

    # Pre-populate hashes for multiple platforms
terraform providers lock \
  -platform=linux_amd64 \
  -platform=darwin_amd64 \
  -platform=windows_amd64

  3. Never commit plain-text secrets (use a vault solution)

  4. Always verify TLS certificates (pm_tls_insecure = false)

  5. Use Terraform workspaces for better environment separation

Policy Testing

The policy tests verify:

  1. Policy evaluation is working
  2. Terraform plan data is loaded correctly
  3. Security rules are being checked

Run tests with:

conftest test tfplan.json -p policy/

A successful test run will show passed tests and any security violations found in your configuration.

Reference in New Issue View Git Blame Copy Permalink