vadzik/sac_project
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9b34cd9199ab3f91e41c3559b4662271ed0e9b8e
sac_project/terraform/README.md
vadzik f4d28d47a9 Terraform rules working
2025-05-16 14:00:50 +03:00

119 lines
2.9 KiB
Markdown
Raw Blame History

# Terraform Security as Code
This directory contains Terraform configurations for creating a Kubernetes cluster on Proxmox VMs. Security is implemented as code through policy checks.
## Security Policies
Security policies are defined as Open Policy Agent (OPA) Rego files in the `policy/` directory:
- **main.rego**: Combined security policy file that includes:
- VM security (password auth, root login, qemu-agent)
- Network security (bridge configuration, IPv6, DNS)
- Provider security (TLS verification, version pinning)
## Running Security Checks
### Prerequisites
1. Install OPA CLI and Conftest:
```bash
# Install OPA
curl -L -o opa https://openpolicy.io/downloads/latest/opa_linux_amd64
chmod 755 opa
sudo mv opa /usr/local/bin
# Install Conftest
wget https://github.com/open-policy-agent/conftest/releases/download/v0.42.1/conftest_0.42.1_Linux_x86_64.tar.gz
tar xzf conftest_0.42.1_Linux_x86_64.tar.gz
sudo mv conftest /usr/local/bin
```
2. Install tfsec:
```bash
curl -s https://raw.githubusercontent.com/aquasecurity/tfsec/master/scripts/install_linux.sh | bash
```
3. Install Checkov:
```bash
pip install checkov
```
### Running Policy Checks
1. Generate a Terraform plan and convert to JSON:
```bash
cd terraform
terraform init
terraform plan -out=tfplan
terraform show -json tfplan > tfplan.json
```
2. Run Conftest with OPA policies:
```bash
conftest test tfplan.json -p policy/
```
3. Run tfsec static analysis:
```bash
tfsec .
```
4. Run Checkov:
```bash
checkov -d .
```
## Security Rules
The following security rules are enforced:
### VM Security
- No password authentication allowed (use SSH keys)
- No root user login allowed
- qemu-agent must be enabled
### Network Security
- Only secure network bridge (vmbr2) allowed
- IPv6 must be disabled
- Only approved DNS servers allowed
### Provider Security
- TLS verification must be enabled
- Provider version must be pinned
- Timeout values must be reasonable
## Security Best Practices
1. Use environment variables for sensitive values:
```bash
export TF_VAR_pm_password="your-password"
```
2. Keep provider versions pinned in `.terraform.lock.hcl`:
```bash
# Pre-populate hashes for multiple platforms
terraform providers lock \
-platform=linux_amd64 \
-platform=darwin_amd64 \
-platform=windows_amd64
```
3. Never commit plain-text secrets (use a vault solution)
4. Always verify TLS certificates (`pm_tls_insecure = false`)
5. Use Terraform workspaces for better environment separation
## Policy Testing
The policy tests verify:
1. Policy evaluation is working
2. Terraform plan data is loaded correctly
3. Security rules are being checked
Run tests with:
```bash
conftest test tfplan.json -p policy/
```
A successful test run will show passed tests and any security violations found in your configuration.
Reference in New Issue View Git Blame Copy Permalink