OPA AWS Terraform Policy Example (And, Or, Not)
This example demonstrates how to use and, or, and not operators in Rego v1 syntax for AWS Terraform plans.
1. Mock Terraform Plan JSON (aws-plan.json)
{
"resource_changes": [
{
"address": "aws_s3_bucket.demo",
"type": "aws_s3_bucket",
"change": {
"after": {
"acl": "public-read",
"versioning": { "enabled": false },
"server_side_encryption_configuration": null
}
}
},
{
"address": "aws_instance.demo",
"type": "aws_instance",
"change": {
"after": {
"instance_type": "t2.micro",
"associate_public_ip_address": true,
"ebs_optimized": false,
"ebs_block_device": [
{ "device_name": "/dev/sda1", "encrypted": false }
]
}
}
},
{
"address": "aws_security_group.demo",
"type": "aws_security_group",
"change": {
"after": {
"ingress": [
{ "from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"] }
]
}
}
}
]
}
2. S3 Policy (policy/s3.rego)
package terraform.s3
default deny = []
# Deny if ACL is public OR versioning not enabled
deny[msg] if {
rc := input.resource_changes[_]
rc.type == "aws_s3_bucket"
rc.change.after.acl == "public-read" or not rc.change.after.versioning.enabled
msg := sprintf("S3 bucket %s is public OR lacks versioning", [rc.address])
}
# Deny if server-side encryption is missing AND bucket is public
deny[msg] if {
rc := input.resource_changes[_]
rc.type == "aws_s3_bucket"
rc.change.after.acl == "public-read" and not rc.change.after.server_side_encryption_configuration
msg := sprintf("S3 bucket %s is public AND unencrypted", [rc.address])
}
3. EC2 Policy (policy/ec2.rego)
package terraform.ec2
default deny = []
# Deny if instance type is t2.micro OR has a public IP
deny[msg] if {
rc := input.resource_changes[_]
rc.type == "aws_instance"
rc.change.after.instance_type == "t2.micro" or rc.change.after.associate_public_ip_address
msg := sprintf("EC2 %s is t2.micro OR has public IP", [rc.address])
}
# Deny if instance is NOT EBS optimized
deny[msg] if {
rc := input.resource_changes[_]
rc.type == "aws_instance"
not rc.change.after.ebs_optimized
msg := sprintf("EC2 %s is not EBS optimized", [rc.address])
}
# Deny if any EBS volume is NOT encrypted
deny[msg] if {
rc := input.resource_changes[_]
rc.type == "aws_instance"
vol := rc.change.after.ebs_block_device[_]
not vol.encrypted
msg := sprintf("EC2 %s has unencrypted volume %s", [rc.address, vol.device_name])
}
4. Security Group Policy (policy/sg.rego)
package terraform.sg
default deny = []
# Deny if SG allows SSH OR RDP from world
deny[msg] if {
rc := input.resource_changes[_]
rc.type == "aws_security_group"
ing := rc.change.after.ingress[_]
(ing.from_port == 22 or ing.from_port == 3389)
ing.cidr_blocks[_] == "0.0.0.0/0"
msg := sprintf("Security Group %s allows SSH or RDP from world", [rc.address])
}
5. Run OPA Evaluation
opa eval -i aws-plan.json \
-d policy/s3.rego \
-d policy/ec2.rego \
-d policy/sg.rego \
"data.terraform"Expected violations:
- S3 bucket is public OR lacks versioning
- S3 bucket is public AND unencrypted
- EC2 is t2.micro OR has public IP
- EC2 is not EBS optimized
- EC2 has unencrypted volume
- Security Group allows SSH or RDP from world
No comments:
Post a Comment