OPA Use Cases for Terraform

This is @ishikawa_kumo from the Media Headquarters Service Reliability Group (SRG).
SRG (Service Reliability Group) mainly provides cross-cutting infrastructure support for our media services: improving existing services, launching new ones, contributing to OSS, and more.
This article is an expanded version of a previous Qiita post titled "OPA Use Cases for Terraform".
 

Overview


Open Policy Agent (OPA) has become popular in recent years for JSON- and YAML-based Infrastructure as Code (IaC) management; in particular, OPA Gatekeeper for Kubernetes manifests is becoming standard.
On the other hand, integration with tools that excel at describing complex cloud infrastructure, such as Terraform, is still challenging, and there are few real-world examples. There are use cases that combine Terraform Cloud and Styra, but OPA is rarely used in plain Terraform environments (for example, when the backend is S3).
In this article, we will focus on the use cases of OPA in a Terraform environment and how to put it to practical use.

About OPA and Rego


OPA is a centralized engine for evaluating Rego policies. It allows consistent policy enforcement across multiple systems over input data in JSON format. Rego is OPA's domain-specific language and is used to express policies over that data.
Because Rego is a declarative language, complex logical operations and dynamic JSON structures are hard to express in it. Rego policy development also differs substantially from procedural programming, and sometimes policies have to be written from the standpoint of mathematical logic.

Existing Rego policies and related tools

If you start developing Rego without a solid development structure, you may end up with a heavy burden in terms of maintenance. We recommend that you use Rego that has already been created by the community as much as possible.
  • Rego Library: examples of policies shared by the OPA community
For Rego best practices, see the guidance published by Styra, the company behind OPA.
An excellent linter, Regal, is also available, so please try it.

Rego Notes

Below we have summarized some common issues and recommendations for developing Rego policies.
  1. You can't reassign a variable
     Once a variable has been bound with `:=` in a rule body, assigning it again in the same scope is a compile error; use a new name instead.
  2. Safety principles
     Safety: every variable appearing in the head or in a builtin or inside a negation must appear in a non-negated, non-builtin expression in the body of the rule.
     In short, every such variable must have a clear, "non-negated" definition. For example, a rule body consisting only of `not p[x] == 0` never binds `x`, and OPA rejects it with `rego_unsafe_var_error: var x is unsafe`; bind `x` in a positive expression first and negate afterwards.
  3. Setting default values
     A rule whose body never succeeds evaluates to undefined, not false; use a `default` declaration when the policy needs a concrete value.

Selecting Input

OPA evaluates JSON, so every Terraform artifact you want to validate must first be available as JSON.
In a Terraform environment the validation targets are generally:
  • State JSON
    • tfstate (already JSON)
  • Terraform HCL
    • converted with hcl2json

Policy Evaluation Engine Selection

tfsec / trivy

The tfsec CLI can load custom checks written in Rego.
The original post applies a simple Rego check to an S3 bucket definition; the JSON document that tfsec hands to custom checks can be inspected with:
tfsec --print-rego-input | jq '.google'
Since February 2023, tfsec has been part of the trivy project, so it is better to use trivy directly going forward. According to the documentation (trivy v0.49.1), trivy also supports custom policies, and their properties can be declared in a more streamlined metadata format.

tflint

tflint has a custom plugin feature, which requires development in Go. The tflint-ruleset-opa plugin (version 0.5.0 at the time of writing) evaluates OPA Rego policies through this plugin mechanism.
Advance preparation
  1. Declare the plugin in .tflint.hcl
  2. Prepare the policy under .tflint.d/policies/, for example .tflint.d/policies/bucket.rego
  3. Check the overall directory structure
Execution
When executing, pay attention to the following environment variables:
  • TFLINT_OPA_POLICY_DIR
    • directory containing the policy files
  • TFLINT_OPA_TRACE
    • enables OPA tracing
  • TFLINT_OPA_TEST
    • OPA test mode
  • TFLINT_LOG=debug
    • shows tflint's own log together with OPA print() debug output

conftest

conftest has some advantages, such as being able to load HCL directly, and it is easier to set up and configure than tfsec or tflint.
conftest test *.tf -p policies/
In addition, conftest can directly use policies published on GitHub.
However, conftest currently offers only Rego trace output for debugging, which can make developing OPA policies difficult.
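As an added example (not code from the original post) of the safety rule from the Rego notes above and of a policy run with the conftest command above: it assumes conftest's HCL parse shape, where `resource "aws_s3_bucket" "logs" { ... }` arrives as `input.resource.aws_s3_bucket.logs` with nested blocks as arrays, and the bucket name, allow-list and tag keys are constructed.

```rego
package main

import future.keywords.in

# Buckets allowed to skip versioning (constructed allow-list).
versioning_exempt := {"tmp-scratch"}

# Unsafe form, rejected with rego_unsafe_var_error: `name` only appears
# inside the negation, so nothing ever binds it:
#   deny[msg] { not input.resource.aws_s3_bucket[name].versioning; msg := "..." }
# Safe form: bind `name` and `bucket` in a positive expression first, then
# negate a helper that receives the already-bound value.
deny[msg] {
    some name
    bucket := input.resource.aws_s3_bucket[name]
    not name in versioning_exempt
    not versioning_enabled(bucket)
    msg := sprintf("aws_s3_bucket.%s: versioning must be enabled", [name])
}

# Assumed parse shape: versioning { enabled = true } -> versioning: [{enabled: true}]
versioning_enabled(bucket) {
    bucket.versioning[_].enabled == true
}

# Tags every resource must carry for statistics (hypothetical tag keys).
required_tags := {"Owner", "CostCenter"}

deny[msg] {
    some type, blocks in input.resource
    some name, res in blocks
    tags := object.get(res, "tags", {})
    is_object(tags)  # tags given as an expression (a string) need plan JSON instead
    missing := required_tags - object.keys(tags)
    count(missing) > 0
    msg := sprintf("%s.%s: missing required tags %v", [type, name, missing])
}
```

Save it as policies/bucket.rego and run `conftest test *.tf -p policies/`; each `deny` message is reported as a failure.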

Terraform OPA integration use cases


Defining and enforcing organization-specific policies

Organization-specific policies, such as tagging for statistics, formatting for multiple environments, IAM assignment to specific resources, etc., can be flexibly enforced with OPA. These policies should be designed carefully according to the actual requirements of the organization.
For example, one policy from the original post:
All environment-specific variables are organized in a single map keyed by Terraform workspace, and the policy enforces the shape of that map.

Consistency check

In most cases you can solve consistency problems by redesigning the variable layout and combining Terraform's own validation blocks with precondition/postcondition blocks. Rego is a good fit when the conditional logic becomes complex.
For example:
A condition that spans two variables.
In addition, you can use Rego to express checks that you have so far performed by eye:
  • Are the Subnet and RouteTable settings of the AWS Network Firewall correct?
  • Do the AWS WAF rules implement the required rules?
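As an added example (not the original post's code) covering both the workspace-keyed settings map from the previous section and a condition that spans two variables: it assumes the plan is exported with `terraform show -json tfplan` and evaluated by conftest, that the variables are named `settings`, `environment` and `deletion_protection`, and that the workspace and key names are constructed.

```rego
package main

import future.keywords.in

# Assumed convention: one map variable holds per-workspace settings, e.g.
#   settings = { dev = { instance_type = "t3.micro", replicas = 1 }, prod = { ... } }
# and each Terraform workspace selects its own entry. Names are constructed.
required_workspaces := {"dev", "stg", "prod"}
required_keys := {"instance_type", "replicas"}

# In plan JSON, input variables are exposed as input.variables.<name>.value
workspace_settings := input.variables.settings.value

# Organization policy 1: the map must have an entry for every workspace.
deny[msg] {
    some ws in required_workspaces
    not workspace_settings[ws]
    msg := sprintf("var.settings has no entry for workspace %q", [ws])
}

# Organization policy 2: every entry must define the same keys, so that
# var.settings[terraform.workspace].<key> never evaluates to null.
deny[msg] {
    some ws, cfg in workspace_settings
    missing := required_keys - object.keys(cfg)
    count(missing) > 0
    msg := sprintf("var.settings[%q] is missing keys %v", [ws, missing])
}

# Consistency check across two variables. Without `default`, is_prod would be
# undefined (not false) when var.environment is absent, and a comparison such
# as `is_prod == false` would silently never match.
default is_prod = false

is_prod {
    input.variables.environment.value == "prod"
}

deny[msg] {
    is_prod
    not input.variables.deletion_protection.value == true
    msg := "deletion_protection must be true when environment is prod"
}

deny[msg] {
    is_prod
    workspace_settings.prod.replicas < 2
    msg := sprintf("prod must run at least 2 replicas, got %v", [workspace_settings.prod.replicas])
}
```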

Part of the automation flow

Using OPA merely as a JSON parser may sound like a bad idea, but beyond enforcing company-specific policies, leveraging OPA as a JSON query layer in automation is effective.
However, at this time OPA's output is of limited use for anything other than debugging and error messages, so we recommend evaluating specific compliance policies and rules within your CI flow and using only the boolean (true/false) results.
For example, the policy in the original post works as follows:
If a resource is scheduled for deletion, the policy emits an appropriate warning message prompting the user to double-check that the action is intentional.
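The deletion warning described above, as an added example that is not the post's own policy: it assumes plan JSON produced by `terraform show -json tfplan` and evaluated by conftest, and the list of stateful resource types and the `allow_destroy` variable are constructed.

```rego
package main

import future.keywords.in

# Resource types whose deletion loses data (constructed list; tune per organization).
stateful_types := {"aws_db_instance", "aws_s3_bucket", "aws_dynamodb_table"}

# In plan JSON, every entry of resource_changes carries change.actions,
# e.g. ["delete"] for a destroy or ["delete", "create"] for a replacement.
destructive_changes[rc] {
    rc := input.resource_changes[_]
    "delete" in rc.change.actions
}

# A replacement is reported as two actions; name it differently in messages.
action_label(actions) := "replaced" { count(actions) > 1 }
action_label(actions) := "destroyed" { count(actions) == 1 }

# warn: the pipeline reports it and the user confirms the intent.
warn[msg] {
    some rc in destructive_changes
    not rc.type in stateful_types
    msg := sprintf("%s will be %s - confirm this is intentional", [rc.address, action_label(rc.change.actions)])
}

# deny: stateful resources are never removed without an explicit override variable.
deny[msg] {
    some rc in destructive_changes
    rc.type in stateful_types
    not input.variables.allow_destroy.value == true
    msg := sprintf("%s (%s) would be %s; set allow_destroy=true to proceed", [rc.address, rc.type, action_label(rc.change.actions)])
}
```

conftest exits non-zero on `deny` but not on `warn` unless `--fail-on-warn` is given, which is what lets the pipeline surface the message without blocking the apply.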

Conclusion


The integration of OPA and the Rego language has great potential to make cloud infrastructure management with Terraform more efficient. However, developing Rego requires a considerable amount of effort, which is one of the barriers to adopting OPA in Terraform environments. Through this article, we hope you have understood the importance of integrating Terraform and OPA and the best practices for doing so. Currently, there are still few actual examples of Terraform and OPA integration, but future developments in this field are very promising.

SRG is looking for people to work with us. If you are interested, please contact us here.

SRG runs a podcast where we chat about the latest hot topics in IT and books. We hope you will enjoy listening to it while you work.