Overview
The open source version of Terraform has become very popular, reaching more than one billion downloads, thousands of contributors and wide adoption.
In recent years the security vision has evolved from product-based solutions to one that is pervasive and also present in pipelines and code review branches, moving the relevant checks from inspections of consolidated assets to phases closer to conception.
We are now entering infrastructure as code maturity stages where organizations can inspect IaC code through policy enforcement.
Implementation
To illustrate this concept we will share aspects of HashiCorp Sentinel and Bridgecrew.
Sentinel has a built-in integration with HashiCorp products, one of them Terraform.
Characteristics:
- Extensible policy language
- Custom data sources
- Wide integration with HashiCorp products
Sentinel protection policies must be created. HashiCorp shares guides on how to create them per provider:
Bridgecrew also has a set of capabilities, one of them being control of security posture based on policy definitions for Infrastructure as Code written in the Terraform HCL language.
Characteristics:
- Simple to deploy: it looks like a regular Terraform resource and authorization configuration, and deploys around 26 policy objects in the GCP case.
- Has two modes:
  - static: analyses the Terraform JSON
  - dynamic: you can connect an IDE tool like Visual Studio Code and observe security violations as you write the code, prior to plan or apply.
- Easy way to deploy custom policies.
Pre-built policies:
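The static mode (analysing the Terraform plan JSON) and the Sentinel idea of a policy that passes or fails a run rest on the same mechanism: `terraform show -json tfplan` turns the plan into a document, and each policy inspects the planned `resource_changes`. The Python below is an added illustration of that mechanism, not Sentinel, Checkov or Bridgecrew code. The plan excerpt, the policy IDs `EXAMPLE_GCP_1` and `EXAMPLE_GCP_2`, and the functions `evaluate_plan` and `main_rule` are constructed for this example; the attribute/operator/value shape is a simplified stand-in for the YAML custom policies mentioned in the summary.

```python
import json

# Constructed excerpt of `terraform show -json tfplan` output, reduced to the
# resource_changes list that policies inspect. All values are made up.
PLAN_JSON = """
{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "google_storage_bucket.logs",
      "mode": "managed",
      "type": "google_storage_bucket",
      "change": {
        "actions": ["create"],
        "after": {"name": "example-logs", "location": "US",
                  "uniform_bucket_level_access": false}
      }
    },
    {
      "address": "google_compute_firewall.ssh",
      "mode": "managed",
      "type": "google_compute_firewall",
      "change": {
        "actions": ["create"],
        "after": {"name": "allow-ssh", "direction": "INGRESS",
                  "source_ranges": ["0.0.0.0/0"],
                  "allow": [{"protocol": "tcp", "ports": ["22"]}]}
      }
    },
    {
      "address": "google_storage_bucket.old",
      "mode": "managed",
      "type": "google_storage_bucket",
      "change": {
        "actions": ["delete"],
        "before": {"name": "old-logs", "uniform_bucket_level_access": false},
        "after": null
      }
    }
  ]
}
"""

# Declarative policies in a simplified attribute/operator/value shape, a
# stand-in for a YAML custom policy. The IDs are invented for this example.
POLICIES = [
    {
        "id": "EXAMPLE_GCP_1",
        "name": "GCS buckets must enable uniform bucket-level access",
        "resource_types": ["google_storage_bucket"],
        "attribute": "uniform_bucket_level_access",
        "operator": "equals",
        "value": True,
    },
    {
        "id": "EXAMPLE_GCP_2",
        "name": "Firewall rules must not accept traffic from 0.0.0.0/0",
        "resource_types": ["google_compute_firewall"],
        "attribute": "source_ranges",
        "operator": "not_contains",
        "value": "0.0.0.0/0",
    },
]


def attribute_satisfies(actual, operator, expected):
    """Evaluate one policy condition against the planned attribute value."""
    if operator == "equals":
        # A missing attribute (None) never equals the required value, so a
        # bucket that simply omits the setting fails closed.
        return actual == expected
    if operator == "not_contains":
        return expected not in (actual or [])
    raise ValueError(f"unsupported operator: {operator}")


def evaluate_plan(plan_json, policies=POLICIES):
    """Return (policy_id, resource_address) for each planned resource that
    violates a policy. Only managed resources with a post-apply state are
    checked; a deletion has nothing left to enforce."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc["change"]
        if rc.get("mode") != "managed" or change["actions"] == ["delete"]:
            continue
        after = change.get("after") or {}
        for policy in policies:
            if rc["type"] not in policy["resource_types"]:
                continue
            actual = after.get(policy["attribute"])
            if not attribute_satisfies(actual, policy["operator"], policy["value"]):
                findings.append((policy["id"], rc["address"]))
    return findings


def main_rule(plan_json, policies=POLICIES):
    """Sentinel-style verdict: the run may proceed only if no policy fails."""
    return not evaluate_plan(plan_json, policies)


if __name__ == "__main__":
    for policy_id, address in evaluate_plan(PLAN_JSON):
        print(f"FAIL {policy_id}: {address}")
    print("plan allowed:", main_rule(PLAN_JSON))
```

Run against the constructed plan, the bucket fails `EXAMPLE_GCP_1` and the firewall rule fails `EXAMPLE_GCP_2`, so the run is blocked; the deleted bucket is skipped. One caveat a real engine must handle: attributes computed only at apply time appear under `after_unknown` rather than `after`, and a policy should treat those as undecided instead of silently passing them.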
Summary
Both implementations of IaC security posture are good choices. However, depending on requirements, one tends to be more attractive:
If you have HashiCorp products, Sentinel can be an alternative;
If you use HashiCorp Terraform Enterprise, Sentinel can be an alternative;
If you look for pre-built policies and custom policies based on YAML, Bridgecrew can be an alternative.
Here is some sample code to play with to better understand: SampleGit code.
Below we have an example in Visual Studio Code, which provides a very easy way to enforce control more proactively, in early stages prior to creating the resource, using the Checkov plugin. Link for plugin install.