
hashicorp / Terraform Foundational Policies Library

Licence: mpl-2.0
Sentinel is a language and framework for policy built to be embedded in existing software to enable fine-grained, logic-based policy decisions. This repository contains a library of Sentinel policies, developed by HashiCorp, that can be consumed directly within the Terraform Cloud platform.


Terraform Foundational Policies Library

This repository contains a library of policies that can be used within Terraform Cloud to accelerate your adoption of policy as code. To learn more about the Sentinel language and framework, please review the Sentinel documentation.

Prerequisites

Before you start adopting some of the policies within this library, it is recommended that you do the following:

  1. Install the Sentinel CLI. The CLI is an excellent tool for familiarizing yourself with the internals of Sentinel and allows you to apply and test policies outside of the Terraform platform. You can find more information related to the Sentinel CLI in the Enforce Policy with Sentinel learning track.

  2. Enable the Governance and Policy Plan in Terraform Cloud.

  3. Have access to a supported version control system (VCS) provider.

NOTE: The Governance and Policy Plan is a paid plan in Terraform Cloud. You can learn more about changing your payment plan by reviewing the Changing Your Payment Plan sections in the Terraform Cloud documentation.


Documentation

The file and directory structure within this repository has been designed around a descriptive ROOT directory that contains all policies related to a given standard. As an example, all policies for the Center for Internet Security (CIS) Benchmarks are located within the cis directory. Policies are then broken down by cloud service provider (AWS, Azure and GCP) and categorized by cloud service (e.g. Compute, Databases, Networking).

.
└── ROOT
    └── CLOUD
       └── CATEGORY
           └── POLICY
               └── ...

All CATEGORY related directories contain a single README.md that details all information that is required to assess and enforce a policy in Terraform Cloud. This information includes:

  • Policy name
  • Description of the controls that are evaluated
  • The Policy Set configuration that needs to be added to the sentinel.hcl file.

Note: You can find a full list of all available policies in the Policy Guides section.


Setup & Integration

Before you can use any of the policies within this library, you will need to configure Terraform Cloud. The following sections detail the high-level steps required to deploy a policy from the foundational policies library. The Enforce Policy with Sentinel learning track covers the end-to-end process in greater detail. If this is the first time you are setting up a Sentinel policy, we encourage you to familiarize yourself with this track prior to continuing further.

Version Control System (VCS)

Terraform Cloud provides first-class support for VCS integration. This allows VCS repositories to contain all of the policies and configuration needed to manage Sentinel policy at scale. Integrating with VCS is as simple as:

  1. Connect a VCS Provider to Terraform Cloud
  2. Create a repository in your VCS provider that will be used as the source of your Policy Set configuration
  3. Clone the source repository to a local directory

Policy Set Configuration

Once the VCS is integrated with Terraform Cloud, start to configure your Terraform Policy Set as follows:

  1. Identify a policy from the foundational policies library that should be enforced on a Terraform Cloud workspace.
  2. Review the policy documentation and copy the configuration snippet for the policy of choice.
  3. Create a sentinel.hcl configuration file within the local directory for your repository.
  4. Edit the contents of sentinel.hcl by pasting the configuration snippet into the body of the configuration file.
  5. Commit your changes to your local repository and then use the git push command to upload the changes to your remote repository.

Example Snippet

policy "gcp-cis-7.1-kubernetes-ensure-stackdriver-logging-is-set-to-enabled-on-kubernetes-engine-clusters" {
   source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/gcp/kubernetes/gcp-cis-7.1-kubernetes-ensure-stackdriver-logging-is-set-to-enabled-on-kubernetes-engine-clusters/gcp-cis-7.1-kubernetes-ensure-stackdriver-logging-is-set-to-enabled-on-kubernetes-engine-clusters.sentinel"
   enforcement_level = "advisory"
}

policy "gcp-cis-7.2-kubernetes-ensure-stackdriver-monitoring-is-set-to-enabled-on-kubernetes-engine-clusters" {
   source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/gcp/kubernetes/gcp-cis-7.2-kubernetes-ensure-stackdriver-monitoring-is-set-to-enabled-on-kubernetes-engine-clusters/gcp-cis-7.2-kubernetes-ensure-stackdriver-monitoring-is-set-to-enabled-on-kubernetes-engine-clusters.sentinel"
   enforcement_level = "advisory"
}

policy "gcp-cis-7.3-kubernetes-ensure-legacy-authorization-is-set-to-disabled-on-kubernetes-engine-clusters" {
   source = "https://raw.githubusercontent.com/hashicorp/terraform-foundational-policies-library/master/cis/gcp/kubernetes/gcp-cis-7.3-kubernetes-ensure-legacy-authorization-is-set-to-disabled-on-kubernetes-engine-clusters/gcp-cis-7.3-kubernetes-ensure-legacy-authorization-is-set-to-disabled-on-kubernetes-engine-clusters.sentinel"
   enforcement_level = "advisory"
}

...
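The source URLs in the snippet above point at Sentinel policy files. The policy below is an added example written for this page, not a file from the library, to show the shape such a check takes against the tfplan/v2 import: it flags every google_container_cluster that the plan will create or update without cluster logging enabled, which is the control the first snippet above is named after. The logging_service attribute and the values treated as "enabled" are assumptions taken from the Google provider's resource schema, not from the library's own implementation.

```sentinel
# Added example policy (not part of the library). Checks that every GKE
# cluster created or updated by the plan has cluster logging enabled.
import "tfplan/v2" as tfplan

# Assumption: these are the google provider values for logging_service that
# mean logging is on; anything else (including "none") is treated as disabled.
allowed_logging_services = ["logging.googleapis.com/kubernetes", "logging.googleapis.com"]

# Evaluate only managed resources the plan will create or update; resources
# being destroyed or left unchanged cannot introduce a new violation.
gke_clusters = filter tfplan.resource_changes as _, rc {
  rc.type is "google_container_cluster" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update")
}

# A cluster violates the control when logging_service is missing from the
# planned "after" state or set to a value outside the allowed list. The
# "else" operator turns an undefined attribute into "none" so the comparison
# is always a boolean.
violating_clusters = filter gke_clusters as _, rc {
  (rc.change.after.logging_service else "none") not in allowed_logging_services
}

# Print each offending address so the run page shows what to fix.
print_violations = func(violations) {
  for violations as address, _ {
    print("Cluster", address, "does not have cluster logging enabled")
  }
  return true
}

# The policy passes only when no violating cluster remains in the plan.
main = rule {
  print_violations(violating_clusters) and
  length(violating_clusters) is 0
}
```

Two practical notes. First, a value that Terraform cannot know until apply time is reported under rc.change.after_unknown rather than rc.change.after, so a policy written like this one fails closed for such attributes; decide deliberately whether that is the behaviour you want. Second, the enforcement_level of "advisory" used throughout the snippet only logs a failure and never blocks a run; use "soft-mandatory" (overridable by an organization owner) or "hard-mandatory" once you want the control to actually stop an apply. The Sentinel CLI from the Prerequisites section can evaluate a policy like this locally with sentinel apply, given a sentinel.hcl that declares a mock for the tfplan/v2 import; Terraform Cloud can generate that mock data from an existing run. Note also that the snippet's source URLs reference the master branch, so the policy content can change underneath you without any change in your own repository; referencing a specific commit in the raw URL instead gives you a reviewable, pinned policy set.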

Policy Set Management

Now that the Policy Set is configured, it is time to enforce this configuration on a Terraform Cloud workspace. This is achieved by:

  1. Browse to your Terraform Cloud organization settings

[image: policy-sets-navigate-1]

  2. Browse to the Policy Sets settings

[image: policy-sets-navigate-2]

  3. Connect a new Policy Set

[image: policy-sets-navigate-3]

  4. Configure the Policy Set settings (i.e. name, source, path, branch and workspace scope) and apply the settings

[image: policy-sets-create]

To test the configuration, navigate to the target workspace and queue a new plan. A policy check phase should now appear in the run details; the newly created policy executes there and reports the result of the policy evaluation (i.e. Pass or Fail).

The image below shows the output of an example policy evaluation:

[image: policy-sets-run]


Policy Guides

Center for Internet Security (CIS)


Useful Resources
