Compliance as Code with terraform-compliance

Compliance as Code
Emre Erkunt
terraform-compliance

> cat who_is_this_person.tf
resource “human_person” “me” {
name = “Emre Erkunt”
interests {
professional = [“DevOps”, “DevSecOps”, “Security”, “Automation”]
personal = [“Astrophotography”, “Aikido”, “Guitar”, “Apnea Diving”, “Gaming”]
}
recent_focus = [
“terraform”, “terraform-compliance”, “aws”, “tons of aws”, “serverless”,
“pipelines”, “cultural change”, “new ways of working”, “agile”, “#nobuzzwords”
]
twitter = “@3rkunt”
linkedin = “only person with this name and surname”
}
Compliance as Code terraform-compliance.com

> prediction
Your main problem is not about testing terraform.

Infrastructure as Code :
What is was ;
A codified way of defining tasks that is required to perform CRUD operations in an IT Environment.
What it is now ;
A codified way of defining the latest state on target IT environment. Mostly used in for Cloud Environments.
Critical Requirement for both is IDEMPOTENCY and ideally IMMUTABILITY.
> terraform init
“ “
“ “

Brilliant API Client that focus on desired state and has its own conﬁguration language, HCL/HCL2.
Lots of providers actively maintained. Tons of modules that can be used from the registry.
Solid state management
.. and most importantly ;
> terraform init

What is Compliance as Code ?
A codiﬁed way of deﬁning compliance policies.
> terraform-compliance -h
“ “

What is Compliance as Code ?
A codified way of defining compliance policies.
Requirements :
. A common language that defines the policy
. A language that defines the tests ( might be same with the policy )
. Ability to answer: What are we testing here ?
. Ability to answer: Why are we testing this ?
> terraform-compliance -h
“ “

> terraform plan -out plan.out
Implementation terraform plan terraform-compliance terraform apply
terraform plan -detailed-exitcode

> terraform-compliance ?
. Based on Behaviour Driven Development. Why ?
. All interpolations and modules are supported. Why is this important ?
. Drilling down, just like another BDD step.
. Resource mounting are supported. Why is this important ?
. Can perform complex Security Group calculations.
. Mostly focused on negative testing. What is negative testing ?
. Filtering.
. Can be assumed as a free version of HashiCorp Sentinel. Really ?
. Runs in everywhere that can run Python or Docker.
. Needs PRs, Feature Requests, Bug Reporting and love just like every Open Source Project.

> Behaviour Driven Development
. A branch of Test Driven Development/TDD
. Focus on end-to-end results, functional tests
. Features > Scenarios > Steps, Gherkin/Cucumber language
. Simple sentences with shared vocabulary while every step has a test code under the hood
. GIVEN, WHEN, THEN and AND
. Possible to translate the same tests as UAT, since every Scenario/Feature can be a Story/Task
. Usually takes longer time to run compared with Unit Tests

> terraform-compliance tests
. Not an integration test, but still a functional test
. Runs against plan, and runs super-fast
. Same language structure like other BDD tests
. Can live in a separate git repository (strongly recommended!)
. Has its own - but quite universal - vocabulary for steps, e.g. ;
Scenario: Ensure all resources have tags
Given I have resource that supports tags defined
Then it must contain tags
And its value must not be null

> terraform-compliance tests

> terraform-compliance tests: GIVEN
. Deﬁnes the initial picture
. Every scenario has a GIVEN step
. Works as a ﬁltering function
. Will SKIP the next steps if there is no match, so no failure if nothing is found
. Recommended to use terraform references instead of templated entities
. You can use it against resource(s), provider(s), data(s), variable(s) or output(s)
Given I have aws_s3_bucket defined

> terraform-compliance tests: GIVEN
. Deﬁnes the initial picture
. Every scenario has a GIVEN step
. Works as a ﬁltering function
. Will SKIP the next steps if there is no match, so no failure if nothing is found
. Recommended to use terraform references instead of templated entities
. You can use it against resource(s), provider(s), data(s), variable(s) or output(s)
Given I have aws_s3_bucket defined
resource “aws_s3_bucket” “some_bucket” {
bucket = “my-super-unique-bucket-name”
tags = {
cost_center = “0135134”
environment = “dev”
}
}

> terraform-compliance tests: WHEN
. Works as a ﬁltering function (mostly), deﬁnes the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we only allow a port range for ingress rule
Given I have aws_security_group defined
When it contains ingress
Then it must only have tcp protocol and port 22 for 0.0.0.0/0

resource “aws_security_group” “some_group” {
name = “allow_ssh_publicly_because_we_are_just_crazy”
ingress {
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
}
}

resource “aws_security_group_rule” “port_22_to_public” {
type = “ingress”
from_port = 22
to_port = 22
cidr_blocks = [“0.0.0.0/0”]
security_group_id = aws_security_group.some_group.id
}

Scenario: Ensure there is always 2 network_interfaces attached to instances
Given I have aws_instance defined
When it contains network_interface
And I count them
Then I expect the result is equal to 1

Scenario: Ensure there is always 2 network_interfaces attached to instances
Given I have aws_instance defined
When it contains network_interface
And I count them
Then I expect the result is equal to 1
resource “aws_instance” “monero_miner” {
ami = “ami-6d1c2007”
instance_type = “t2.micro”
network_interface {
device_index = “1”
network_interface_id = “eth0”
}
}

Scenario: Ensure we are using encryption on ALBs via ACM
Given I have aws_elb defined
When it contains listener
Then it must contain ssl_certificate_id
And its value must match the “.*acm.*” regex

resource “aws_elb” “bar” {
name = “foo”
...
listener {
...
}
}

> terraform-compliance tests: THEN
. Deﬁnes the matching criteria. Decision making step.
. FAILS if it not pass.

resource “aws_elb” “bar” {
name = “foo”
listener {
instance_port = 8000
...
ssl_certificate_id = “arn:aws:iam::123456789012:server-certificate/certName”
}
}

resource “aws_security_group_rule” “port_22_to_public” {
type = “ingress”
from_port = 22
to_port = 22
cidr_blocks = [“0.0.0.0/0”]
security_group_id = aws_security_group.some_group.id
}

> Workﬂow Examples

...
Scenario: Image scan to be enabled on push.
Given I have aws_ecr_repository defined
Then it must contain image_scanning_configuration
And scan_on_push must be enabled
Failure: Resource aws_ecr_repository.repo does not have scan_on_push property enabled
(scan_on_push=None)
[Container] 2020/02/13 11:48:40 Phase complete: BUILD State: FAILED

Created a PR
Get peer review
approvals
CI failed due to
compliance test failures
Security Team already introduced
new compliance checks
Read the logs, understand
what failed
Fix compliance problems
CI Pass
Merge to masterCD runs without a failureGet ﬁnal notiﬁcation
Δt = ~15 minutes

Why it was important ?
. No retrospective checks.
. Feedback loop is near-instant while keeping segregation of duties.
. No complicated troubleshooting, problem was described in plain language.
. The PR was not about the failure, it was due to something created before.
. Nothing was deployed till it is ﬁxed.
. Keep it green.

What do you need to achieve this workﬂow ?
. Trunk Based Development, please do not use GitFlow.
. Small incremental changes, instead of huge PRs. ( or worse having a release branch ... )
. Everybody is hands-on. Engineers (including Security) is the Governance.
. Engineers are the decision makers.
. Keep It Simple Stupid.
. VERY IMPORTANT: Good repositories structure.
. You build it, you run it
. #nobuzzwords

> prediction
Your main problem is not about testing terraform, right ?

> terraform apply

Compliance as Code with terraform-compliance

More Related Content

Similar to Compliance as Code with terraform-compliance (20)

Recently uploaded (20)

Compliance as Code with terraform-compliance