-
Notifications
You must be signed in to change notification settings - Fork 17
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #172 from nirmata/add-tf-plan-policies
feat: add `ec2`, `lambda` and `rds` best practices terraform plan policies
- Loading branch information
Showing
216 changed files
with
25,438 additions
and
0 deletions.
There are no files selected for viewing
81 changes: 81 additions & 0 deletions
81
terraform/plan/ec2-best-practices/check-ec2-auto-scaling-groups/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,81 @@ | ||
| # Check EC2 Auto Scaling Groups | ||
|
|
||
| Launch Templates is a capability that enables to templatize your launch requests. Launch Templates can help simplify and streamline the launch process for Auto Scaling. Launch Templates reduce the number of steps required to create an instance by capturing all launch parameters within one resource. This makes the process easy to reproduce. Launch Templates make it easier to implement standards and best practices, helping you to better manage costs, improve your security posture, and minimize the risk of deployment errors. | ||
|
|
||
| A launch template is similar to a launch configuration, in that it specifies instance configuration information. It includes the ID of the Amazon Machine Image (AMI), the instance type, a key pair, security groups, and other parameters used to launch EC2 instances. However, defining a launch template instead of a launch configuration allows you to have multiple versions of a launch template. | ||
|
|
||
| It is recommended that you use migrate to launch templates to ensure that you're accessing the latest features and improvements. Not all Amazon EC2 Auto Scaling features are available when you use launch configurations. | ||
|
|
||
| You can read more about it from the following links: | ||
| [Auto Scaling launch templates](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-templates.html) | ||
| [Auto Scaling launch configurations](https://docs.aws.amazon.com/autoscaling/ec2/userguide/launch-configurations.html) | ||
|
|
||
| ## Policy Details: | ||
|
|
||
| - **Policy Name:** check-ec2-auto-scaling-groups | ||
| - **Check Description:** This policy ensures that EC2 Auto Scaling Groups use launch templates instead of launch configurations | ||
| - **Policy Category:** AWS EC2 Best Practices | ||
|
|
||
| ### Policy Validation Testing Instructions | ||
|
|
||
| For testing this policy you will need to: | ||
| - Make sure you have `kyverno-json` installed on the machine | ||
| - Properly authenticate with AWS | ||
|
|
||
| 1. **Initialize Terraform:** | ||
| ```bash | ||
| terraform init | ||
| ``` | ||
|
|
||
| 2. **Create Binary Terraform Plan:** | ||
| ```bash | ||
| terraform plan -out tfplan.binary | ||
| ``` | ||
|
|
||
| 3. **Convert Binary to JSON Payload:** | ||
| ```bash | ||
| terraform show -json tfplan.binary | jq > payload.json | ||
| ``` | ||
|
|
||
| 4. **Test the Policy with Kyverno:** | ||
| ``` | ||
| kyverno-json scan --payload payload.json --policy policy.yaml | ||
| ``` | ||
|
|
||
| a. **Test Policy Against Valid Payload:** | ||
| ``` | ||
| kyverno-json scan --payload test/good-test/good-payload-01.json --policy check-ec2-auto-scaling-groups.yaml --bindings test/binding.yaml | ||
| ``` | ||
|
|
||
| This produces the output: | ||
| ``` | ||
| Loading policies ... | ||
| Loading bindings ... | ||
| - analyzer -> map[resource:map[type:terraform-plan]] | ||
| Loading payload ... | ||
| Pre processing ... | ||
| Running ( evaluating 1 resource against 1 policy ) ... | ||
| - PASSED (POLICY=check-ec2-auto-scaling-groups, RULE=check-ec2-auto-scaling-groups) | ||
| Done | ||
| ``` | ||
| b. **Test Against Invalid Payload:** | ||
| ``` | ||
| kyverno-json scan --payload test/bad-test/bad-payload-01.json --policy check-ec2-auto-scaling-groups.yaml --bindings test/binding.yaml | ||
| ``` | ||
| This produces the output: | ||
| ``` | ||
| Loading policies ... | ||
| Loading bindings ... | ||
| - analyzer -> map[resource:map[type:terraform-plan]] | ||
| Loading payload ... | ||
| Pre processing ... | ||
| Running ( evaluating 1 resource against 1 policy ) ... | ||
| - FAILED (POLICY=check-ec2-auto-scaling-groups, RULE=check-ec2-auto-scaling-groups) | ||
| -> Auto Scaling Groups should use EC2 launch templates instead of launch configurations (CHECK=spec.rules[0].assert.all[0]) | ||
| -> Invalid value: true: Expected value: false (PATH=~.(planned_values.root_module.resources[?type=='aws_autoscaling_group'])[0].values.(!launch_template)) | ||
| Done | ||
| ``` | ||
| --- |
25 changes: 25 additions & 0 deletions
25
.../plan/ec2-best-practices/check-ec2-auto-scaling-groups/check-ec2-auto-scaling-groups.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| apiVersion: json.kyverno.io/v1alpha1 | ||
| kind: ValidatingPolicy | ||
| metadata: | ||
| name: check-ec2-auto-scaling-groups | ||
| annotations: | ||
| policies.kyverno.io/title: check-ec2-auto-scaling-groups | ||
| policies.kyverno.io/category: AWS EC2 Best Practices | ||
| policies.kyverno.io/severity: medium | ||
| policies.kyverno.io/description: >- | ||
| Using EC2 launch templates in EC2 Auto Scaling groups provides standardization, | ||
| simplified management, versioning, customization, integration with AWS services, enhanced security, and cost optimization benefits. | ||
| spec: | ||
| rules: | ||
| - name: check-ec2-auto-scaling-groups | ||
| match: | ||
| all: | ||
| - ($analyzer.resource.type): terraform-plan | ||
| - (planned_values.root_module.resources[?type=='aws_autoscaling_group'] | length(@) > `0`): true | ||
| assert: | ||
| all: | ||
| - message: Auto Scaling Groups should use EC2 launch templates instead of launch configurations | ||
| check: | ||
| ~.(planned_values.root_module.resources[?type=='aws_autoscaling_group']): | ||
| values: | ||
| (!launch_template): false |
27 changes: 27 additions & 0 deletions
27
terraform/plan/ec2-best-practices/check-ec2-auto-scaling-groups/test/bad-test/bad-01.tf
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,27 @@ | ||
| terraform { | ||
| required_version = ">= 1.0" | ||
|
|
||
| required_providers { | ||
| aws = { | ||
| source = "hashicorp/aws" | ||
| version = ">= 5.32" | ||
| } | ||
| } | ||
| } | ||
|
|
||
| provider "aws" { | ||
| region = "us-west-2" | ||
| } | ||
|
|
||
| resource "aws_launch_configuration" "example" { | ||
| name = "test-launch-configuration" | ||
| image_id = "ami-12345678" | ||
| instance_type = "t2.micro" | ||
| } | ||
|
|
||
| resource "aws_autoscaling_group" "example" { | ||
| max_size = 3 | ||
| min_size = 1 | ||
|
|
||
| launch_configuration = aws_launch_configuration.example.name | ||
| } |
Oops, something went wrong.