opa-policies v1.0.1
Rego policies for use with Open Policy Agent (OPA) / Regula.
Using these policies
Sparse-clone into your project folder locally
cd into your project folder and issue:

    git clone --depth 1 --filter=blob:none --sparse https://github.com/jupiterone/opa-policies && \
    cd opa-policies && \
    git sparse-checkout set policy-terraform

The --depth 1 and --filter=blob:none options on git clone ensure that minimal
commit history and blob data are downloaded, and the git sparse-checkout set
command ensures that only the files in the policy-terraform directory are
checked out and present locally.
Install via NPM
These policies are also distributed as a private NPM module: npm install @jupiterone/opa-policies.
Running Regula locally
To test these custom Regula policies against your local project, you'll first need to install Regula or use its Docker image.

Next, perform a manual plan with:

    jupiterone-manual-deploy -a plan -t jupiterone-dev

This will create a work/terraform dir with your built TF HCL files, as well as
a full JSON-format plan at work/tfplan.json. Both of these inputs can be
scanned with Regula, though the full plan is definitive, since it contains the
values Terraform actually resolved rather than the raw HCL. From the root of
your project, issue:

    regula run --no-built-ins --include opa-policies work

Regula runs against most structured inputs and will recurse through
directories, applying the appropriate rulesets to each. The --no-built-ins
flag disables Regula's default policy set, which otherwise tests against the
CIS benchmarks, so only the rules loaded via --include are evaluated.
Developing Regula policy rules
Each policy bundle that must be evaluable on its own should live in a
top-level directory of this project prefixed with policy-. For Regula to
evaluate a policy, each rule must be uniquely namespaced within the rules
package, e.g. package rules.<identifier>; two rules sharing a package would
collide when the bundles are loaded together.
Policy bundles should ship Rego unit tests that pass via regula test.
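As an added illustration, not code from the jupiterone/opa-policies repository, the following shows the shape a Regula "simple rule" and its unit test take when they follow the conventions above. The rule id CUSTOM_0001, the file names, and the aws_s3_bucket check are assumptions chosen for the example; the test inputs are constructed here to mimic the fields Terraform emits for that resource. The two sections are separate files (Rego permits one package per file), both placed under the bundle directory so that regula test policy-terraform picks them up. The syntax is the OPA 0.x style that Regula bundles (no `if`/`contains` keywords).

```rego
# --- policy-terraform/s3_bucket_versioning.rego (assumed file name)
# Regula "simple rule": resource_type selects which resources the rule
# applies to, and `input` is one such resource taken from the Terraform plan.
# The package name is the unique namespace Regula requires under rules.*.
package rules.s3_bucket_versioning

__rego__metadoc__ := {
  "id": "CUSTOM_0001",  # assumed identifier, not one used by the project
  "title": "S3 buckets must have versioning enabled",
  "description": "Versioning protects objects from accidental deletion or overwrite.",
  "custom": {"severity": "Medium"}
}

resource_type := "aws_s3_bucket"

default allow = false

# Terraform renders the `versioning` block as a list of objects in the plan,
# so the rule passes when any element has enabled == true. A bucket with no
# versioning block at all falls through to the default and is denied.
allow {
  input.versioning[_].enabled == true
}

# --- policy-terraform/s3_bucket_versioning_test.rego (assumed file name)
# Unit tests discovered by `regula test policy-terraform`. The inputs below are
# constructed for this example in the shape Terraform gives an aws_s3_bucket.
package tests.rules.s3_bucket_versioning

import data.rules.s3_bucket_versioning as rule

test_versioning_enabled_allows {
  rule.allow with input as {
    "bucket": "example-versioned",
    "versioning": [{"enabled": true, "mfa_delete": false}]
  }
}

test_versioning_disabled_denies {
  not rule.allow with input as {
    "bucket": "example-unversioned",
    "versioning": [{"enabled": false, "mfa_delete": false}]
  }
}

test_missing_versioning_block_denies {
  not rule.allow with input as {"bucket": "example-bare"}
}
```

The third test is the one worth keeping in every allow-style rule: because `default allow = false` is what denies a resource that lacks the attribute entirely, a rule written without the default would silently produce no result for such resources instead of a failure.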
Additional Resources