OPA
This plugin allows you to check your Terraform code against security policies that you define. OPA (Open Policy Agent) is a policy-based control for cloud native environments.

Configuration options
Name: the Brainboard field that describes what this task is about.
Policy: the content of your policy, in rego format. The content shown here is just an example; see the examples below.
Extra environment variables: variables you define here are exported as environment variables in the execution shell.
Ignore failure: if enabled, the execution of the following stage is triggered even if this task fails.
Require approval: this task will not be executed until it has been approved by the people added to the approvers' list. The task remains blocked until all approvers in the list approve it. When enabled, it allows you to add approvers to the list. Each approver has to be a Brainboard user.
Decision: the decision you want the check to be evaluated against, in the format package_name/decision (the rule named decision in the Rego package package_name). In this example, we want to fail the pipeline if the resources don't contain the tags in the list, so the decision is brainboard/deny.
Sample output

Examples
Naming convention
package brainboard

# Storage account names must start with "bb".
deny contains msg if {
    r := input.resource_changes[_]
    r.type == "azurerm_storage_account"
    # Skip destroyed resources: their "after" state is null and has no name,
    # which would otherwise produce a false "must start with bb" violation.
    r.change.after != null
    not startswith(r.change.after.name, "bb")
    msg := sprintf("%v must start with bb", [r.address])
}

# Resource group names must start with "bb-".
deny contains msg if {
    r := input.resource_changes[_]
    r.type == "azurerm_resource_group"
    r.change.after != null
    not startswith(r.change.after.name, "bb-")
    msg := sprintf("%v must start with bb-", [r.address])
}
Decision: brainboard/deny
Mandatory tags
package brainboard

required_tags := ["Environment", "Owner"]

# Emits one message per resource per missing tag. Destroyed resources are
# skipped (their "after" state is null). Resource types that have no tags
# attribute at all are still reported; add an r.type filter if your plan
# contains such resources.
deny contains msg if {
    r := input.resource_changes[_]
    r.change.after != null
    missing_tags := {tag | tag := required_tags[_]; not r.change.after.tags[tag]}
    msg := sprintf("Resource is missing required tags: %v (%v)", [r.address, missing_tags[_]])
}
Decision: brainboard/deny
Unrestricted ingress for AWS Security Group
package brainboard

# Flags any resource whose in-line ingress blocks (aws_security_group) allow
# traffic from the whole IPv4 Internet.
deny contains msg if {
    r := input.resource_changes[_]
    r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
    msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address])
}
Decision: brainboard/deny
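The Decision field brainboard/deny resolves to the rule deny in package brainboard (data.brainboard.deny in OPA terms), so the pipeline fails whenever that set is non-empty. Before wiring the task into a pipeline, you can check what the three example policies above will report by running them with opa test. The module below is an added example, not part of Brainboard's documentation or plugin: the plan fragments plan_ok and plan_bad are constructed to mirror the resource_changes shape of terraform show -json, and the resource addresses, names and tag values in them are made up. Save it next to the three policy files and run opa test -v . in that directory.

```rego
package brainboard_test

import rego.v1

import data.brainboard.deny

# Constructed plan fragment: one compliant resource (name prefix and both
# mandatory tags present). Not a real plan.
plan_ok := {"resource_changes": [{
	"address": "azurerm_resource_group.main",
	"type": "azurerm_resource_group",
	"change": {
		"actions": ["create"],
		"after": {"name": "bb-prod", "tags": {"Environment": "prod", "Owner": "platform"}}
	}
}]}

# Constructed plan fragment that violates all three example policies:
# a storage account with the wrong name prefix and a missing Owner tag,
# and a security group open to 0.0.0.0/0.
plan_bad := {"resource_changes": [
	{
		"address": "azurerm_storage_account.logs",
		"type": "azurerm_storage_account",
		"change": {
			"actions": ["create"],
			"after": {"name": "logsacct", "tags": {"Environment": "prod"}}
		}
	},
	{
		"address": "aws_security_group.web",
		"type": "aws_security_group",
		"change": {
			"actions": ["create"],
			"after": {
				"tags": {"Environment": "prod", "Owner": "web"},
				"ingress": [{"from_port": 80, "to_port": 80, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]
			}
		}
	}
]}

# A compliant plan must produce an empty deny set, i.e. the task passes.
test_compliant_plan_has_no_denials if {
	count(deny) == 0 with input as plan_ok
}

# Naming convention: the storage account name does not start with "bb".
test_storage_account_name_prefix if {
	"azurerm_storage_account.logs must start with bb" in deny with input as plan_bad
}

# Mandatory tags: only Owner is missing, so exactly that tag is reported.
test_missing_owner_tag if {
	"Resource is missing required tags: azurerm_storage_account.logs (Owner)" in deny with input as plan_bad
}

# Unrestricted ingress: the 0.0.0.0/0 CIDR block is flagged by address.
test_open_ingress if {
	"aws_security_group.web has 0.0.0.0/0 as allowed ingress" in deny with input as plan_bad
}
```

The three policy files all declare package brainboard and extend the same deny set, so loading them together is what the pipeline does as well; to see the exact messages the task would print for a real plan, run terraform show -json plan.out > plan.json and then opa eval -f pretty -i plan.json -d . "data.brainboard.deny".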