OPA


Last updated 4 months ago


This plugin checks your Terraform code against security policies that you define yourself, written in OPA's Rego language and evaluated against the Terraform plan.

OPA (Open Policy Agent) is a policy-based control for cloud native environments.

Configuration options

  1. Policy: the content of the rego file that contains your policy.

  2. Version: always points to the latest version.

  3. Decision: the path of the rule whose result is evaluated, written as package/rule (the examples below use brainboard/deny).

  4. Ignore failure: if enabled, the following stage is triggered even if this task fails.

  5. Require approval: the task is not executed until it has been approved by the people in the approvers list.

    • The task remains blocked until every approver in the list has approved it.

Sample output

Examples

Naming convention

package brainboard

# Storage accounts must be named with the "bb" prefix.
deny contains msg if {
    r := input.resource_changes[_]
    r.type == "azurerm_storage_account"
    not startswith(r.change.after.name, "bb")
    msg := sprintf("%v must start with bb", [r.address])
}

# Resource groups must be named with the "bb-" prefix.
deny contains msg if {
    r := input.resource_changes[_]
    r.type == "azurerm_resource_group"
    not startswith(r.change.after.name, "bb-")
    msg := sprintf("%v must start with bb-", [r.address])
}

Decision: brainboard/deny

Mandatory tags

package brainboard

# Every planned resource must carry each of these tag keys.
required_tags := ["Environment", "Owner"]

deny contains msg if {
    r := input.resource_changes[_]
    # Tags absent from the planned state (every tag counts as missing when `tags` is unset).
    missing_tags := {tag | tag := required_tags[_]; not r.change.after.tags[tag]}
    # One message per missing tag; no message at all when the set is empty.
    msg := sprintf("Resource is missing required tags: %v (%v)", [r.address, missing_tags[_]])
}

Decision: brainboard/deny

Unrestricted ingress for AWS Security Group

package brainboard

# Flag any ingress rule that allows the whole IPv4 address space.
deny contains msg if {
    r := input.resource_changes[_]
    r.change.after.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
    msg := sprintf("%v has 0.0.0.0/0 as allowed ingress", [r.address])
}

Decision: brainboard/deny
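To see what the three policies above actually receive and return, here is an added worked evaluation in Python. It is not Brainboard's or OPA's code: it re-implements the Rego rules over a constructed Terraform plan excerpt (the shape `terraform show -json` emits and OPA receives as `input`), so the plan structure and the edge cases become visible, in particular that a reference into a null `after` (a resource being destroyed) is undefined in Rego and therefore satisfies `not ...`. The plan excerpt, the function names and the resource names are all hypothetical.

```python
"""Reference evaluation of the OPA plugin's example policies (added illustration,
not Brainboard's or OPA's code). Mirrors the Rego semantics, including the way
undefined references behave under `not`."""
import json

# Constructed Terraform plan excerpt; only the fields the policies read are present.
SAMPLE_PLAN = json.loads(r'''
{
  "resource_changes": [
    {"address": "azurerm_storage_account.logs", "type": "azurerm_storage_account",
     "change": {"actions": ["create"],
                "after": {"name": "bblogs001",
                          "tags": {"Environment": "prod", "Owner": "platform"}}}},
    {"address": "azurerm_resource_group.main", "type": "azurerm_resource_group",
     "change": {"actions": ["create"],
                "after": {"name": "rg-main", "tags": {"Environment": "prod"}}}},
    {"address": "aws_security_group.web", "type": "aws_security_group",
     "change": {"actions": ["update"],
                "after": {"name": "web", "tags": {"Environment": "prod", "Owner": "web"},
                          "ingress": [{"from_port": 443, "cidr_blocks": ["10.0.0.0/8"]},
                                      {"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "azurerm_resource_group.old", "type": "azurerm_resource_group",
     "change": {"actions": ["delete"], "after": null}}
  ]
}
''')

REQUIRED_TAGS = ("Environment", "Owner")


def _lookup(obj, *path):
    """Walk a nested path; return None wherever Rego would be undefined
    (missing key, null, or a non-object along the way)."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def naming_convention(plan):
    """Mirror of the first policy: set of deny messages."""
    deny = set()
    for rc in plan["resource_changes"]:
        name = _lookup(rc, "change", "after", "name")
        # `not startswith(...)` is true in Rego when `name` is undefined, so a
        # resource with no planned name (e.g. a delete) is flagged as well.
        if rc["type"] == "azurerm_storage_account" and not (
                isinstance(name, str) and name.startswith("bb")):
            deny.add(f"{rc['address']} must start with bb")
        if rc["type"] == "azurerm_resource_group" and not (
                isinstance(name, str) and name.startswith("bb-")):
            deny.add(f"{rc['address']} must start with bb-")
    return deny


def mandatory_tags(plan, required=REQUIRED_TAGS):
    """Mirror of the second policy: one message per missing tag per resource."""
    deny = set()
    for rc in plan["resource_changes"]:
        tags = _lookup(rc, "change", "after", "tags")
        # `not tags[tag]` holds when `tags` is undefined (e.g. after a delete),
        # when the key is absent, or when its value is the boolean false.
        missing = {t for t in required
                   if not isinstance(tags, dict) or t not in tags or tags[t] is False}
        for tag in sorted(missing):
            deny.add(f"Resource is missing required tags: {rc['address']} ({tag})")
    return deny


def open_ingress(plan):
    """Mirror of the third policy: any ingress rule open to 0.0.0.0/0."""
    deny = set()
    for rc in plan["resource_changes"]:
        for rule in _lookup(rc, "change", "after", "ingress") or []:
            cidrs = rule.get("cidr_blocks") if isinstance(rule, dict) else None
            if "0.0.0.0/0" in (cidrs or []):
                deny.add(f"{rc['address']} has 0.0.0.0/0 as allowed ingress")
    return deny


def decision(plan):
    """What the `brainboard/deny` decision yields when all three policies share
    the package: the union of every deny rule. An empty list means the task passes."""
    return sorted(naming_convention(plan) | mandatory_tags(plan) | open_ingress(plan))


if __name__ == "__main__":
    print(json.dumps(decision(SAMPLE_PLAN), indent=2))
```

Run against the constructed plan this yields six messages: the resource group `main` fails both the `bb-` prefix and the `Owner` tag, the security group is open on port 22, and the resource group being destroyed is reported for its name and for both tags even though it will no longer exist after apply. If that last behaviour is unwanted, the Rego rules can be given a guard such as `r.change.actions[_] != "delete"` before the checks (a suggestion, not something the page's policies do).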
