How to validate AWS Service belonging to an arn during terraform plan using Open Policy Agent?

```hcl
resource "aws_cloudwatch_event_target" "sns" {
  rule      = aws_cloudwatch_event_rule.console.name
  target_id = "SendToSNS"
  arn       = aws_sns_topic.aws_logins.arn
}
```
I would like to use Open Policy Agent to ensure the arn of the target above belongs to an allowed list of AWS services (like Lambda, SQS, SNS etc).
How can I verify this using OPA?
I can check if arn starts with aws::sns:: but the arn would be generated only at runtime during terraform apply and at plan time during terraform plan.
So how can I verify the arn during plan?
Solution 1:[1]
The common way of working with OPA and Terraform is to write policy that is run against the JSON representation of terraform plan (and not the .tf files themselves), so that should not be a problem:

```shell
terraform plan -out tfplan.binary
terraform show -json tfplan.binary > tfplan.json
```
You'll now have a tfplan.json that will represent the planned changes in JSON format, and will include any values resolved at the time the plan was made. You can now run e.g.

```shell
opa eval --input tfplan.json --data policy.rego data.policy.allow
```

to run the policy stored in the policy.rego file against the input provided in the Terraform plan, querying the allow rule in the policy package (as a simple example).
I wrote an introduction to using OPA for Terraform policy some time back, covering this topic and a few others useful for getting started.
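A worked policy.rego for the question's case, added here as an example (it is not the answerer's code and not part of the original post). It reads the plan JSON produced by the commands above and handles the situation the questioner worries about: when the target's `arn` points at an `aws_sns_topic` created in the same plan, the value is absent from `change.after` and flagged in `change.after_unknown`, so the policy falls back to the references recorded under `configuration.root_module.resources[].expressions.arn.references` and checks the referenced resource type instead. The allowed-service set, the resource-type-to-service map, and the restriction to root-module resources are assumptions of this example; the two `test_` rules use constructed plan fragments and run with `opa test policy.rego`.

```rego
package policy

import rego.v1

# Assumed for this example: the set of AWS services an EventBridge target may point at.
allowed_services := {"lambda", "sqs", "sns"}

# Assumed mapping from Terraform resource types to the service of the ARN they produce.
type_service := {
    "aws_sns_topic": "sns",
    "aws_sqs_queue": "sqs",
    "aws_lambda_function": "lambda"
}

# EventBridge targets that this plan will create or update.
event_targets contains rc if {
    some rc in input.resource_changes
    rc.type == "aws_cloudwatch_event_target"
    some action in rc.change.actions
    action in {"create", "update"}
}

# Service segment of an ARN: arn:partition:service:region:account:resource
arn_service(arn) := service if {
    parts := split(arn, ":")
    count(parts) >= 6
    service := parts[2]
}

arn_service_allowed(arn) if {
    service := arn_service(arn)
    allowed_services[service]
}

# Case 1: the ARN is known at plan time (a literal, or a resource that already exists).
# A malformed ARN is denied too, because arn_service is undefined for it.
deny contains msg if {
    some rc in event_targets
    arn := rc.change.after.arn
    not arn_service_allowed(arn)
    msg := sprintf("%s: target arn %q does not belong to an allowed service", [rc.address, arn])
}

# Case 2: the ARN is only known after apply (the target points at a resource created in
# this same plan), so check which resource the arn expression references in the configuration.
deny contains msg if {
    some rc in event_targets
    rc.change.after_unknown.arn == true
    not references_allowed_type(rc.address)
    msg := sprintf("%s: target arn is unknown at plan time and does not reference an allowed resource type", [rc.address])
}

# Only root-module resources are inspected here (assumption); module calls would need the same walk.
references_allowed_type(address) if {
    some res in input.configuration.root_module.resources
    res.address == address
    some ref in res.expressions.arn.references
    parts := split(ref, ".")
    service := type_service[parts[0]]
    allowed_services[service]
}

allow if count(deny) == 0

# Constructed plan fragments for `opa test`; not real terraform output.
test_known_ec2_arn_denied if {
    not allow with input as {
        "resource_changes": [{
            "address": "aws_cloudwatch_event_target.bad",
            "type": "aws_cloudwatch_event_target",
            "change": {
                "actions": ["create"],
                "after": {"arn": "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"},
                "after_unknown": {}
            }
        }],
        "configuration": {"root_module": {"resources": []}}
    }
}

test_unknown_arn_referencing_sns_topic_allowed if {
    allow with input as {
        "resource_changes": [{
            "address": "aws_cloudwatch_event_target.sns",
            "type": "aws_cloudwatch_event_target",
            "change": {"actions": ["create"], "after": {}, "after_unknown": {"arn": true}}
        }],
        "configuration": {"root_module": {"resources": [{
            "address": "aws_cloudwatch_event_target.sns",
            "expressions": {"arn": {"references": ["aws_sns_topic.aws_logins.arn", "aws_sns_topic.aws_logins"]}}
        }]}}
    }
}
```

Querying `data.policy.deny` instead of `data.policy.allow` with the `opa eval` command above returns the per-target messages, which is more useful in a CI gate than a bare boolean.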
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Devoops |
