
Terraform module that deploys cloud-platform's OPA (Open Policy Agent) gatekeeper; supersedes https://github.com/ministryofjustice/cloud-platform-terraform-opa


cloud-platform-terraform-gatekeeper

Kubernetes native security policy enforcement, an upgrade of https://github.com/ministryofjustice/cloud-platform-terraform-opa

Usage

See the example/ subdirectory for invocation syntax.

CAVEATS:

  • the audit runs every 60 seconds by default, so it seems advisable to have it query a cache of filtered Kubernetes objects rather than hit the API each time; because of that, any kind used by a constraint template must also be added to the sync config at the end of constraints.tf
  • deleting a ConstraintTemplate that still has Constraints breaks things badly; only deleting the CRDs (which in turn removes all the constraints) unblocks things again
  • no colons (:) in the description field

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14 |
| kubectl | 1.10.0 |

Providers

| Name | Version |
|------|---------|
| helm | n/a |
| kubectl | 1.10.0 |
| kubernetes | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| helm_release.gatekeeper | resource |
| kubectl_manifest.config-sync | resource |
| kubectl_manifest.unique-ingress-constraint | resource |
| kubectl_manifest.unique-ingress-template | resource |
| kubernetes_namespace.gatekeeper | resource |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cluster_domain_name | The cluster domain used for externalDNS annotations and certmanager | any | n/a | yes |
| define_constraints | If false, only the app is deployed, no constraints | bool | true | no |
| enable_invalid_hostname_policy | Whether to enable the OPA policy for invalid hostnames | bool | false | no |

Outputs

No outputs.

Tags

Some of the inputs are tags. All infrastructure resources need to be tagged according to the MOJ technical guidance. The tags are stored as variables that you will need to fill out as part of your module.

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| application | | string | - | yes |
| business-unit | Area of the MOJ responsible for the service | string | mojdigital | yes |
| environment-name | | string | - | yes |
| infrastructure-support | The team responsible for managing the infrastructure. Should be of the form team-email | string | - | yes |
| is-production | | string | false | yes |
| team_name | | string | - | yes |
| sqs_name | | string | - | yes |

Reading Material

  • What is OPA Gatekeeper?
  • OPA Gatekeeper Library