terraform-opa-simple-example is a project that shows how to build infrastructure as code that is kept compliant by policy checks on every Terraform plan.
Before you begin, ensure you have met the following requirements:
- You have installed the latest version of Terraform
- You have installed the latest version of Conftest
- You have read about Open Policy Agent and Rego.
Clone this repo into a new project folder (e.g., my-proj).
git clone https://github.com/macuartin/terraform-opa-simple-example.git my-proj
cd my-proj
Discard the .git folder.
rm -rf .git
Edit variables.tf with your AWS account_id, AWS profile, AWS region and a stack_id for your infrastructure:
stack_id = ""
account_id = ""
profile = ""
region = ""
Initialize Terraform and ask it to calculate what changes it will make, storing the plan in tfplan.binary:
terraform init
terraform plan --out tfplan.binary
Use terraform show to convert the Terraform plan into JSON so that OPA can read it:
terraform show -json tfplan.binary > tfplan.json
To evaluate the policy against that plan, give conftest the policy and the Terraform plan JSON as its input; conftest runs the deny/warn rules in the main package and exits non-zero when any of them fire.
Policies are read from a directory called policy by default, but this can be overridden with the --policy flag.
conftest test tfplan.json
conftest test tfplan.json --policy policy/main.rego
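The policy file this repo keeps in policy/main.rego is not reproduced here; the block below is an added example of what such a file can look like, not the project's own policy. It assumes the plan creates or updates aws_s3_bucket and aws_security_group resources and reads the standard resource_changes structure of terraform show -json output.

```rego
# Added example policy (not the project's policy/main.rego).
# conftest evaluates rules named deny/warn in package main
# against the plan JSON passed as input.
package main

import rego.v1

# Planned resources of a given type that are being created or updated.
# Destroyed resources have no usable "after" state, so they are skipped.
changed_resources(type) := [r |
	some r in input.resource_changes
	r.type == type
	some action in r.change.actions
	action in {"create", "update"}
]

# Deny S3 buckets whose canned ACL makes them world-readable.
deny contains msg if {
	some bucket in changed_resources("aws_s3_bucket")
	acl := bucket.change.after.acl
	acl in {"public-read", "public-read-write"}
	msg := sprintf("%s: S3 bucket ACL %q is public", [bucket.address, acl])
}

# True when an ingress rule covers the given TCP port, including
# the "all protocols" form (protocol -1, ports 0-0).
port_covered(rule, port) if {
	rule.from_port <= port
	rule.to_port >= port
}

port_covered(rule, port) if {
	rule.protocol == "-1"
}

# Deny security groups that expose SSH (22) to the whole internet.
deny contains msg if {
	some sg in changed_resources("aws_security_group")
	some rule in sg.change.after.ingress
	some cidr in rule.cidr_blocks
	cidr == "0.0.0.0/0"
	port_covered(rule, 22)
	msg := sprintf("%s: ingress from 0.0.0.0/0 covers port 22", [sg.address])
}

# Required tags are a constructed requirement for this example.
required_tags := {"Owner", "Environment"}

deny contains msg if {
	some r in changed_resources("aws_s3_bucket")
	tags := object.get(r.change.after, "tags", {})
	missing := required_tags - {k | tags[k]}
	count(missing) > 0
	msg := sprintf("%s: missing required tags %v", [r.address, missing])
}
```

Place the file under policy/ and run conftest test tfplan.json; each failing rule prints its message and the command exits non-zero, which is what makes the check usable as a CI gate.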
To contribute to <project_name>, follow these steps:
- Fork this repository.
- Create a branch:
git checkout -b <branch_name>
- Make your changes and commit them:
git commit -m '<commit_message>'
- Push to the original branch:
git push origin <project_name>/<location>
- Create the pull request.
Alternatively see the GitHub documentation on creating a pull request.
If you want to contact me you can reach me at macuartin@gmail.com.