| Name | Description | Severity |
|---|---|---|
| API gateway integration URI | Checks that the URI is in the correct format when the API gateway integration has a type of AWS, AWS_PROXY, HTTP, or HTTP_PROXY | DENY |
| CloudWatch log metric pattern | Checks that the CloudWatch log metric filter pattern is valid | WARN |
| Container name spaces | Checks whether ECS container definitions have a name containing spaces | DENY |
| Container definition trailing commas | Checks whether ECS container definitions contain trailing commas | DENY |
| Invalid effect | IAM policy Effect is only Approve or Deny | DENY |
| Lambda VPC ENI permission | A Lambda attached to a VPC is missing the permissions to manage an ENI | DENY |
| Postgres DB password | Postgres DB password is: | DENY |
| Postgres DB username | Postgres DB username is: | DENY |
| Postgres DB name | Postgres DB name is: | DENY |
| Security group invalid ports | Deny if the protocol is set to -1 but the port range is not set to 0 | DENY |
| Tagging | All resources that allow tags have a CostCentre and a Terraform tag | WARN |
| Unscoped IAM service roles | All IAM policies that have a service user as the Principal should have a condition limiting access to the account (sts:AssumeRole actions are excepted) | WARN |
| Unsupported Lambda runtime | Checks whether the Lambda runtime is unsupported | DENY |
| WAF duplicate priorities | Checks whether the WAF rules have duplicate priorities | DENY |
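The "Security group invalid ports" row describes the shape of one of these checks: a rule with protocol `-1` (all protocols) must use the port range 0-0, and anything else is denied. The following Rego policy is an added illustration of how such a check is expressed for conftest; it is not the project's own policy code. It assumes the plan has been converted to JSON with `terraform show -json tf.plan` (conftest reads the JSON form, not the binary `tf.plan`), that the resource type is `aws_security_group` with inline `ingress`/`egress` blocks, and that the OPA build in use understands `import rego.v1` (OPA 0.59 or newer). Resource names in the message and the helper `bad_port_range` are constructed for this example.

```rego
package main

import rego.v1

# Constructed helper (not from the page): a rule that allows all protocols (-1)
# must use the 0-0 port range. AWS rejects anything else at apply time, so the
# plan-time check surfaces the mistake before a broken apply.
bad_port_range(rule) if {
	rule.protocol == "-1"
	rule.from_port != 0
}

bad_port_range(rule) if {
	rule.protocol == "-1"
	rule.to_port != 0
}

# Walk every security group in the Terraform plan JSON and deny any
# ingress or egress rule that fails the check above. For resources that
# are being destroyed, change.after is null, so the lookup is undefined
# and no finding is produced for them.
deny contains msg if {
	rc := input.resource_changes[_]
	rc.type == "aws_security_group"
	some kind in {"ingress", "egress"}
	rule := rc.change.after[kind][_]
	bad_port_range(rule)
	msg := sprintf(
		"%s: %s rule uses protocol -1 with port range %v-%v; it must be 0-0",
		[rc.address, kind, rule.from_port, rule.to_port],
	)
}
```

Because conftest treats every `deny` result in the `main` package as a failure and every `warn` result as a warning, the DENY/WARN severities in the table above map directly onto which of those two rule names a check populates; a WARN-level check such as tagging would use `warn contains msg if { ... }` with the same traversal of `input.resource_changes`.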
Run the following command to run the OPA tests:

```shell
make test
```

Run the following command to generate tf.plan to run against the test environment:

```shell
make generate-plan
```

Run the following command to run conftest against an example tf.plan:

```shell
make test-plan
```