Name | Description | Severity |
---|---|---|
API gateway integration URI | Checks that the integration URI is in the correct format when the API Gateway integration type is `AWS`, `AWS_PROXY`, `HTTP` or `HTTP_PROXY` | DENY |
CloudWatch log metric pattern | Checks that the CloudWatch log metric filter pattern is valid | WARN |
Container name spaces | Checks whether any ECS container definition has a name containing spaces | DENY |
Container definition trailing commas | Checks whether any ECS container definition JSON contains trailing commas | DENY |
Invalid effect | IAM policy `Effect` must be `Allow` or `Deny` | DENY |
Lambda VPC ENI permission | A Lambda function attached to a VPC is missing the permissions to manage an ENI | DENY |
Postgres DB password | Postgres DB password is: | DENY |
Postgres DB username | Postgres DB username is: | DENY |
Postgres DB name | Postgres DB name is: | DENY |
Security group invalid ports | Denies if a security group rule's protocol is `-1` (all traffic) but its port range is not `0` to `0` | DENY |
Tagging | All resources that support tags carry a `CostCentre` and a `Terraform` tag | WARN |
Unscoped IAM service roles | All IAM policies whose `Principal` is a service should have a condition limiting access to the account (`sts:AssumeRole` actions are excepted) | WARN |
Unsupported Lambda runtime | Checks whether the Lambda runtime is unsupported | DENY |
WAF duplicate priorities | Checks whether WAF rules have duplicate priorities | DENY |
Run the OPA unit tests for the policies:

```
make test
```

Generate a `tf.plan` from the test environment to run the policies against:

```
make generate-plan
```

Run conftest against the example `tf.plan`:

```
make test-plan
```
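The following is an added example of what one of the table's checks looks like as a conftest policy; it is not one of this repository's own policies. It implements "Security group invalid ports" against the JSON form of a plan (`terraform show -json tf.plan > tf.plan.json`, then `conftest test tf.plan.json`), uses the `rego.v1` syntax (OPA 0.59 or later, and the default in OPA 1.x), and carries its own `opa test` cases built on constructed plan fragments rather than real plan output. The rule and test names are hypothetical.

```rego
# Added example, not part of this repository's policies: a conftest/OPA version of
# the "Security group invalid ports" check. Input is the JSON form of a Terraform plan
# (`terraform show -json tf.plan`), whose resources live under input.resource_changes.
package main

import rego.v1

# Every ingress/egress rule of an aws_security_group the plan creates or updates,
# paired with the resource address and direction so the deny message can name it.
# Deleted resources have change.after == null, which simply yields no rules.
sg_rule contains [rc.address, dir, rule] if {
	some rc in input.resource_changes
	rc.type == "aws_security_group"
	some dir in {"ingress", "egress"}
	some rule in rc.change.after[dir]
}

# AWS rejects protocol -1 ("all traffic") unless from_port and to_port are both 0,
# so the apply would fail; catching it in the plan is the point of the check.
invalid_all_traffic(rule) if {
	rule.protocol == "-1"
	rule.from_port != 0
}

invalid_all_traffic(rule) if {
	rule.protocol == "-1"
	rule.to_port != 0
}

deny contains msg if {
	some item in sg_rule
	[addr, dir, rule] := item
	invalid_all_traffic(rule)
	msg := sprintf("%s: %s rule uses protocol -1 (all traffic) but port range %v-%v is not 0-0", [addr, dir, rule.from_port, rule.to_port])
}

# Constructed plan fragments for `opa test`, not real plan output.
plan_bad := {"resource_changes": [{
	"address": "aws_security_group.web",
	"type": "aws_security_group",
	"change": {"actions": ["create"], "after": {
		"ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443}],
		"egress": [{"protocol": "-1", "from_port": 0, "to_port": 65535}]
	}}
}]}

plan_ok := {"resource_changes": [
	{
		"address": "aws_security_group.web",
		"type": "aws_security_group",
		"change": {"actions": ["create"], "after": {
			"ingress": [{"protocol": "tcp", "from_port": 443, "to_port": 443}],
			"egress": [{"protocol": "-1", "from_port": 0, "to_port": 0}]
		}}
	},
	{
		"address": "aws_security_group.old",
		"type": "aws_security_group",
		"change": {"actions": ["delete"], "after": null}
	}
]}

test_all_traffic_with_port_range_is_denied if {
	count(deny) == 1 with input as plan_bad
}

test_valid_and_deleted_groups_pass if {
	count(deny) == 0 with input as plan_ok
}
```

Save it as a `.rego` file in the policy directory: `opa test .` runs the two embedded tests (the equivalent of `make test` above), and `conftest test tf.plan.json` evaluates `deny` against a real plan. The delete case is in the tests deliberately: a plan that removes a security group has `change.after` set to `null`, and a policy that indexes into `after` without tolerating that will report nothing useful or error out on the first teardown plan it sees.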