Compliance as Code
Emre Erkunt
terraform-compliance
> cat who_is_this_person.tf
resource "human_person" "me" {
  name = "Emre Erkunt"
  interests {
    professional = ["DevOps", "DevSecOps", "Security", "Automation"]
    personal     = ["Astrophotography", "Aikido", "Guitar", "Apnea Diving", "Gaming"]
  }
  recent_focus = [
    "terraform", "terraform-compliance", "aws", "tons of aws", "serverless",
    "pipelines", "cultural change", "new ways of working", "agile", "#nobuzzwords"
  ]
  twitter  = "@3rkunt"
  linkedin = "only person with this name and surname"
}
Compliance as Code terraform-compliance.com
> prediction
Your main problem is not about testing terraform.
Infrastructure as Code :
What it was ;
A codified way of defining the tasks required to perform CRUD operations in an IT environment.
What it is now ;
A codified way of defining the desired (latest) state of a target IT environment. Mostly used for cloud environments.
The critical requirement for both is IDEMPOTENCY, and ideally IMMUTABILITY.
> terraform init
A brilliant API client that focuses on desired state and has its own configuration language, HCL/HCL2.
Lots of actively maintained providers. Tons of modules that can be used from the registry.
Solid state management.
.. and most importantly ;
> terraform-compliance -h
What is Compliance as Code ?
A codified way of defining compliance policies.
Requirements :
. A common language that defines the policy
. A language that defines the tests ( might be the same as the policy language )
. Ability to answer: What are we testing here ?
. Ability to answer: Why are we testing this ?
> terraform plan -out plan.out
Implementation: terraform plan -> terraform-compliance -> terraform apply
The plan is written to a file, terraform-compliance runs against that plan, and terraform apply runs only if the compliance run passes. Nothing is checked against the live environment; the gate sits between plan and apply.
terraform plan -detailed-exitcode makes the plan step itself pipeline-friendly: exit code 0 means no changes, 1 means an error, 2 means the plan contains changes.
> terraform-compliance ?
. Based on Behaviour Driven Development. Why ?
. All interpolations and modules are supported. Why is this important ?
. Drilling down, just like any other BDD step.
. Resource mounting is supported. Why is this important ?
. Can perform complex Security Group calculations.
. Mostly focused on negative testing. What is negative testing ?
. Filtering.
. Can be thought of as a free alternative to HashiCorp Sentinel. Really ?
. Runs anywhere that can run Python or Docker.
. Needs PRs, feature requests, bug reports and love, just like every open source project.
> Behaviour Driven Development
. An offshoot of Test Driven Development (TDD)
. Focus on end-to-end results, functional tests
. Features > Scenarios > Steps, written in the Gherkin/Cucumber language
. Simple sentences with a shared vocabulary, while every step has test code under the hood
. GIVEN, WHEN, THEN and AND
. Possible to reuse the same tests as UAT, since every Scenario/Feature can be a Story/Task
. Usually takes longer to run than unit tests
> terraform-compliance tests
. Not an integration test, but still a functional test
. Runs against the plan, and runs super-fast
. Same language structure as other BDD tests
. Can live in a separate git repository (strongly recommended! The policies are then owned and reviewed separately from the infrastructure code they gate, which is what keeps the segregation of duties intact.)
. Has its own - but quite universal - vocabulary for steps, e.g. ;
Scenario: Ensure all resources have tags
  Given I have resource that supports tags defined
  Then it must contain tags
  And its value must not be null
> terraform-compliance tests: GIVEN
. Defines the initial picture
. Every scenario has a GIVEN step
. Works as a filtering function
. Will SKIP the next steps if there is no match, so no failure if nothing is found. The flip side: a misspelled resource type or a filter that matches nothing makes the scenario pass silently, so make sure your scenarios actually select something.
. Recommended to use terraform references instead of templated entities
. You can use it against resource(s), provider(s), data(s), variable(s) or output(s)
Scenario: Ensure all resources have tags
  Given I have aws_s3_bucket defined
  Then it must contain tags
  And its value must not be null
resource "aws_s3_bucket" "some_bucket" {
  bucket = "my-super-unique-bucket-name"
  tags = {
    cost_center = "0135134"
    environment = "dev"
  }
}
> terraform-compliance tests: WHEN
. Works as a filtering function (mostly); defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we only allow a port range for ingress rule
  Given I have aws_security_group defined
  When it contains ingress
  Then it must only have tcp protocol and port 22 for 0.0.0.0/0
resource "aws_security_group" "some_group" {
  name = "allow_ssh_publicly_because_we_are_just_crazy"
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
The same scenario also covers rules defined as separate resources and attached to the group (resource mounting), so moving the rule out of the inline block does not bypass the check:
resource "aws_security_group_rule" "port_22_to_public" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["0.0.0.0/0"]
  security_group_id = aws_security_group.some_group.id
}
Scenario: Ensure there is exactly 1 network_interface attached to instances
  Given I have aws_instance defined
  When it contains network_interface
  And I count them
  Then I expect the result is equal to 1
resource "aws_instance" "monero_miner" {
  ami           = "ami-6d1c2007"
  instance_type = "t2.micro"
  network_interface {
    device_index         = 0
    network_interface_id = aws_network_interface.primary.id # hypothetical ENI resource; the original slide used the placeholder "eth0"
  }
}
Scenario: Ensure we are using encryption on ELB listeners via ACM
  Given I have aws_elb defined
  When it contains listener
  Then it must contain ssl_certificate_id
  And its value must match the ".*acm.*" regex
> terraform-compliance tests: THEN
. Defines the matching criteria. The decision-making step.
. FAILS if it does not pass.
Scenario: Ensure we are using encryption on ELB listeners via ACM
  Given I have aws_elb defined
  When it contains listener
  Then it must contain ssl_certificate_id
  And its value must match the ".*acm.*" regex
resource "aws_elb" "bar" {
  name = "foo"
  listener {
    instance_port = 8000
    ...
    ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
  }
}
This listener fails the scenario: ssl_certificate_id is present, but an IAM server certificate ARN does not match ".*acm.*", which is exactly the negative case the regex step is there to catch.
Scenario: Ensure we only allow a port range for ingress rule
  Given I have aws_security_group defined
  When it contains ingress
  Then it must only have tcp protocol and port 22 for 0.0.0.0/0
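As an added example (not terraform-compliance's own code and not from the slides), the following Python applies the GIVEN / WHEN / THEN model from the three sections above to a Terraform JSON plan: GIVEN and WHEN are filters, an empty selection SKIPS the scenario, and THEN produces failures. The plan dict is constructed inline and trimmed to what the checks read; resource addresses such as aws_security_group_rule.rdp_to_public are hypothetical. It assumes the layout of `terraform show -json` output (planned_values.root_module.resources and configuration.root_module.resources[].expressions) and ignores child_modules for brevity. It also goes one step beyond the slides by showing a rule mounted onto the security group from a separate resource and a scenario whose filter matches nothing.

```python
# Constructed sample of a Terraform JSON plan (`terraform show -json plan.out`),
# trimmed to the parts the checks below read. Resource names are hypothetical.
# Real plans also nest resources under `child_modules`; everything here sits in
# the root module for brevity.
PLAN = {
    "planned_values": {"root_module": {"resources": [
        {"address": "aws_s3_bucket.some_bucket", "type": "aws_s3_bucket",
         "values": {"tags": {"cost_center": "0135134", "environment": "dev"}}},
        {"address": "aws_s3_bucket.untagged", "type": "aws_s3_bucket",
         "values": {"tags": None}},
        {"address": "aws_security_group.some_group", "type": "aws_security_group",
         "values": {"ingress": [{"from_port": 22, "to_port": 22, "protocol": "tcp",
                                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        # A rule kept in its own resource; it is attached to some_group through the
        # reference recorded under "configuration" below (resource mounting).
        {"address": "aws_security_group_rule.rdp_to_public", "type": "aws_security_group_rule",
         "values": {"type": "ingress", "from_port": 3389, "to_port": 3389,
                    "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}},
        {"address": "aws_ecr_repository.repo", "type": "aws_ecr_repository",
         "values": {"image_scanning_configuration": []}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": "aws_security_group_rule.rdp_to_public",
         "expressions": {"security_group_id": {"references": ["aws_security_group.some_group.id",
                                                             "aws_security_group.some_group"]}}},
    ]}},
}


def given(plan, rtype):
    """GIVEN I have <rtype> defined: select the planned resources of that type."""
    return [r for r in plan["planned_values"]["root_module"]["resources"] if r["type"] == rtype]


def mounted_ingress(plan, sg_address):
    """Resource mounting: ingress aws_security_group_rule resources whose security_group_id refers to this group."""
    refs = {c["address"]: c.get("expressions", {}).get("security_group_id", {}).get("references", [])
            for c in plan["configuration"]["root_module"]["resources"]}
    return [r["values"] for r in given(plan, "aws_security_group_rule")
            if r["values"].get("type") == "ingress"
            and any(ref.startswith(sg_address) for ref in refs.get(r["address"], []))]


def run(selected, when=None, then=None):
    """Slide semantics: an empty GIVEN or WHEN selection SKIPS the scenario (no failure);
    otherwise THEN runs on every selected item and every message it returns is a failure."""
    if when is not None:
        selected = [x for x in selected if when(x)]
    if not selected:
        return "skipped", []
    failures = [msg for x in selected for msg in then(x)]
    return ("failed" if failures else "passed"), failures


def scenario_tags_not_null(plan):
    """Given aws_s3_bucket / Then it must contain tags / And its value must not be null."""
    return run(given(plan, "aws_s3_bucket"),
               then=lambda r: [] if r["values"].get("tags") else [f"{r['address']} has null tags"])


def scenario_only_ssh_from_anywhere(plan):
    """Given aws_security_group / When it contains ingress / Then only tcp 22 for 0.0.0.0/0."""
    def rules(sg):  # inline ingress blocks plus rules mounted from separate resources
        return list(sg["values"].get("ingress") or []) + mounted_ingress(plan, sg["address"])

    def then(sg):
        return [f"{sg['address']} exposes {r['protocol']}/{r['from_port']}-{r['to_port']} to 0.0.0.0/0"
                for r in rules(sg)
                if "0.0.0.0/0" in (r.get("cidr_blocks") or [])
                and not (r["protocol"] == "tcp" and r["from_port"] == 22 and r["to_port"] == 22)]

    return run(given(plan, "aws_security_group"), when=lambda sg: bool(rules(sg)), then=then)


def scenario_ecr_scan_on_push(plan):
    """Given aws_ecr_repository / Then image_scanning_configuration with scan_on_push enabled."""
    def then(repo):
        cfg = repo["values"].get("image_scanning_configuration") or [{}]  # missing block -> None
        enabled = cfg[0].get("scan_on_push")
        return [] if enabled else [
            f"{repo['address']} does not have scan_on_push property enabled (scan_on_push={enabled})"]

    return run(given(plan, "aws_ecr_repository"), then=then)


def scenario_typo_in_resource_type(plan):
    """A misspelled type selects nothing, so the scenario is SKIPPED rather than failed:
    a silently passing policy is the failure mode to watch for with filter-style steps."""
    return run(given(plan, "aws_s3_bukcet"), then=lambda r: ["unreachable"])


if __name__ == "__main__":
    for scenario in (scenario_tags_not_null, scenario_only_ssh_from_anywhere,
                     scenario_ecr_scan_on_push, scenario_typo_in_resource_type):
        status, failures = scenario(PLAN)
        print(f"{scenario.__name__}: {status}", *failures, sep="\n  ")
```

The security group scenario is the one worth studying: the inline ingress block is compliant, and the violation only appears because the mounted aws_security_group_rule is folded into the same check. The last scenario is the caveat from the GIVEN section made concrete: a filter that selects nothing reports "skipped", not "failed", so a CI gate should treat an unexpectedly skipped scenario as a signal to look at the policy, not as a pass.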
> Workflow Examples
...
Scenario: Image scan to be enabled on push.
  Given I have aws_ecr_repository defined
  Then it must contain image_scanning_configuration
  And scan_on_push must be enabled
Failure: Resource aws_ecr_repository.repo does not have scan_on_push property enabled (scan_on_push=None)
[Container] 2020/02/13 11:48:40 Phase complete: BUILD State: FAILED
. Created a PR
. Got peer review approvals
. CI failed due to compliance test failures: the Security Team had already introduced new compliance checks
. Read the logs, understood what failed
. Fixed the compliance problems
. CI passed
. Merged to master
. CD ran without a failure
. Got the final notification
Δt = ~15 minutes
> Workflow Examples
Why was it important ?
. No retrospective checks.
. The feedback loop is near-instant while keeping segregation of duties.
. No complicated troubleshooting; the problem was described in plain language.
. The PR was not the cause of the failure; it was due to something created before.
. Nothing was deployed until it was fixed.
. Keep it green.
> Workflow Examples
What do you need to achieve this workflow ?
. Trunk Based Development; please do not use GitFlow.
. Small incremental changes instead of huge PRs ( or worse, having a release branch ... )
. Everybody is hands-on. Engineers (including Security) are the governance.
. Engineers are the decision makers.
. Keep It Simple, Stupid.
. VERY IMPORTANT: a good repository structure.
. You build it, you run it.
. #nobuzzwords
> prediction
Your main problem is not about testing terraform, right ?
> terraform apply
Double rodded leveling 1 pdf activity 01Double rodded leveling 1 pdf activity 01
Double rodded leveling 1 pdf activity 01
 
Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...Call for Papers - International Journal of Intelligent Systems and Applicatio...
Call for Papers - International Journal of Intelligent Systems and Applicatio...
 
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
The Most Attractive Pune Call Girls Manchar 8250192130 Will You Miss This Cha...
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
AKTU Computer Networks notes --- Unit 3.pdf
AKTU Computer Networks notes ---  Unit 3.pdfAKTU Computer Networks notes ---  Unit 3.pdf
AKTU Computer Networks notes --- Unit 3.pdf
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
(INDIRA) Call Girl Meerut Call Now 8617697112 Meerut Escorts 24x7
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering  Unit - I & II . pptThermal Engineering  Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 

Compliance as Code with terraform-compliance

  • 1. Compliance as Code, Emre Erkunt, terraform-compliance
  • 2. > cat who_is_this_person.tf
    resource "human_person" "me" {
      name = "Emre Erkunt"
      interests {
        professional = ["DevOps", "DevSecOps", "Security", "Automation"]
        personal     = ["Astrophotography", "Aikido", "Guitar", "Apnea Diving", "Gaming"]
      }
      recent_focus = [
        "terraform", "terraform-compliance", "aws", "tons of aws", "serverless",
        "pipelines", "cultural change", "new ways of working", "agile", "#nobuzzwords"
      ]
      twitter  = "@3rkunt"
      linkedin = "only person with this name and surname"
    }
    Compliance as Code terraform-compliance.com
  • 3. > prediction
    Your main problem is not about testing terraform.
  • 4. > terraform init
    Infrastructure as Code:
    What it was: a codified way of defining the tasks required to perform CRUD operations in an IT environment.
    What it is now: a codified way of defining the latest state of a target IT environment. Mostly used for cloud environments.
    The critical requirement for both is IDEMPOTENCY and ideally IMMUTABILITY.
  • 5. > terraform init
    Brilliant API client that focuses on desired state and has its own configuration language, HCL/HCL2.
    Lots of actively maintained providers. Tons of modules that can be used from the registry.
    Solid state management.
    ...and most importantly;
  • 6. > terraform-compliance -h
    What is Compliance as Code? A codified way of defining compliance policies.
  • 7. > terraform-compliance -h
    What is Compliance as Code? A codified way of defining compliance policies.
    Requirements:
    . A common language that defines the policy
    . A language that defines the tests (might be the same as the policy)
    . Ability to answer: What are we testing here?
    . Ability to answer: Why are we testing this?
  • 9. > terraform plan -out plan.out
    Implementation:
      terraform plan
      terraform-compliance
      terraform apply
      terraform plan -detailed-exitcode
  • 10. > terraform-compliance ?
    . Based on Behaviour Driven Development. Why?
    . All interpolations and modules are supported. Why is this important?
    . Drilling down, just like another BDD step.
    . Resource mounting is supported. Why is this important?
    . Can perform complex Security Group calculations.
    . Mostly focused on negative testing. What is negative testing?
    . Filtering.
    . Can be thought of as a free version of HashiCorp Sentinel. Really?
    . Runs anywhere that can run Python or Docker.
    . Needs PRs, feature requests, bug reports and love, just like every Open Source project.
  • 11. > Behaviour Driven Development
    . A branch of Test Driven Development/TDD
    . Focus on end-to-end results, functional tests
    . Features > Scenarios > Steps, Gherkin/Cucumber language
    . Simple sentences with a shared vocabulary, while every step has test code under the hood
    . GIVEN, WHEN, THEN and AND
    . Possible to translate the same tests into UAT, since every Scenario/Feature can be a Story/Task
    . Usually takes longer to run than unit tests
  • 12. > terraform-compliance tests
    . Not an integration test, but still a functional test
    . Runs against the plan, and runs super-fast
    . Same language structure as other BDD tests
    . Can live in a separate git repository (strongly recommended!)
    . Has its own, but quite universal, vocabulary for steps, e.g.:
      Scenario: Ensure all resources have tags
        Given I have resource that supports tags defined
        Then it must contain tags
        And its value must not be null
  • 13. > terraform-compliance tests
  • 14. > terraform-compliance tests: GIVEN
    . Defines the initial picture
    . Every scenario has a GIVEN step
    . Works as a filtering function
    . Will SKIP the next steps if there is no match, so there is no failure if nothing is found
    . Recommended to use terraform references instead of templated entities
    . You can use it against resource(s), provider(s), data(s), variable(s) or output(s)
      Scenario: Ensure all resources have tags
        Given I have aws_s3_bucket defined
        Then it must contain tags
        And its value must not be null
  • 15. > terraform-compliance tests: GIVEN
      resource "aws_s3_bucket" "some_bucket" {
        bucket = "my-super-unique-bucket-name"
        tags = {
          cost_center = "0135134"
          environment = "dev"
        }
      }
  • 16. > terraform-compliance tests: WHEN
    . Works as a filtering function (mostly); defines the condition that you are searching for.
    . Will SKIP the next steps if there is no match, so there is no failure if nothing is found, just like GIVEN
    . The filtered data is used as the INPUT data for the next steps.
      Scenario: Ensure we only allow a port range for ingress rule
        Given I have aws_security_group defined
        When it contains ingress
        Then it must only have tcp protocol and port 22 for 0.0.0.0/0
  • 17. > terraform-compliance tests: WHEN
      resource "aws_security_group" "some_group" {
        name = "allow_ssh_publicly_because_we_are_just_crazy"
        ingress {
          from_port   = 22
          to_port     = 22
          protocol    = "tcp"
          cidr_blocks = ["0.0.0.0/0"]
        }
      }
  • 18. > terraform-compliance tests: WHEN
      resource "aws_security_group_rule" "port_22_to_public" {
        type              = "ingress"
        from_port         = 22
        to_port           = 22
        protocol          = "tcp"
        cidr_blocks       = ["0.0.0.0/0"]
        security_group_id = aws_security_group.some_group.id
      }
  • 19. > terraform-compliance tests: WHEN
      Scenario: Ensure there is always 2 network_interfaces attached to instances
        Given I have aws_instance defined
        When it contains network_interface
        And I count them
        Then I expect the result is equal to 1
  • 20. > terraform-compliance tests: WHEN
      resource "aws_instance" "monero_miner" {
        ami           = "ami-6d1c2007"
        instance_type = "t2.micro"
        network_interface {
          device_index         = "1"
          network_interface_id = "eth0"
        }
      }
  • 21. > terraform-compliance tests: WHEN
      Scenario: Ensure we are using encryption on ALBs via ACM
        Given I have aws_elb defined
        When it contains listener
        Then it must contain ssl_certificate_id
        And its value must match the ".*acm.*" regex
  • 22. > terraform-compliance tests: WHEN
      resource "aws_elb" "bar" {
        name = "foo"
        ...
        listener {
          ...
        }
      }
  • 23. > terraform-compliance tests: THEN
    . Defines the matching criteria. Decision making step.
    . FAILS if it does not pass.
      Scenario: Ensure we are using encryption on ALBs via ACM
        Given I have aws_elb defined
        When it contains listener
        Then it must contain ssl_certificate_id
        And its value must match the ".*acm.*" regex
  • 24. > terraform-compliance tests: THEN
      resource "aws_elb" "bar" {
        name = "foo"
        listener {
          instance_port = 8000
          ...
          ssl_certificate_id = "arn:aws:iam::123456789012:server-certificate/certName"
        }
      }
  • 25. > terraform-compliance tests: THEN
      Scenario: Ensure we only allow a port range for ingress rule
        Given I have aws_security_group defined
        When it contains ingress
        Then it must only have tcp protocol and port 22 for 0.0.0.0/0
  • 26. > terraform-compliance tests: THEN
      resource "aws_security_group_rule" "port_22_to_public" {
        type              = "ingress"
        from_port         = 22
        to_port           = 22
        protocol          = "tcp"
        cidr_blocks       = ["0.0.0.0/0"]
        security_group_id = aws_security_group.some_group.id
      }
  • 27. > Workflow Examples
  • 28. > Workflow Examples
  • 29. > Workflow Examples
  • 30. > Workflow Examples
      ...
      Scenario: Image scan to be enabled on push.
        Given I have aws_ecr_repository defined
        Then it must contain image_scanning_configuration
        And scan_on_push must be enabled
      Failure: Resource aws_ecr_repository.repo does not have scan_on_push property enabled (scan_on_push=None)
      [Container] 2020/02/13 11:48:40 Phase complete: BUILD State: FAILED
  • 31. > Workflow Examples
  • 32. > Workflow Examples
  • 33. > Workflow Examples
  • 34. > Workflow Examples
  • 35. > Workflow Examples
  • 36. > Workflow Examples
  • 37. > Workflow Examples
  • 38. > Workflow Examples
    Created a PR
    Get peer review approvals
    CI failed due to compliance test failures
    Security Team already introduced new compliance checks
    Read the logs, understand what failed
    Fix compliance problems
    CI pass
    Merge to master
    CD runs without a failure
    Get final notification
    Δt = ~15 minutes
  • 39. > Workflow Examples
    Why was it important?
    . No retrospective checks.
    . The feedback loop is near-instant while keeping segregation of duties.
    . No complicated troubleshooting; the problem was described in plain language.
    . The PR was not about the failure; it was due to something created before.
    . Nothing was deployed until it was fixed.
    . Keep it green.
  • 40. > Workflow Examples
    What do you need to achieve this workflow?
    . Trunk Based Development, please do not use GitFlow.
    . Small incremental changes instead of huge PRs (or worse, having a release branch ...)
    . Everybody is hands-on. Engineers (including Security) are the Governance.
    . Engineers are the decision makers.
    . Keep It Simple Stupid.
    . VERY IMPORTANT: Good repository structure.
    . You build it, you run it
    . #nobuzzwords
  • 41. > prediction
    Your main problem is not about testing terraform, right?
  • 42. > terraform apply
  • 43. > cat who_is_this_person.tf
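The GIVEN / WHEN / THEN step semantics from slides 14 to 26 (GIVEN and WHEN only filter and SKIP on no match, THEN decides and FAILS), worked as an added Python example that is not code from the deck or from the terraform-compliance project. It runs over a constructed plan excerpt in the resource_changes[].change.after shape that `terraform show -json` produces, and the reading of "must only have tcp protocol and port 22 for 0.0.0.0/0" as "every rule open to that CIDR must be exactly tcp/22" is an assumption of this example.

```python
# Added example, not code from the deck or the terraform-compliance project: a
# minimal evaluator for the GIVEN / WHEN / THEN semantics the slides describe, run
# over a constructed excerpt shaped like `terraform show -json plan.out` output.
import json

# Constructed plan excerpt: planned values live under resource_changes[].change.after.
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "aws_security_group.some_group", "type": "aws_security_group",
     "change": {"after": {"name": "allow_ssh", "ingress": [
         {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_security_group.wide_open", "type": "aws_security_group",
     "change": {"after": {"name": "wide_open", "ingress": [
         {"from_port": 0, "to_port": 65535, "protocol": "-1", "cidr_blocks": ["0.0.0.0/0"]}]}}},
    {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
     "change": {"after": {"bucket": "logs-bucket", "tags": None}}},
    {"address": "aws_s3_bucket.data", "type": "aws_s3_bucket",
     "change": {"after": {"bucket": "data-bucket", "tags": {"environment": "dev"}}}},
]})

def given(plan, resource_type):
    """GIVEN I have <resource_type> defined: a filter, never a failure by itself."""
    return [r for r in plan["resource_changes"] if r["type"] == resource_type]

def when_contains(resources, key):
    """WHEN it contains <key>: keeps (address, value) pairs where the key is set.
    Like GIVEN this only narrows the input handed to the following steps."""
    return [(r["address"], r["change"]["after"][key])
            for r in resources if r["change"]["after"].get(key) is not None]

def then_only_port_for_cidr(ingress_items, protocol, port, cidr):
    """THEN it must only have <protocol> protocol and port <port> for <cidr>.
    Interpretation used here (an assumption): every rule open to <cidr> must be
    exactly <protocol>/<port>. Returns failure messages; empty means the step passed."""
    failures = []
    for address, rules in ingress_items:
        for rule in rules:
            if cidr not in rule.get("cidr_blocks", []):
                continue
            if rule["protocol"] != protocol or not rule["from_port"] == rule["to_port"] == port:
                failures.append(f"{address}: {rule['protocol']} "
                                f"{rule['from_port']}-{rule['to_port']} open to {cidr}")
    return failures

def then_must_contain_not_null(resources, key):
    """THEN it must contain <key> AND its value must not be null (the tags scenario)."""
    return [f"{r['address']}: {key} missing or null"
            for r in resources if r["change"]["after"].get(key) is None]

def sg_scenario(plan_text, protocol="tcp", port=22, cidr="0.0.0.0/0"):
    """The security-group scenario from the WHEN/THEN slides. Returns 'skipped'
    when nothing matches (no failure), 'passed', or the list of failures."""
    matched = when_contains(given(json.loads(plan_text), "aws_security_group"), "ingress")
    if not matched:
        return "skipped"
    return then_only_port_for_cidr(matched, protocol, port, cidr) or "passed"

def tags_scenario(plan_text, resource_type="aws_s3_bucket"):
    """The tags scenario from the GIVEN slides, with the same skip/pass/fail contract."""
    resources = given(json.loads(plan_text), resource_type)
    if not resources:
        return "skipped"
    return then_must_contain_not_null(resources, "tags") or "passed"
```

Running `sg_scenario(PLAN_JSON)` reports only the wide-open group, and `tags_scenario(PLAN_JSON, "aws_instance")` returns "skipped" because the GIVEN step matched nothing.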