Compliance as Code
Emre Erkunt
terraform-compliance

> cat who_is_this_person.tf
resource “human_person” “me” {
name = “Emre Erkunt”
interests {
professional = [“DevOps”, “DevSecOps”, “Security”, “Automation”]
personal = [“Astrophotography”, “Aikido”, “Guitar”, “Apnea Diving”, “Gaming”]
}
recent_focus = [
“terraform”, “terraform-compliance”, “aws”, “tons of aws”, “serverless”,
“pipelines”, “cultural change”, “new ways of working”, “agile”, “#nobuzzwords”
]
twitter = “@3rkunt”
linkedin = “only person with this name and surname”
}
Compliance as Code terraform-compliance.com

> prediction
Compliance as Code terraform-compliance.com
Your main problem is not about testing terraform.

Infrastructure as Code :
What is was ;
A codified way of defining tasks that is required to perform CRUD operations in an IT Environment.
What it is now ;
A codified way of defining the latest state on target IT environment. Mostly used in for Cloud Environments.
Critical Requirement for both is IDEMPOTENCY and ideally IMMUTABILITY.
> terraform init
Compliance as Code terraform-compliance.com
“ “
“ “

Brilliant API Client that focus on desired state and has its own configuration language, HCL/HCL2.
Lots of providers actively maintained. Tons of modules that can be used from the registry.
Solid state management
.. and most importantly ;
> terraform init
Compliance as Code terraform-compliance.com

What is Compliance as Code ?
A codified way of defining compliance policies.
> terraform-compliance -h
Compliance as Code terraform-compliance.com
“ “

What is Compliance as Code ?
A codified way of defining compliance policies.
Requirements :
. A common language that defines the policy
. A language that defines the tests ( might be same with the policy )
. Ability to answer: What are we testing here ?
. Ability to answer: Why are we testing this ?
> terraform-compliance -h
Compliance as Code terraform-compliance.com
“ “

What is Compliance as Code ?
A codified way of defining compliance policies.
Requirements :
. A common language that defines the policy
. A language that defines the tests ( might be same with the policy )
. Ability to answer: What are we testing here ?
. Ability to answer: Why are we testing this ?
> terraform-compliance -h
Compliance as Code terraform-compliance.com
“ “

> terraform plan -out plan.out
Compliance as Code terraform-compliance.com
Implementation terraform plan terraform-compliance terraform apply
terraform plan -detailed-exitcode

> terraform-compliance ?
Compliance as Code terraform-compliance.com
. Based on Behaviour Driven Development. Why ?
. All interpolations and modules are supported. Why is this important ?
. Drilling down, just like another BDD step.
. Resource mounting are supported. Why is this important ?
. Can perform complex Security Group calculations.
. Mostly focused on negative testing. What is negative testing ?
. Filtering.
. Can be assumed as a free version of HashiCorp Sentinel. Really ?
. Runs in everywhere that can run Python or Docker.
. Needs PRs, Feature Requests, Bug Reporting and love just like every Open Source Project.

> Behaviour Driven Development
Compliance as Code terraform-compliance.com
. A branch of Test Driven Development/TDD
. Focus on end-to-end results, functional tests
. Features > Scenarios > Steps, Gherkin/Cucumber language
. Simple sentences with shared vocabulary while every step has a test code under the hood
. GIVEN, WHEN, THEN and AND
. Possible to translate the same tests as UAT, since every Scenario/Feature can be a Story/Task
. Usually takes longer time to run compared with Unit Tests

> terraform-compliance tests
Compliance as Code terraform-compliance.com
. Not an integration test, but still a functional test
. Runs against plan, and runs super-fast
. Same language structure like other BDD tests
. Can live in a separate git repository (strongly recommended!)
. Has its own - but quite universal - vocabulary for steps, e.g. ;
Scenario: Ensure all resources have tags
Given I have resource that supports tags defined
Then it must contain tags
And its value must not be null

> terraform-compliance tests
Compliance as Code terraform-compliance.com

> terraform-compliance tests: GIVEN
Compliance as Code terraform-compliance.com
. Defines the initial picture
. Every scenario has a GIVEN step
. Works as a filtering function
. Will SKIP the next steps if there is no match, so no failure if nothing is found
. Recommended to use terraform references instead of templated entities
. You can use it against resource(s), provider(s), data(s), variable(s) or output(s)
Scenario: Ensure all resources have tags
Given I have aws_s3_bucket defined
Then it must contain tags
And its value must not be null

> terraform-compliance tests: GIVEN
Compliance as Code terraform-compliance.com
. Defines the initial picture
. Every scenario has a GIVEN step
. Works as a filtering function
. Will SKIP the next steps if there is no match, so no failure if nothing is found
. Recommended to use terraform references instead of templated entities
. You can use it against resource(s), provider(s), data(s), variable(s) or output(s)
Scenario: Ensure all resources have tags
Given I have aws_s3_bucket defined
Then it must contain tags
And its value must not be null
resource “aws_s3_bucket” “some_bucket” {
bucket = “my-super-unique-bucket-name”
tags = {
cost_center = “0135134”
environment = “dev”
}
}

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we only allow a port range for ingress rule
Given I have aws_security_group defined
When it contains ingress
Then it must only have tcp protocol and port 22 for 0.0.0.0/0

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we only allow a port range for ingress rule
Given I have aws_security_group defined
When it contains ingress
Then it must only have tcp protocol and port 22 for 0.0.0.0/0
resource “aws_security_group” “some_group” {
name = “allow_ssh_publicly_because_we_are_just_crazy”
ingress {
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
}
}

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we only allow a port range for ingress rule
Given I have aws_security_group defined
When it contains ingress
Then it must only have tcp protocol and port 22 for 0.0.0.0/0
resource “aws_security_group_rule” “port_22_to_public” {
type = “ingress”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
security_group_id = aws_security_group.some_group.id
}

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure there is always 2 network_interfaces attached to instances
Given I have aws_instance defined
When it contains network_interface
And I count them
Then I expect the result is equal to 1

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure there is always 2 network_interfaces attached to instances
Given I have aws_instance defined
When it contains network_interface
And I count them
Then I expect the result is equal to 1
resource “aws_instance” “monero_miner” {
ami = “ami-6d1c2007”
instance_type = “t2.micro”
network_interface {
device_index = “1”
network_interface_id = “eth0”
}
}

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we are using encryption on ALBs via ACM
Given I have aws_elb defined
When it contains listener
Then it must contain ssl_certificate_id
And its value must match the “.*acm.*” regex

> terraform-compliance tests: WHEN
Compliance as Code terraform-compliance.com
. Works as a filtering function (mostly), defines the condition that you are searching for.
. Will SKIP the next steps if there is no match, so no failure if nothing is found, just like GIVEN
. Filtered data is used as the INPUT data for the next steps.
Scenario: Ensure we are using encryption on ALBs via ACM
Given I have aws_elb defined
When it contains listener
Then it must contain ssl_certificate_id
And its value must match the “.*acm.*” regex
resource “aws_elb” “bar” {
name = “foo”
...
listener {
...
}
}

> terraform-compliance tests: THEN
Compliance as Code terraform-compliance.com
. Defines the matching criteria. Decision making step.
. FAILS if it not pass.
Scenario: Ensure we are using encryption on ALBs via ACM
Given I have aws_elb defined
When it contains listener
Then it must contain ssl_certificate_id
And its value must match the “.*acm.*” regex

> terraform-compliance tests: THEN
Compliance as Code terraform-compliance.com
. Defines the matching criteria. Decision making step.
. FAILS if it not pass.
Scenario: Ensure we are using encryption on ALBs via ACM
Given I have aws_elb defined
When it contains listener
Then it must contain ssl_certificate_id
And its value must match the “.*acm.*” regex
resource “aws_elb” “bar” {
name = “foo”
listener {
instance_port = 8000
...
ssl_certificate_id = “arn:aws:iam::123456789012:server-certificate/certName”
}
}

> terraform-compliance tests: THEN
Compliance as Code terraform-compliance.com
. Defines the matching criteria. Decision making step.
. FAILS if it not pass.
Scenario: Ensure we only allow a port range for ingress rule
Given I have aws_security_group defined
When it contains ingress
Then it must only have tcp protocol and port 22 for 0.0.0.0/0

> terraform-compliance tests: THEN
Compliance as Code terraform-compliance.com
. Defines the matching criteria. Decision making step.
. FAILS if it not pass.
Scenario: Ensure we only allow a port range for ingress rule
Given I have aws_security_group defined
When it contains ingress
Then it must only have tcp protocol and port 22 for 0.0.0.0/0
resource “aws_security_group_rule” “port_22_to_public” {
type = “ingress”
from_port = 22
to_port = 22
protocol = “tcp”
cidr_blocks = [“0.0.0.0/0”]
security_group_id = aws_security_group.some_group.id
}

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com
...
Scenario: Image scan to be enabled on push.
Given I have aws_ecr_repository defined
Then it must contain image_scanning_configuration
And scan_on_push must be enabled
Failure: Resource aws_ecr_repository.repo does not have scan_on_push property enabled
(scan_on_push=None)
[Container] 2020/02/13 11:48:40 Phase complete: BUILD State: FAILED

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com

> Workflow Examples
Compliance as Code terraform-compliance.com
Created a PR
Get peer review
approvals
CI failed due to
compliance test failures
Security Team already introduced
new compliance checks
Read the logs, understand
what failed
Fix compliance problems
CI Pass
Merge to masterCD runs without a failureGet final notification
Δt = ~15 minutes

> Workflow Examples
Compliance as Code terraform-compliance.com
Why it was important ?
. No retrospective checks.
. Feedback loop is near-instant while keeping segregation of duties.
. No complicated troubleshooting, problem was described in plain language.
. The PR was not about the failure, it was due to something created before.
. Nothing was deployed till it is fixed.
. Keep it green.

> Workflow Examples
Compliance as Code terraform-compliance.com
What do you need to achieve this workflow ?
. Trunk Based Development, please do not use GitFlow.
. Small incremental changes, instead of huge PRs. ( or worse having a release branch ... )
. Everybody is hands-on. Engineers (including Security) is the Governance.
. Engineers are the decision makers.
. Keep It Simple Stupid.
. VERY IMPORTANT: Good repositories structure.
. You build it, you run it
. #nobuzzwords

> prediction
Compliance as Code terraform-compliance.com
Your main problem is not about testing terraform, right ?

> terraform apply
Compliance as Code terraform-compliance.com

> cat who_is_this_person.tf
resource “human_person” “me” {
name = “Emre Erkunt”
interests {
professional = [“DevOps”, “DevSecOps”, “Security”, “Automation”]
personal = [“Astrophotography”, “Aikido”, “Guitar”, “Apnea Diving”, “Gaming”]
}
recent_focus = [
“terraform”, “terraform-compliance”, “aws”, “tons of aws”, “serverless”,
“pipelines”, “cultural change”, “new ways of working”, “agile”, “#nobuzzwords”
]
twitter = “@3rkunt”
linkedin = “only person with this name and surname”
}
Compliance as Code terraform-compliance.com