AI for DevOps Engineers - Part 1: The Building Blocks of DevOps AI
DevOps is a key success factor for modern software development and we have most definitely come across AI in one way or another. The intersection of AI and
In today's fast-paced DevOps environments, ensuring infrastructure compliance and security is paramount. Traditionally, HashiCorp Sentinel has been a go-to for policy as code within the HashiCorp ecosystem, particularly for Terraform users. However, Mondoo offers a compelling alternative, providing extensive security and compliance capabilities that can seamlessly integrate with Terraform. This article explores how to use Mondoo policies as a replacement for HashiCorp Sentinel with practical examples.
Mondoo is a security and compliance platform that offers robust capabilities for continuous security assessments and compliance checks across cloud, on-premises, and hybrid environments. Here are some key reasons to consider Mondoo:
Mondoo policies are written using Mondoo's policy language. Here’s an example of a simple Mondoo policy to check that no AWS S3 bucket is publicly accessible:
1policies:
2 - uid: terraform-aws-s3-public-access
3 name: "Ensure no S3 bucket is publicly accessible."
4 version: 1.0.0
5 scoring_system: highest impact
6 tags:
7 mondoo.com/category: security
8 groups:
9 - title: AWS S3 Bucket Policies
10 filters: asset.runtime == "terraform"
11 checks:
12 - uid: aws-s3-public-access
13
14queries:
15 - uid: aws-s3-public-access
16 title: AWS S3 Public Access
17 impact: 50
18 mql: |
19 terraform.plan.resourceChanges.where(r: r.type == "aws_s3_bucket_acl" ).all(i: i.change.after.acl.in( props.allowedACLs ) )
20
21 props:
22 - uid: allowedACLs
23 title: Allowed ACLs
24 mql: |
25 ["private", "authenticated-read"]
To ensure your policy definition is valid, you can use the Mondoo CLI to validate the policy file:
1cnspec policy lint aws_s3_bucket_policy.mql.yaml
Integrating Mondoo with Terraform involves running Mondoo checks as part of your Terraform workflow based on the terraform plan. So we need some terraform code that creates a plan and then we can scan it with Mondoo. In our example, we will use an AWS S3 bucket as a sample resource. We will also rely on the Mondoo CLI to scan the Terraform plan with local policy files. On a production system, you would typically use the Mondoo platform to manage policies, scan results and integrate with CI/CD pipelines.
1resource "aws_s3_bucket" "example" {
2 bucket = "my-tf-example-bucket"
3}
4
5resource "aws_s3_bucket_ownership_controls" "example" {
6 bucket = aws_s3_bucket.example.id
7 rule {
8 object_ownership = "BucketOwnerPreferred"
9 }
10}
11
12resource "aws_s3_bucket_acl" "example" {
13 depends_on = [aws_s3_bucket_ownership_controls.example]
14
15 bucket = aws_s3_bucket.example.id
16 acl = "private"
17}
1terraform plan -out=tfplan
1terraform show -json tfplan > tfplan.json
Use Mondoo to scan the Terraform plan:
1cnspec scan terraform plan tfplan.json -f aws_s3_bucket_policy.mql.yaml
2
3→ discover related assets for 1 asset(s)
4
5 Terraform Static Analysis tfplan ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: A
6
7Asset: Terraform Static Analysis tfplan
8---------------------------------------
9
10Checks:
11✓ Pass: 100 AWS S3 Public Access
12
13Scanned 1 asset
14
15Terraform Plan
16 [100/100] Terraform Static Analysis tfplan
Let's enforce a policy to ensure that no security group allows SSH access from anywhere.
1policies:
2 - uid: terraform-aws-sec-group-ssh-access
3 name: "Ensure No Security Group Allows SSH from 0.0.0.0/0"
4 version: 1.0.0
5 scoring_system: highest impact
6 tags:
7 mondoo.com/category: security
8 groups:
9 - title: AWS SSH Security Group Check
10 filters: asset.runtime == "terraform"
11 checks:
12 - uid: aws-ssh-security-group
13queries:
14 - uid: aws-ssh-security-group
15 title: AWS SSH Security Group Check
16 impact: 20
17 mql: |
18 terraform.plan.resourceChanges.where(r: r.type == "aws_security_group" || r.type == "aws_security_group_rule" ).all(i:
19 i.change.after.from_port == 22
20 && i.change.after.to_port == 22
21 && i.change.after.cidr_blocks.not_in( props.disAllowedCIDRs )
22 && i.change.after.ipv6_cidr_blocks.not_in( props.disAllowedCIDRs )
23 )
24
25 props:
26 - uid: disAllowedCIDRs
27 title: Disallowed CIDRs
28 mql: |
29 ["0.0.0.0/0", "::/0" ]
Here’s a sample Terraform configuration for an AWS security group:
1resource "aws_security_group" "example" {
2 name = "example-sg"
3 description = "Example security group"
4
5 ingress {
6 from_port = 22
7 to_port = 22
8 protocol = "tcp"
9 cidr_blocks = ["0.0.0.0/0"]
10 }
11}
12resource "aws_security_group_rule" "example" {
13 type = "ingress"
14 from_port = 22
15 to_port = 22
16 protocol = "tcp"
17 ipv6_cidr_blocks = [ "::/0" ]
18 security_group_id = aws_security_group.example.id
19}
1terraform plan -out=tfplan
2terraform show -json tfplan > tfplan.json
1cnspec scan terraform plan tfplan.json -f aws_security_group_policy.mql.yaml
The Mondoo scan will analyze the Terraform plan and enforce the policy, alerting you if any security group allows SSH access from 0.0.0.0/0.
Mondoo provides a powerful and flexible alternative to HashiCorp Sentinel for enforcing policies in your Terraform workflows. By integrating Mondoo, you can enhance your infrastructure's security and compliance posture with minimal effort. With its broad integration capabilities and comprehensive policy management features, Mondoo is well-suited for modern DevOps environments.
Overall, Mondoo offers a robust platform for continuous security and compliance checks across your infrastructure, ensuring that your Terraform-managed resources adhere to your organization's security policies. These policies can be maintained on the Mondoo platform and enforced as part of your Terraform workflows and CI/CD pipelines.
Start leveraging Mondoo today and ensure your Terraform-managed infrastructure remains secure and compliant.
You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.
Contact us