Skip to content

Latest commit

 

History

History
86 lines (59 loc) · 3.88 KB

README.md

File metadata and controls

86 lines (59 loc) · 3.88 KB

PaC with checkov example (300 level)

This example demonstrates how to use checkov to detect security or policy misconfigurations using terraform to deploy an Azure storage account and a blob container.

Policy as Code (PaC)

Policy As Code is a DevOps Practice that verify and enforce security configurations when you deploy Infrastructure, can also ben use to force the configuration of other policy checks like enable encryption of disks on virtual machines or the replication of storage or databases on different regions.

Policy as code is a practice of managing and defining policies in a code-like format, which can be version-controlled, tested, and automatically deployed. This approach allows for the automation of policy enforcement and compliance, making it easier to manage and maintain policies across an organization.

Prerequisites

  • Checkov and Python are already configured on the dev container of this repo, we recommend using the dev container.
  • Entra ID Tenant
  • Azure subscription where the terraform state will be stored
  • Power Platform environment (optional)

Example Files

The example files can be found in quickstarts/300-pac-checkov

Provider Requirements

The Terraform plugins or "providers" that this IaC deployment requires are:

  • azurecaf (aztfmod/azurecaf): >=1.2.26

  • azurerm (hashicorp/azurerm): >=3.74.0

Input Variables

Name Description Type Default Required
base_name The base name which should be used for all resources name string "pac" false
location The Azure region where the resources in this example should be created string null true
prefix The prefix which should be used for all resources name string "pac" false
subscription_id The subscription ID of the service principal with on-premise data gateway admin permissions string null true
tenant_id The tenant ID of service principal or user at Power Platform string null true

Resources

  • azurecaf_name.rg from azurecaf

  • azurerm_resource_group.rg from azurerm

PaC example steps

  • Clone the repo on your computer.
  • Select the PaC example branch
  • Start the dev container, this process can take a couple of minutes.
  • We include a basic terraform storage account creation example in quickstarts/300-pac-checkov/main.tf
  • Look to the file and identify the resources that you can deploy with this terraform file.
  • Run the azure login command and authenticate with azure services.
  • Open the quickstarts/300-pac-checkov/tfcheckov.sh and look to the commands that are required to run checkov and terraform.
  • Run checkov, we create the tfcheckov.sh (described above), to do that on the dev container console execute the “sh” file “./tfcheckov.sh”.
./tfcheckov.sh
  • The first time that you run the command you will not receive any warning this is expected because the storage account is commented.
  • Uncomment the storage account part, save the file and run checkov again.
  • Now you will receive checkov warnings, for example one could be to enable GRS for the storage account.
  • Enable GRS, change the account_replication_type from "LRS" to be "GRS", save the file and run checkov again.
resource "azurerm_storage_account" "storage_account" {
 name                     = azurecaf_name.storage_account_name.result
 resource_group_name      = azurerm_resource_group.rg.name
 location                 = azurerm_resource_group.rg.location
 account_tier             = "Standard"
 account_replication_type = "GRS"
}

./tfcheckov.sh

The goal is to see the checkov behavior and solve a couple of those warnings.

Additional Resources