@becki-at-luminal
Created September 27, 2021 18:46
Using Regula and OPA to check AWS AMI IDs in Terraform (blog post) -- Rego custom rule and Terraform file
```hcl
# A Terraform file to test the approved_ami.rego custom rule
# See our blog post for details: https://blog.fugue.co
provider "aws" {
  region = "us-east-1"
}

# Uses an AMI ID from the approved list in approved_ami.rego: should pass
resource "aws_instance" "good" {
  ami           = "ami-09e67e426f25ce0d7"
  instance_type = "t2.micro"
}

# Deliberately uses an AMI ID that is not on the approved list: should be denied
resource "aws_instance" "bad" {
  ami           = "ami-totallylegitamiid"
  instance_type = "t2.micro"
}
```
```rego
# A Rego custom rule to check AWS EC2 AMI IDs, for use with Regula
# See our blog post for details: https://blog.fugue.co
package rules.approved_ami

__rego__metadoc__ := {
  "id": "CUSTOM_0002",
  "title": "AWS EC2 instances must use approved AMIs",
  "description": "Per company policy, EC2 instances may only use AMI IDs from a pre-approved list",
  "custom": {
    "controls": {
      "CORPORATE-POLICY": [
        "CORPORATE-POLICY_1.2"
      ]
    },
    "severity": "High"
  }
}

# Regula evaluates this rule once per resource of this type, with the
# resource's attributes available as `input`
resource_type = "aws_instance"

approved_amis = {
  # Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
  "ami-09e67e426f25ce0d7", # us-east-1
  "ami-03d5c68bab01f3496"  # us-west-2
}

# Deny any instance whose AMI is not a member of the approved set
deny[msg] {
  not approved_amis[input.ami]
  msg = sprintf("%s is not an approved AMI ID", [input.ami])
}
```
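The same policy expressed in plain Python, as an added example that is not part of the gist and not Regula's or OPA's own code. It walks the `resource_changes` array of a `terraform show -json` plan (a constructed sample is embedded below, including a resource whose `ami` is only known at apply time) and reports every `aws_instance` whose `ami` is not in the approved set. One difference from the Rego rule is deliberate: the Rego `deny` body references `input.ami` inside `sprintf`, so an instance with no `ami` value in the input produces no message at all, whereas this version reports an unknown `ami` as a finding so that it cannot pass the check silently. The `AMI_ID_RE` pattern and the `check_plan` function name are assumptions for this example.

```python
"""Approved-AMI check in plain Python, mirroring the approved_ami.rego rule.

Added example: not part of the gist and not Regula's own code. It reads a
`terraform show -json` plan (constructed sample below) and returns one
finding per aws_instance that fails the approved-AMI policy.
"""
import json
import re

# Same approved set as the Rego rule: Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
APPROVED_AMIS = {
    "ami-09e67e426f25ce0d7",  # us-east-1
    "ami-03d5c68bab01f3496",  # us-west-2
}

# Assumed loose syntactic check for an AMI ID: "ami-" plus 8 or 17 hex characters.
AMI_ID_RE = re.compile(r"^ami-[0-9a-f]{8}([0-9a-f]{9})?$")

# Constructed sample plan, shaped like the `resource_changes` part of `terraform show -json`.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "resource_changes": [
        {"address": "aws_instance.good", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"ami": "ami-09e67e426f25ce0d7", "instance_type": "t2.micro"}}},
        {"address": "aws_instance.bad", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"ami": "ami-totallylegitamiid", "instance_type": "t2.micro"}}},
        # ami comes from a data source, so it is unknown until apply
        {"address": "aws_instance.computed", "type": "aws_instance",
         "change": {"actions": ["create"],
                    "after": {"instance_type": "t2.micro"},
                    "after_unknown": {"ami": True}}},
        # not an EC2 instance: the rule ignores it, like resource_type in Rego
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"], "after": {"bucket": "logs"}}},
    ],
})


def check_plan(plan_json, approved=APPROVED_AMIS):
    """Return a list of findings, each {"address", "ami", "msg"}, in plan order."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_instance":
            continue  # resource_type filter, as in the Rego rule
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # nothing will exist after apply, so no AMI to approve
        after = change.get("after") or {}
        ami = after.get("ami")
        if ami is None:
            # Not known at plan time. The Rego rule stays silent here, because
            # sprintf over an undefined input.ami makes the deny body undefined;
            # this version reports it instead so it cannot pass unnoticed.
            findings.append({"address": rc["address"], "ami": None,
                             "msg": "ami is unknown at plan time; approval cannot be verified"})
        elif ami not in approved:
            reason = "is not an approved AMI ID"
            if not AMI_ID_RE.match(ami):
                reason += " (and is not even a well-formed AMI ID)"
            findings.append({"address": rc["address"], "ami": ami,
                             "msg": f"{ami} {reason}"})
    return findings


if __name__ == "__main__":
    for f in check_plan(SAMPLE_PLAN):
        print(f"{f['address']}: {f['msg']}")
```

Run it as `python3 approved_ami_check.py` (file name assumed) against the embedded sample; to use a real plan, replace `SAMPLE_PLAN` with the contents of `terraform show -json tfplan`. The membership test is an exact string comparison on the full AMI ID, the same semantics as the Rego set lookup, so a region mismatch (an approved us-west-2 AMI used in us-east-1) is not detected by either version; that check would need the region as additional input.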