Using Regula and OPA to check AWS AMI IDs in Terraform (blog post) -- Rego custom rule and Terraform file
# Terraform fixture for exercising the approved_ami.rego custom rule: the
# "good" instance uses an allowlisted AMI and should pass, the "bad" instance
# uses a bogus AMI ID and should be denied.
# See our blog post for details: https://blog.fugue.co
# Provider configuration for the fixture. No provider version is constrained
# here (there is no terraform { required_providers { ... } } block in this
# file); that is acceptable for a rule test, but production configurations
# should pin the aws provider version so plans are reproducible.
provider "aws" {
  region = "us-east-1"
}
# Instance expected to PASS the approved_ami rule: its AMI is the us-east-1
# Ubuntu 20.04 entry in the rule's approved_amis allowlist.
resource "aws_instance" "good" {
  instance_type = "t2.micro"
  ami           = "ami-09e67e426f25ce0d7"
}
# Instance expected to be DENIED by the approved_ami rule. The AMI value is
# deliberately not in the allowlist (and is not even a well-formed AMI ID,
# which are "ami-" followed by hex digits), so it only exists to trigger the
# deny message; applying this configuration would fail at the AWS API.
resource "aws_instance" "bad" {
  instance_type = "t2.micro"
  ami           = "ami-totallylegitamiid"
}
# A Rego custom rule for Regula that denies AWS EC2 instances whose AMI ID is
# not in the approved allowlist defined below.
# See our blog post for details: https://blog.fugue.co
package rules.approved_ami

# Rule metadata consumed by Regula when it reports findings: "id", "title"
# and "description" label the finding, "custom.controls" maps it onto the
# CORPORATE-POLICY control family, and "custom.severity" sets its ranking.
# Keep "id" unique across custom rules so results are not merged.
__rego__metadoc__ := {
  "id": "CUSTOM_0002",
  "title": "AWS EC2 instances must use approved AMIs",
  "description": "Per company policy, EC2 instances may only use AMI IDs from a pre-approved list",
  "custom": {
    "controls": {
      "CORPORATE-POLICY": [
        "CORPORATE-POLICY_1.2"
      ]
    },
    "severity": "High"
  }
}
# Regula evaluates this rule once per aws_instance resource, with `input`
# bound to that resource's attributes (the deny rule below reads input.ami).
# Only aws_instance is covered: launch templates, launch configurations and
# other resources that also select an AMI are outside this rule's scope.
resource_type = "aws_instance"
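# Allowlist of AMI IDs that instances may launch from. This set is the trust
# anchor for the rule: anything not listed is denied, so keep it under change
# control and refresh it whenever an approved image is rebuilt.
#
# AMI IDs are region-scoped, so each ID is only valid in the region it was
# registered in. The list mixes regions and the rule cannot tell which region
# the instance lands in (the provider region is not part of `input`), so it
# would accept the us-west-2 ID on a us-east-1 instance; that mismatch would
# only surface at apply time, not from this rule.
approved_amis := {
    # Ubuntu Server 20.04 LTS (HVM), SSD Volume Type
    "ami-09e67e426f25ce0d7", # us-east-1
    "ami-03d5c68bab01f3496"  # us-west-2
}

# Deny an instance whose `ami` attribute is present but not in the allowlist.
deny[msg] {
    ami := input.ami
    not approved_amis[ami]
    msg := sprintf("%s is not an approved AMI ID", [ami])
}

# Fail closed when `ami` is absent from the resource. With only the body
# above, an undefined input.ami makes `not approved_amis[input.ami]` succeed
# but leaves the sprintf argument undefined, so no message was produced and
# the instance silently passed. An absent `ami` most likely means the value is
# not known at plan time (e.g. taken from a data source) -- TODO confirm how
# the Regula version in use represents unknown values -- and such an instance
# cannot be verified against the allowlist, so it is reported rather than
# ignored.
deny[msg] {
    not input.ami
    msg := "AMI ID is missing or not known at plan time, so it cannot be checked against the approved list"
}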