OPA Policy

Tools installed

• conftest
• fregot
• terraform
• Open Policy Agent (opa) cli

Things we are testing for

Name	Description	Severity
API gateway integration URI	Checks if the URI is in the correct format if the API gateway integration has a type of: AWS, AWS_PROXY, HTTP, or HTTP_PROXY	DENY
Cloudwatch log metric pattern	Checks if the Cloudwatch log metric pattern is valid	WARN
Container name spaces	Checks if ECS container definitions have a name with spaces in it	DENY
Container definition trailing commas	Checks if ECS container definitions have trailing commas in it	DENY
Invalid effect	IAM Policy Effect is only Approve or Deny	DENY
Lambda VPC ENI permission	A lambda attached to a VPC is missing the permissions to mange an ENI	DENY
Postgres DB password	Postgres DB password is: greater than 8 characters only has valid characters is not on the reserved list	DENY
Postgres DB username	Postgres DB username is: greater than 16 characters only has valid characters is not on the reserved list	DENY
Postgres DB name	Postgres DB name is: is not on the reserved list	DENY
Security group invalid ports	Deny if protocol is set to -1 but the port range is not set to 0	DENY
Tagging	All resources that allow tags have a CostCentre and Terraform tag	WARN
Unscoped IAM Service Roles	All IAM policies that have a service user as the Principal should have a condition limiting access to the account. (sts:AssumeRole actions are excepted)	WARN
Unsupported Lambda runtime	Checks if the lambda runtime is unsupported	DENY
WAF duplicate priorities	Checks if the WAF rule has duplicate priorities	DENY

How to run tests

Run the following command to run opa tests:

  make test

Run the following command to generate tf.plan to run against the test environment:

  make generate-plan

Run the following command to run conftest against an example tf.plan:

  make test-plan