This repository contains Appvia company policies that have been codified into Kyverno and Checkov policies.
A working example will be made available in the tf-aws-rds-postgres Terraform Module.
These policies exist within the infra/ directory, with sub-directories created for grouped policies which may be applied independently depending on the particular use case. For now we have a generic policy package defined which should be applied against all resources created within this Organisation.
Checkov has a collection of built-in Terraform resource scan checks, which can be referenced directly in our policy config and used for resource scanning. To include an official policy in our policy package, the ID of that policy simply needs to be referenced in the config YAML.
Custom policies that are not available among the built-in Checkov policies can be created locally within this repository by following the steps below:
- Create a directory within the relevant policy package for your new custom policy, e.g. "./infra/generic/example-rds-encrypted-storage"
- Create a "policy.yaml" defining the metadata (name, id, category) and the policy definition itself. Checkov official documentation provides a breakdown of what is contained in this policy file.
- Create test Terraform files in the same directory with the naming convention pass[numeric-id].tf and fail[numeric-id].tf; these are used to validate your policy.
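The three steps above, as an added example that is not part of this repository: a shell function that scaffolds the custom policy directory (policy.yaml in Checkov's YAML custom-policy format, plus one pass and one fail Terraform fixture), and a helper that reads the policy id back without needing yq. The policy id, the attribute being checked and the fixture contents are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example (not repository code): scaffold a custom Checkov policy in the
# layout this README describes. Values below are assumed for illustration.
set -eu

# Writes policy.yaml, pass0.tf and fail0.tf into $1 (defaults to the directory
# used in the README's manual-test snippet).
scaffold_policy() {
  policy_dir="${1:-infra/generic/example-rds-encrypted-storage}"
  mkdir -p "${policy_dir}"

  # Checkov YAML custom policy: metadata plus a single attribute condition.
  # The check passes only when aws_db_instance.storage_encrypted equals true.
  # CKV2_CUSTOM_1 is an assumed id; it must be unique within the package.
  cat > "${policy_dir}/policy.yaml" <<'EOF'
metadata:
  name: "Ensure RDS instances have encrypted storage"
  id: "CKV2_CUSTOM_1"
  category: "ENCRYPTION"
definition:
  cond_type: "attribute"
  resource_types:
    - "aws_db_instance"
  attribute: "storage_encrypted"
  operator: "equals"
  value: "true"
EOF

  # Constructed fixture expected to PASS the check.
  cat > "${policy_dir}/pass0.tf" <<'EOF'
resource "aws_db_instance" "pass" {
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  storage_encrypted = true
}
EOF

  # Constructed fixture expected to FAIL the check (encryption disabled).
  cat > "${policy_dir}/fail0.tf" <<'EOF'
resource "aws_db_instance" "fail" {
  engine            = "postgres"
  instance_class    = "db.t3.micro"
  allocated_storage = 20
  storage_encrypted = false
}
EOF
}

# Prints the metadata.id from $1/policy.yaml (plain sed, no yq required).
policy_id_of() {
  sed -n 's/^[[:space:]]*id:[[:space:]]*"\([^"]*\)".*/\1/p' "$1/policy.yaml" | head -n 1
}
```

After scaffolding, the manual-test snippet later in this README runs checkov against each fixture with `--external-checks-dir` pointing at the directory and `--check` set to the id printed by policy_id_of; pass0.tf should report PASSED and fail0.tf FAILED.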
You can manually test this policy by running the following:
```bash
# Run all custom tests
./infra/generate-bats-tests.sh
bats infra-tests.bats

# Run custom test files individually against your new policy
policy_testfile="pass0.tf"
policy_dir="infra/generic/example-rds-encrypted-storage"
policy_id=$(yq eval '.metadata.id' "${policy_dir}/policy.yaml")
checkov --framework terraform -f "${policy_dir}/${policy_testfile}" --external-checks-dir "${policy_dir}" --check "${policy_id}"
```
See the What is Policy As [versioned] Code? blog post for more information.