devops-policies-mondoo


🛡️ OPA policies for validating Mondoo Terraform provider configurations


📋 Overview

These OPA (Open Policy Agent) policies validate Terraform configurations that use the Mondoo Terraform Provider. They enforce security best practices and governance standards, and catch common misconfigurations (missing scope, hardcoded credentials, unmarked sensitive outputs) before a plan is applied.

✨ Features

| Category | Checks | Description |
|---|---|---|
| 🔧 Provider Config | 4 | Region specification, credential security |
| 🏢 Spaces | 3 | Naming conventions, org association |
| 🔑 Service Accounts | 6 | Role restrictions, scope requirements |
| 📜 Custom Policies | 4 | Source validation, overwrite warnings |
| 📋 Policy Assignment | 4 | MRN validation, assignment requirements |
| ☸️ Kubernetes | 5 | Scan configuration, security recommendations |
| 🐙 GitHub/GitLab | 4 | Token security, hardcoded credential detection |
| 🖥️ Host/Domain | 5 | SSH key security, password handling |
| 🔒 Sensitive Data | 3 | Output/variable sensitivity marking |

📁 Files

.
├── mondoo-terraform-policies.rego       # Main policy file
├── mondoo-terraform-policies_test.rego  # Unit tests
└── README.md

🚀 Quick Start

Prerequisites

# Install OPA CLI
brew install opa          # macOS
choco install opa         # Windows
# Linux: download the static binary and put it on PATH
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static && chmod +x opa

Installation

# Clone the policies
git clone https://github.com/GurdipSCode/devops-policies-mondoo.git
cd devops-policies-mondoo

# Verify policies with tests
opa test . -v

Usage

Convert Terraform to JSON

# Produce a plan and convert it to JSON for OPA. Note that `terraform show -json`
# with no plan file dumps the current state, which is empty in a fresh checkout.
terraform init -input=false
terraform plan -out=tfplan.binary -input=false
terraform show -json tfplan.binary > tfplan.json

# Or inspect the HCL without planning (no provider credentials needed)
terraform-config-inspect --json . > tfconfig.json

The two commands produce different JSON shapes. Plan JSON carries resource attributes under configuration (expressions, distinguishing literals from variable references) and planned_values; terraform-config-inspect lists resource types and names, variables, outputs and required providers, but not attribute values, so attribute-level rules cannot be evaluated against it. A policy is written against one of the two shapes, so check which one mondoo-terraform-policies.rego expects. Running terraform plan configures the provider, so it typically needs the same credentials as an apply (the MONDOO_CONFIG_BASE64 environment variable).

Evaluate Policies

# Check for violations (deny rules)
opa eval --input tfplan.json \
  --data mondoo-terraform-policies.rego \
  "data.mondoo.deny"

# Check for warnings
opa eval --input tfplan.json \
  --data mondoo-terraform-policies.rego \
  "data.mondoo.warn"

# Get full summary
opa eval --input tfplan.json \
  --data mondoo-terraform-policies.rego \
  "data.mondoo.summary"

Using Conftest

# Install conftest
brew install conftest

# Run policies. Conftest only looks for deny/warn rules in package "main" by
# default, so point it at the package these policies use.
conftest test tfplan.json -p mondoo-terraform-policies.rego --namespace mondoo

📖 Policy Reference

Provider Configuration

| Rule | Severity | Description |
|---|---|---|
| Region required | 🔴 Deny | Must specify region ("us" or "eu") |
| Valid region | 🔴 Deny | Region must be "us" or "eu" |
| No hardcoded credentials | 🔴 Deny | Use the MONDOO_CONFIG_BASE64 env var instead of credentials in the provider block |
| Version constraint | 🟡 Warn | Should specify a provider version constraint |

Space Management

| Rule | Severity | Description |
|---|---|---|
| Name required | 🔴 Deny | Spaces must have a name |
| Name format | 🔴 Deny | Lowercase alphanumeric, 3-63 chars |
| Organization | 🟡 Warn | Should be associated with org_id |

Service Accounts

| Rule | Severity | Description |
|---|---|---|
| Scope required | 🔴 Deny | Must have space_id or org_id |
| Name required | 🔴 Deny | Must have a name |
| Roles required | 🔴 Deny | Must have explicit roles |
| Non-empty roles | 🔴 Deny | At least one role required |
| Admin/Owner role | 🟡 Warn | Consider least privilege |
| Description | 🟡 Warn | Should have a description |

Custom Resources

| Rule | Severity | Description |
|---|---|---|
| Space required | 🔴 Deny | Custom policies/frameworks/querypacks need space_id |
| Source required | 🔴 Deny | Must specify a source file |
| YAML extension | 🟡 Warn | Source should be .yaml/.yml |
| Overwrite flag | 🟡 Warn | Warns when overwrite=true |

Integrations (Kubernetes, GitHub, GitLab, Host)

| Rule | Severity | Description |
|---|---|---|
| Space required | 🔴 Deny | All integrations need space_id |
| Hardcoded tokens | 🔴 Deny | No hardcoded PATs (ghp_, glpat-, etc.) |
| Hardcoded SSH keys | 🔴 Deny | No inline private keys |
| Hardcoded passwords | 🔴 Deny | Use variables for credentials |
| Scan recommendations | 🟡 Warn | Enable node/workload/image scanning |

🔧 Configuration Examples

✅ Compliant Configuration

terraform {
  required_providers {
    mondoo = {
      source  = "mondoohq/mondoo"
      version = ">= 0.10.0"
    }
  }
}

provider "mondoo" {
  region = "us"  # Explicit region
}

resource "mondoo_space" "production" {
  name   = "production-security"  # Valid naming
  org_id = var.mondoo_org_id      # Associated with org
}

resource "mondoo_service_account" "scanner" {
  name        = "ci-scanner"
  description = "Service account for CI/CD scanning"
  space_id    = mondoo_space.production.id
  roles       = ["viewer"]  # Least privilege
}

resource "mondoo_integration_kubernetes" "cluster" {
  name     = "production-cluster"
  space_id = mondoo_space.production.id  # Reference, not hardcoded

  scan_configuration {
    node_scan            = true
    workload_scan        = true
    container_image_scan = true
    admission_controller = true
  }
}

resource "mondoo_integration_github" "org" {
  name     = "github-org-scanner"
  space_id = mondoo_space.production.id

  credentials {
    token = var.github_token  # Variable reference
  }
}

output "scanner_token" {
  value     = mondoo_service_account.scanner.token
  sensitive = true  # Marked sensitive
}

❌ Non-Compliant Configuration

provider "mondoo" {
  # Missing region - DENIED
}

resource "mondoo_space" "bad" {
  # Missing name - DENIED
  # Missing org_id - WARNED
}

resource "mondoo_service_account" "bad" {
  name  = "admin-sa"
  # Missing space_id/org_id - DENIED
  roles = ["admin"]  # WARNED - overly permissive, prefer a least-privilege role
}

resource "mondoo_integration_github" "bad" {
  name     = "scanner"
  space_id = "hardcoded-space-id"  # WARNED - should use reference

  credentials {
    token = "ghp_xxxxxxxxxxxx"  # DENIED - hardcoded token
  }
}

output "token" {
  value = mondoo_service_account.bad.token
  # Missing sensitive = true - DENIED
}

🔗 CI/CD Integration

GitHub Actions

name: Validate Mondoo Terraform

on: [pull_request]

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup OPA
        uses: open-policy-agent/setup-opa@v2

      - name: Setup Terraform
        uses: hashicorp/setup-terraform@v3
        with:
          terraform_wrapper: false  # the wrapper interferes with redirecting stdout to a file

      - name: Terraform Init
        run: terraform init -input=false

      - name: Plan and convert to JSON
        env:
          MONDOO_CONFIG_BASE64: ${{ secrets.MONDOO_CONFIG_BASE64 }}  # provider credentials from a repo secret
        run: |
          terraform plan -out=tfplan.binary -input=false
          terraform show -json tfplan.binary > tfplan.json

      - name: Run OPA Policies
        run: |
          opa eval --input tfplan.json \
            --data mondoo-terraform-policies.rego \
            --fail-defined \
            "data.mondoo.deny[x]"

GitLab CI

The stock openpolicyagent/opa image is distroless (no shell and no terraform), so this job runs in the Terraform image and fetches a static OPA binary instead. MONDOO_CONFIG_BASE64 should be a masked CI/CD variable.

validate-mondoo:
  image:
    name: hashicorp/terraform:latest
    entrypoint: [""]
  script:
    - wget -qO /usr/local/bin/opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static && chmod +x /usr/local/bin/opa
    - terraform init -input=false
    - terraform plan -out=tfplan.binary -input=false
    - terraform show -json tfplan.binary > tfplan.json
    - opa eval --input tfplan.json --data mondoo-terraform-policies.rego --fail-defined "data.mondoo.deny[x]"

🧪 Running Tests

# Run all tests
opa test . -v

# Run specific tests
opa test . -v --run "test_deny_provider"

# Coverage report
opa test . --coverage --format=json | jq '.coverage'
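The following is a worked example of what a rule from the Policy Reference looks like in Rego, together with the test_ rules that opa test picks up. It is an added illustration written for this page, not the contents of mondoo-terraform-policies.rego or mondoo-terraform-policies_test.rego: it implements four of the rules listed above against the JSON that terraform show -json tfplan.binary emits (the Compliant and Non-Compliant configurations above are the inputs being modelled). The package name mondoo, the token prefix set, and the two plan excerpts in the tests are assumptions constructed here.

```rego
# Added example for this page, not the repository's policy file. It implements
# four of the rules from the Policy Reference against the JSON that
# `terraform show -json tfplan.binary` emits, and ends with the test_ rules that
# `opa test` runs. Keep it in its own directory: `resources` below would merge
# with any rule of that name in package mondoo.
package mondoo

import rego.v1

# Read the configuration section rather than planned_values: only there does a
# literal ("constant_value") stay distinguishable from a variable reference.
resources := input.configuration.root_module.resources

valid_regions := {"us", "eu"}

# Assumed PAT prefixes; the page lists "ghp_, glpat-, etc.", so extend as needed.
token_prefixes := {"ghp_", "github_pat_", "glpat-"}

# Provider block: region must be present and valid. A region passed by reference
# (var.region) has no constant_value and is not checked here.
deny contains msg if {
	cfg := input.configuration.provider_config.mondoo
	not cfg.expressions.region
	msg := "provider mondoo: region must be set (\"us\" or \"eu\")"
}

deny contains msg if {
	region := input.configuration.provider_config.mondoo.expressions.region.constant_value
	not valid_regions[region]
	msg := sprintf("provider mondoo: region %q is not \"us\" or \"eu\"", [region])
}

warn contains msg if {
	not input.configuration.provider_config.mondoo.version_constraint
	msg := "provider mondoo: no version constraint in required_providers"
}

# Integrations: credentials.token written as a literal with a known PAT prefix.
deny contains msg if {
	some r in resources
	startswith(r.type, "mondoo_integration_")
	some cred in r.expressions.credentials
	some prefix in token_prefixes
	startswith(cred.token.constant_value, prefix)
	msg := sprintf("%s: credentials.token is a hardcoded %s* token; pass it through a variable", [r.address, prefix])
}

# Outputs that expose a mondoo_service_account attribute must be sensitive.
deny contains msg if {
	some name, out in input.configuration.root_module.outputs
	some ref in out.expression.references
	startswith(ref, "mondoo_service_account.")
	not out.sensitive
	msg := sprintf("output %q exposes a service account attribute but is not marked sensitive", [name])
}

# ---- unit tests: opa test runs every rule whose name starts with test_ -----
# Constructed plan-JSON excerpts mirroring the Compliant / Non-Compliant
# configurations on this page; not real Terraform output.
good_plan := {"configuration": {
	"provider_config": {"mondoo": {"version_constraint": ">= 0.10.0", "expressions": {"region": {"constant_value": "us"}}}},
	"root_module": {
		"outputs": {"scanner_token": {"sensitive": true, "expression": {"references": ["mondoo_service_account.scanner.token", "mondoo_service_account.scanner"]}}},
		"resources": [{"address": "mondoo_integration_github.org", "type": "mondoo_integration_github", "expressions": {"credentials": [{"token": {"references": ["var.github_token"]}}]}}]
	}
}}

bad_plan := {"configuration": {
	"provider_config": {"mondoo": {"expressions": {}}},
	"root_module": {
		"outputs": {"token": {"expression": {"references": ["mondoo_service_account.bad.token", "mondoo_service_account.bad"]}}},
		"resources": [{"address": "mondoo_integration_github.bad", "type": "mondoo_integration_github", "expressions": {"credentials": [{"token": {"constant_value": "ghp_xxxxxxxxxxxx"}}]}}]
	}
}}

test_good_plan_passes if {
	count(deny) == 0 with input as good_plan
	count(warn) == 0 with input as good_plan
}

test_bad_plan_is_denied if {
	# missing region, hardcoded token, non-sensitive output
	count(deny) == 3 with input as bad_plan
	# missing version constraint
	count(warn) == 1 with input as bad_plan
}
```

Save it in a directory of its own and run opa test -v . there; to evaluate it against a real plan, pass the file with --data exactly as in the Evaluate Policies section. The rules deliberately read configuration rather than planned_values: once planned, a secret typed into the file and a secret supplied through var.github_token look identical, and only the configuration expressions keep the constant_value / references distinction that a hardcoded-credential check depends on.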

🤝 Contributing

  1. Fork the repository
  2. Add/modify policies in .rego files
  3. Add corresponding tests in _test.rego
  4. Run opa test . -v to verify
  5. Submit a Pull Request

📄 License

Apache License 2.0


Built for Mondoo Terraform governance
