opa-policies
v1.0.1
Published
Rego policies for use with Open Policy Agent (OPA) and Regula.
opa-policies
Rego policies for use with Open Policy Agent (OPA) / Regula.
Using these policies
Sparse-clone into your project folder locally
cd into your project folder and issue:
git clone --depth 1 --filter=blob:none --sparse https://github.com/jupiterone/opa-policies && \
cd opa-policies && \
git sparse-checkout set policy-terraform
The git clone command ensures that minimal commit history and blob data are downloaded, and the sparse-checkout command ensures that only the files in the policy-terraform directory are checked out and present locally.
Install via NPM
These policies are also distributed as a private NPM module: npm install @jupiterone/opa-policies
Running Regula locally
To test our custom Regula policies against your local project, you'll first need to install regula or use their Docker image.
Next, perform a manual plan with jupiterone-manual-deploy -a plan -t jupiterone-dev. This will create a work/terraform dir with your built TF HCL files, as well as a full JSON-format plan at work/tfplan.json. Both of these inputs can be scanned with Regula, though the full plan is definitive. From the root of your project, issue:
regula run --no-built-ins --include opa-policies work
Regula runs against most structured inputs and will recurse through directories, applying appropriate rulesets to them. The --no-built-ins flag disables Regula's default policy set, which tests for CIS benchmarks.
Developing Regula policy rules
Each unique policy bundle that needs to be capable of being evaluated alone at any one time should be in a top-level directory of this project, prefixed with policy-. To be evaluated with Regula, each policy must be uniquely namespaced in the rules package, e.g. package rules.<identifier>.
Policy bundles should have Rego unit tests that pass via regula test.
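As an added example (not code from the jupiterone/opa-policies repository), this is the shape of a simple Regula rule and its unit tests under the naming scheme above: the rule lives in the rules package, checks one Terraform resource type, and the tests sit beside it so regula test picks them up. The identifier s3_bucket_owner_tag, the required Owner tag, the file paths and the metadata values are assumptions; the __rego__metadoc__ object follows Regula's documented convention for rule metadata.

```rego
# file: policy-terraform/s3_bucket_owner_tag.rego (assumed path)
package rules.s3_bucket_owner_tag

# Metadata Regula attaches to findings for this rule (values are assumed).
__rego__metadoc__ := {
  "id": "CUSTOM_S3_001",
  "title": "S3 buckets must carry a non-empty Owner tag",
  "description": "Untagged buckets cannot be traced to an owner for review or cleanup.",
  "custom": {"severity": "Medium"},
}

# Simple-rule form: Regula evaluates `allow` once per resource of this type,
# with `input` bound to that single resource's attributes.
resource_type := "aws_s3_bucket"

default allow = false

# Pass only when an Owner tag exists and is not just whitespace.
allow {
  owner := input.tags.Owner
  count(trim_space(owner)) > 0
}

# file: policy-terraform/s3_bucket_owner_tag_test.rego (assumed path)
package rules.s3_bucket_owner_tag

# Constructed resource fixtures stand in for Terraform plan data.
test_allow_with_owner_tag {
  allow with input as {"tags": {"Owner": "platform-team"}}
}

test_deny_when_owner_tag_missing {
  not allow with input as {"tags": {"Environment": "dev"}}
}

test_deny_when_owner_tag_blank {
  not allow with input as {"tags": {"Owner": "   "}}
}
```

Running regula test policy-terraform from the project root executes the three tests; regula run --no-built-ins --include policy-terraform work then reports each aws_s3_bucket in the plan that fails the rule.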