IAC Policies
An IAC (Infrastructure as Code) policy is a set of rules that govern the configuration and provisioning of infrastructure through code. With StackGuardian, you can implement custom logic within these policies to ensure your infrastructure aligns with organizational standards and best practices.
For instance, an IAC policy might enforce security standards by restricting access levels or ensuring all deployed resources are tagged correctly.
Motivation
StackGuardian's custom runtime feature is motivated by the following advantages:
- Flexibility: Beyond Terraform, users can integrate other IAC tools to meet project-specific requirements.
- Efficiency: Reusing existing IAC toolsets lowers the learning curve and improves productivity.
- Optimization: IAC policies let users get more out of their infrastructure code, for example by incorporating Ansible for its automation capabilities.
Create IAC Policy Template
Creating an Infrastructure as Code (IAC) policy in StackGuardian is a straightforward process. This guide will walk you through setting up a policy to ensure that the IAM root user does not have access keys.
To begin, navigate to the StackGuardian Marketplace and select the option to create an IAC policy template.
Template Details
- Template Type: The kind of template you are creating, in this case an IAC policy template. For example IAC_POLICY
- Template Name: A unique name for your template within the organization. For example No_Root_Access_Key_Policy
- Owner Org: The organization within StackGuardian that will own and manage this template. For example demo-org
Template Description
- Short Description: A brief explanation of what the template does or is used for. For example: Ensures the AWS root account has no access keys.
Tags and Documentation
- Add Tag: Tags for categorizing and searching templates within the marketplace. For example aws, root, noaccesskeys
- Documentation: Provide any additional information or instructions in markdown format.
Configuration Settings
- Source Config Kind: The policy framework or tool used to write the policy. For example Open Policy Agent (OPA)
- Source Config Dest Kind: Where the policy source is hosted, such as GitHub, GitLab, Bitbucket and so on. For example GITHUB.COM
- Repository URL: The URL of the repository that stores the IAC policy configuration. For example https://github.com/your-org-name/template-aws-root-access-policy
- Reference: The branch or tag in the repository that should be used. For example main
- Working Dir: The directory within the repository where the policy configuration is located. For example policy/app1/aws/ec2
- Git Sparse Checkout Config: Paths to include or exclude when checking out the repository, using rules similar to .gitignore.
- Enable git core.autocrlf: If checked, Git automatically converts line endings so that checkouts are consistent across operating systems.
- Authentication Method: If the repository is private, the authentication method to use when cloning it.
- OPA Deciding Query: The OPA rule whose boolean result decides the final policy outcome, written as <opa-package-path>.<rule-name-returning-boolean>, that is, the package path followed by the name of a rule that returns true or false.
- Template Inputs: Define the inputs for your policy in JSON format. The example below is an IAM policy statement that denies access key creation for the IAM root user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "iam:CreateAccessKey",
      "Resource": "arn:aws:iam::*:user/root",
      "Condition": {"Bool": {"aws:ViaAWSService": "false"}}
    }
  ]
}
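The page describes the OPA Deciding Query only by its shape (package path plus a boolean rule). The following Rego file is an added example, written for this page and not taken from StackGuardian's documentation or product, of what the repository behind the No_Root_Access_Key_Policy template could contain. Everything about the input is an assumption: it treats `input` as a Terraform plan in `terraform show -json` form and looks for optional template inputs under `input.template_inputs`; the package name `stackguardian.aws.iam` is likewise chosen here. With this file, the OPA Deciding Query field would read `stackguardian.aws.iam.allow`.

```rego
# Added example, not StackGuardian code. Assumptions: `input` is a Terraform
# plan in `terraform show -json` form, and template inputs (if the platform
# forwards them) appear under `input.template_inputs`. Neither is verified
# against the product.
package stackguardian.aws.iam

import rego.v1

# "root" is always protected; further user names may come from template
# inputs (assumed location). The comprehension is empty, not undefined,
# when that field is absent, so the union still evaluates.
protected_users := {"root"} | extra_users

extra_users := {u | some u in input.template_inputs.protected_users}

# One message per planned access key for a protected user. Only create and
# update are considered; deleting such a key is exactly what we want.
violations contains msg if {
    some rc in input.resource_changes
    rc.type == "aws_iam_access_key"
    some action in rc.change.actions
    action in {"create", "update"}
    user := rc.change.after.user
    user in protected_users
    msg := sprintf("%s creates an access key for protected user %q", [rc.address, user])
}

# Boolean rule named in the OPA Deciding Query: stackguardian.aws.iam.allow
# An undefined result reads as a failure to most callers, so set a default.
default allow := false

allow if count(violations) == 0

# Constructed plan fragment for a local run (save as plan.json):
# {"resource_changes": [{"address": "aws_iam_access_key.bootstrap",
#   "type": "aws_iam_access_key",
#   "change": {"actions": ["create"], "after": {"user": "root"}}}]}
```

Run it locally with `terraform show -json tfplan > plan.json` followed by `opa eval -i plan.json -d policy.rego 'data.stackguardian.aws.iam.allow'`; `opa eval ... 'data.stackguardian.aws.iam.violations'` lists the offending addresses. Two caveats before relying on the page's example: the AWS account root identity is `arn:aws:iam::<account-id>:root` and cannot carry IAM policies, so a Deny on `arn:aws:iam::*:user/root` only reaches an IAM user literally named root; and `aws_iam_access_key` takes an IAM user name, so the rule above earns its keep through the extra names you pass in `protected_users` (break-glass or service users), while keys on the account root itself are removed under root credentials in the console or CLI.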
View the Template and Create Revision
After creating your IAC policy template in StackGuardian, you can manage and review it through a user-friendly interface with multiple tabs. Each tab provides different information and functionalities:
Fig: View and Create Revision
- Meta: Displays an overview of the template's details, such as name, owner organization, and a short description.
- Documentation: Contains a detailed guide and references for using the template effectively.
- No Code: Offers a JSON Schema form that allows you to provide inputs without writing code.
- Code: Allows direct code input for configuring and modifying the template.
- Analysis: Provides a review of the IAC setup, detailing the resources, modules, and outputs used.
- Usage: Shows how the template has been used in workflows, serving as a quick reference for similar applications.
To create a new revision of your template, select the "Create New Revision" button located at the top of the interface.
Depending on your governance needs, templates can be deleted, deprecated, or unpublished.
Configure Access to IAC Templates
Proper access management is key to collaborative and secure use of IAC templates. StackGuardian offers various options to control how your templates are accessed:
Share Template
- Share Template: This feature allows you to share your template with other StackGuardian users or teams, promoting collaborative development on infrastructure projects.
Subscribe
- Subscribe: By subscribing to a template, you can integrate it into your workflows and receive updates, ensuring you stay aligned with the latest infrastructure standards.
Public Access and Publishing
- Make Public + Publish: To make a template visible outside your own organization, make the template public (Make Public) and then publish one or more of its revisions (Publish).
Deprecation
- Deprecate: This option allows you to mark a template as outdated, which helps direct users toward newer and more current templates, without the need to delete the old ones.