Update security docs #1511
Conversation
1. Bake providers into the Atlantis image or host and deny egress in production. | ||
1. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry. |
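Review bot: "deny egress in production" in item 1 and "deny public egress" in item 2 are not quite the same recommendation; the text should say which one is meant. Atlantis still has to reach the VCS host (and Terraform the cloud APIs), so a blanket "deny egress" reads as unachievable, whereas "deny egress to public provider registries" is what the two options actually need. Suggest using the same wording in both items, e.g. "deny egress to public registries in production".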
@nishkrishnan please help with this section
It's worth noting that external data source would likely not be available for use if you don't add it to your internal provider registry. This is an assumption though.
Codecov Report
@@ Coverage Diff @@
## master #1511 +/- ##
==========================================
- Coverage 70.21% 70.08% -0.13%
==========================================
Files 94 94
Lines 6530 6485 -45
==========================================
- Hits 4585 4545 -40
+ Misses 1555 1554 -1
+ Partials 390 386 -4
Continue to review full report at Codecov.
runatlantis.io/docs/security.md (outdated)
1. Implement the provider registry protocol internally and deny public egress, that way you control who has write access to the registry. | ||
1. Modify your [server-side repo configuration](https://www.runatlantis.io/docs/server-side-repo-config.html)'s `plan` step to validate against the | ||
use of not allowed providers or data sources or PRs from not allowed users. You could also add in extra validation at this point, e.g. | ||
requiring a "thumbs-up" on the PR before allowing the `plan` to continue. |
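Review bot: the sentence "validate against the use of not allowed providers or data sources or PRs from not allowed users" names a goal but no mechanism, and the reader is left to guess whether this is a shell check over the HCL, a check over `terraform show -json` output, or a conftest policy. Suggest pointing at one concrete way of doing it (or at least the artefact to inspect, e.g. the plan JSON) and rewording "not allowed" to "disallowed" in both places.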
Is there an example of how to do this validation of providers / data sources somewhere?
I'm not sure exactly. I think a regex would probably work. @nishkrishnan conftest only works on the plan output so that wouldn't work right?
conftest works on any structured data but the way it's been written in Atlantis is to run explicitly on the plan output. Support could probably be added to run a pre-plan conftest validation step on the terraform hcl itself.
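One way to do the provider / data source validation asked about above, as an added example that is not part of the PR or of Atlantis: a small script a custom `plan` step could run over `terraform show -json tfplan` output. The allowlist and denylist values, the `check_plan.py` name and the sample plan are assumptions constructed for the example.

```python
"""Atlantis custom `plan` step check: reject disallowed providers, resource types and provisioners."""
import json
import sys

ALLOWED_PROVIDERS = {"registry.terraform.io/hashicorp/aws"}  # policy values are assumptions for this example
DENIED_RESOURCE_TYPES = {"null_resource"}
DENIED_PROVISIONERS = {"local-exec"}


def iter_provisioners(module, prefix=""):  # walks root module and every called module
    for res in module.get("resources", []):
        for prov in res.get("provisioners", []):
            yield prefix + res["address"], prov["type"]
    for name, call in module.get("module_calls", {}).items():
        yield from iter_provisioners(call.get("module", {}), f"{prefix}module.{name}.")


def validate_plan(plan):
    """Return human-readable violations for `terraform show -json` output; [] means it passes."""
    violations, config = [], plan.get("configuration", {})
    # Providers used by resources *and* data sources must be on the allowlist, so an unvetted
    # data source (one from a provider you never mirrored into your registry) fails here too.
    for key, cfg in config.get("provider_config", {}).items():
        source = cfg.get("full_name", cfg.get("name"))
        if source not in ALLOWED_PROVIDERS:
            violations.append(f"provider '{key}' ({source}) is not in the allowlist")
    for rc in plan.get("resource_changes", []):  # denied resource types may not be created
        if rc["type"] in DENIED_RESOURCE_TYPES and "create" in rc["change"]["actions"]:
            violations.append(f"{rc['address']}: resource type '{rc['type']}' is forbidden")
    for address, ptype in iter_provisioners(config.get("root_module", {})):
        if ptype in DENIED_PROVISIONERS:
            violations.append(f"{address}: provisioner '{ptype}' is not allowed")
    return violations


SAMPLE_PLAN = {  # constructed sample, not real terraform output; trips all three checks
    "configuration": {
        "provider_config": {
            "aws": {"name": "aws", "full_name": "registry.terraform.io/hashicorp/aws"},
            "null": {"name": "null", "full_name": "registry.terraform.io/hashicorp/null"}},
        "root_module": {
            "resources": [{"address": "null_resource.bootstrap", "provisioners": [{"type": "local-exec"}]}],
            "module_calls": {"vpc": {"module": {"resources": [
                {"address": "aws_instance.web", "provisioners": [{"type": "remote-exec"}]}]}}}}},
    "resource_changes": [
        {"address": "null_resource.bootstrap", "type": "null_resource", "change": {"actions": ["create"]}},
        {"address": "module.vpc.aws_instance.web", "type": "aws_instance", "change": {"actions": ["create"]}}]}

if __name__ == "__main__":  # python3 check_plan.py tfplan.json; a non-zero exit fails the Atlantis step
    problems = validate_plan(json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN)
    print("\n".join(problems) or "plan passes policy")
    sys.exit(1 if problems else 0)
```

In a server-side repo config the step would be `terraform plan -out tfplan`, then `terraform show -json tfplan > tfplan.json`, then this script; a non-zero exit stops the workflow before `apply`.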
Hello, we use these two policies to block any local-exec and null_resource:
local-exec.rego

```rego
package main

# List of disallowed provisioner types
denied_provisioners := ["local-exec"]

array_contains(arr, elem) {
  arr[_] = elem
}

# count(path)-2 selects the parent object in path, e.g. `module.test`;
# the else branch covers resources that live directly in the root module
module_name(path) = name {
  name := sprintf("module.%s", [path[count(path)-2]])
} else = root {
  root := "root-module"
}

# Walk the configuration looking in the root module and any called module
# for provisioners and check each one against the denied list.
deny[reason] {
  some path, value
  walk(input.configuration.root_module, [path, value])
  resource := value.resources[_]
  provisioner := resource.provisioners[_]
  array_contains(denied_provisioners, provisioner.type)
  module := module_name(path)
  reason := sprintf(
    "%s.%s: provisioner of type '%s' is not allowed",
    [module, resource.address, provisioner.type]
  )
}
```
null_resource.rego

```rego
package main

# Set of disallowed resource types
denied_resources := {"null_resource"}

# All resource changes whose type is in the denied set, keyed by type
resources[resource_type] = all {
  some resource_type
  denied_resources[resource_type]
  all := [ name | name := input.resource_changes[_]; name.type == resource_type ]
}

# Number of creations of resources of a given denied type
num_creates[resource_type] = num {
  some resource_type
  denied_resources[resource_type]
  all := resources[resource_type]
  creates := [ res | res := all[_]; res.change.actions[_] == "create" ]
  num := count(creates)
}

deny[msg] {
  num_resources := num_creates["null_resource"]
  num_resources > 0
  msg := "resource of type 'null_resource' is forbidden – just for example and testing purposes"
}
```
cd7dee5 to cc0bb8f
I don't want perfect to be the enemy of good here so I'm going to merge this and we can continue to iterate.
No description provided.