Image Credit: Pixabay on Pexels
Securing Terraform and You, Part 3
By Morgan Lucas
This is a post intended for this site, as a way to get a feel of using it consistently. Older posts are here.
I went back to tfsec after seeing the simple start guide posted here, by Liam Galvin at Ghost Security.
There are two aspects of my code:
Allow buckets starting with [word]
deny buckets that don't start with [word].
The initial guide only has "don't allow buckets that are exactly named this", but that's all I needed to actually get going!
Troubleshooting using Trivy and Terraform
The problems could have been;
The rego file and the terraform file don't play well in the same folder. Having the options in two separate subfolders helped even though there was a command that I used to read both files in the same folder.
Trivy ... I don't know. Maybe the metadata setup was incorrect - but if it's set up as comments -- readable by the program but not acknowledged in the rego -- who knows. I can work on that in the future.
The code was similar though not exact to examples and code I puzzled together initially. 100% it could be wrong (ChatGPT didn't know how to write it either. Is this too new and the ChatGPT learning model doesn't know it? [This was written in August 2023 and reposted here in August 2024; ChatGPT has more than likely gotten a new stack of online content to be trained off of; It might even include rego now!)
Remember - tfsec has been bought by Aqua Security, the people behind Trivy; This code could probably work if I put in the correct metadata tags and use the right command.
Q&A
You went back and forth between two programs (tfsec and Trivy) - Why did you stick with coding this solution in rego instead of another language that was compatible with the software?
Probably sunk cost fallacy and feeling that rego, even with its difficulty, was easier to read for me to read as code than Python is.