The goal: an introduction to policy management
-
Policy: a system of rules and principles to achieve rational outcomes.
-
Why do we need policies:
- A set of agreements/rules that should enforce the desired outcome
- Clouds are monstrously huge and keeping everything in your head is impossible; policies help you track your posture
- A policy encodes a decision, avoids repeating mistakes, and helps you comply with legal requirements
-
Try to keep policies as code:
- codify your rules
- get review and history for free
- easier to ensure compliance with the policies
-
(Almost) every cloud has built-in policy engines. (Almost) every tool/framework has its own policy engine. There are also open source solutions, for example Open Policy Agent, Checkov, Polaris and Kyverno, to name a few.
-
You can verify your configuration before release (as part of the CI/CD process or the Pull Request review process) or even at runtime.
-
For example, to scan the Terraform configuration in this repository with Checkov:

```bash
# Absolute path is required because docker mounts it as a volume
ABSOLUTE_PATH_TO_TF=/workspaces/cloud_computing_course/src/terraform
# Pinned image version; --quiet shows only failed checks, --compact hides the offending code blocks
docker run --volume "$ABSOLUTE_PATH_TO_TF":/tf bridgecrew/checkov:3.2.63 --quiet --compact --directory /tf
```
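To show what such a scanner does internally, here is an added example (not part of this repository and not Checkov's code) of a minimal policy-as-code gate: three codified rules are evaluated over constructed Terraform-plan-style resources, and the gate returns the exit code a CI step would use to block a release. Policy ids, rule thresholds and the sample resources are all assumptions made for this example.

```python
"""Minimal policy-as-code gate over Terraform-style resources (constructed example)."""
from dataclasses import dataclass

# Constructed sample input, shaped like resources in a Terraform JSON plan.
SAMPLE_RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs", "values": {"acl": "private"}},
    {"type": "aws_s3_bucket", "name": "public_site", "values": {"acl": "public-read"}},
    {"type": "aws_security_group", "name": "web", "values": {
        "ingress": [{"from_port": 443, "cidr_blocks": ["0.0.0.0/0"]},
                    {"from_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}},
    {"type": "aws_db_instance", "name": "main", "values": {"storage_encrypted": False}},
]


@dataclass(frozen=True)
class Finding:
    policy_id: str
    resource: str
    severity: str


# Each rule: (hypothetical policy id, severity, resource type, predicate that is True when compliant).
RULES = [
    ("POL-001", "HIGH", "aws_s3_bucket", lambda v: v.get("acl", "private") == "private"),
    ("POL-002", "CRITICAL", "aws_security_group",
     lambda v: not any(r.get("from_port") == 22 and "0.0.0.0/0" in r.get("cidr_blocks", [])
                       for r in v.get("ingress", []))),
    ("POL-003", "HIGH", "aws_db_instance", lambda v: v.get("storage_encrypted") is True),
]


def evaluate(resources, rules=RULES):
    """Run every rule against each resource of its type; return the violations found."""
    findings = []
    for pid, sev, rtype, compliant in rules:
        for res in resources:
            if res["type"] == rtype and not compliant(res["values"]):
                findings.append(Finding(pid, f'{res["type"]}.{res["name"]}', sev))
    return findings


def gate(findings, block_on=("HIGH", "CRITICAL")):
    """Exit code for a CI step: 1 blocks the release, 0 lets it through."""
    return 1 if any(f.severity in block_on for f in findings) else 0


if __name__ == "__main__":
    found = evaluate(SAMPLE_RESOURCES)
    for f in found:
        print(f"{f.policy_id} [{f.severity}] {f.resource}")
    raise SystemExit(gate(found))
```

Running it prints the three violations in the constructed sample and exits with code 1, which is exactly the signal a pipeline step needs to fail the build.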