Biju
Reputation: 1008
How to detect illegal password handling in Terraform code using Open Policy Agent (OPA)?
I am creating RDS using Terraform by using a code that looks something like this:
data "aws_secretsmanager_secret_version" "creds" {
# Fill in the name you gave to your secret
secret_id = "db-creds"
}
locals {
db_creds = jsondecode(
data.aws_secretsmanager_secret_version.creds.secret_string
)
}
resource "aws_db_instance" "example" {
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
name = "example"
# Set the secrets from AWS Secrets Manager
username = local.db_creds.username
password = local.db_creds.password
}
Using rego in OPA how can I raise an error if password is NOT passed from secrets manager as shown above (and passed through illegal ways like hardcoded password instead)?
Terraform plan output just shows the password irrespective of whether it was obtained through a hardcoded value or through secrets manager - hence my confusion.
Upvotes: 0
Views: 179
Answers (1)
Related Questions
- How can I pass credentials in Terraform?
- Validating through terraform that a vault policy exists before using it in a group
- Terraform - Security rules creation with count
- Terraform azurerm_key_vault - Access policy raising errors
- Terraform v0.13 - Check if password or secret provided, use a randomly generated one if not
- Terraform key vault access policy
- How to use random_password multiple times in terraform script
- Terraform - how to avoid password for VM in the terraform script
- Can I loop over keys and values of an object in OPA to validate if they adhere to a certain format (CamelCase)
- Terraform and cleartext password in (remote) state file