lleps / terraform-validator
Compliance monitoring for terraform infrastructure.
Using data pulled from S3 buckets containing terraform states, this will pull all data from the account and compare against current state.
Additional Features:
Example: A terraform state file is in an S3 bucket and added to the list of TFSTATES. The state was abandoned and no longer represents what was deployed in the account.
I want to check a TFSTATE file in S3 and confirm its resources were actually deployed and are RUNNING or have discrepancies. There are ways to do this through Terraform, but it can also be codified.
The best solution (though it costs 150mb) is to add the whole .terraform folder to api.
Another elegant solution is to add a file "dummy_aws.tf" and invoke "terraform init" every time you want to initialize the api.
The point of this issue is to make a painless docker image.
Must add endpoint /login and endpoint /refresh. That should return the JWT token:
{
"access": ...,
"refresh": ...
}
The only endpoint that doesn't require the Authorization: header. All the other endpoints should have it built-in.
Login details may be passed as parameters or environment variables for now.
--login-password {password} --login-username {username}
Of course, must implement a login page in the frontend with a POST to that /login, and must append the Authorization header in axios.
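One way to lay out the login flow described in this issue, as an added example that is not code from the terraform-validator repository: credentials arrive through configuration, /login returns an access and a refresh token, /refresh is called with the refresh token, and a middleware refuses every other path that lacks a valid Authorization header. The token format (an HMAC-SHA256-signed payload, verified in constant time) is an assumption chosen to keep the example dependency-free; a JWT library gives the same structure with a standard header and claims. The user name, password, signing key and TTLs are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"time"
)

// Constructed configuration. In the service these come from the --login-username /
// --login-password flags or environment variables; the signing key must be a random secret.
var (
	loginUsername = "admin"
	loginPassword = "correct horse battery staple"
	signingKey    = []byte("constructed-demo-key-replace-me")
	accessTTL     = 15 * time.Minute
	refreshTTL    = 7 * 24 * time.Hour
)

// TokenPair is the body returned by /login and /refresh.
type TokenPair struct {
	Access  string `json:"access"`
	Refresh string `json:"refresh"`
}

// Token format (an assumption for this example, not the project's):
// base64url("<kind>|<user>|<unix expiry>") + "." + base64url(HMAC-SHA256 over the payload).
func sign(payload string) string {
	mac := hmac.New(sha256.New, signingKey)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString([]byte(payload)) + "." +
		base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

func issue(kind, user string, ttl time.Duration, now time.Time) string {
	return sign(fmt.Sprintf("%s|%s|%d", kind, user, now.Add(ttl).Unix()))
}

// Verify recomputes the token from its payload, compares in constant time, then checks kind and expiry.
func Verify(token, wantKind string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	payload, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 2 || err != nil || !hmac.Equal([]byte(sign(string(payload))), []byte(token)) {
		return "", fmt.Errorf("malformed token or bad signature")
	}
	fields := strings.Split(string(payload), "|")
	if len(fields) != 3 || fields[0] != wantKind {
		return "", fmt.Errorf("wrong token kind")
	}
	exp, err := strconv.ParseInt(fields[2], 10, 64)
	if err != nil || !now.Before(time.Unix(exp, 0)) {
		return "", fmt.Errorf("token expired")
	}
	return fields[1], nil
}

// Login compares both credentials in constant time and issues a short-lived access
// token together with a longer-lived refresh token.
func Login(user, password string, now time.Time) (TokenPair, bool) {
	ok := subtle.ConstantTimeCompare([]byte(user), []byte(loginUsername)) &
		subtle.ConstantTimeCompare([]byte(password), []byte(loginPassword))
	if ok != 1 {
		return TokenPair{}, false
	}
	return TokenPair{issue("access", user, accessTTL, now), issue("refresh", user, refreshTTL, now)}, true
}

// Refresh exchanges a valid refresh token for a new pair; an access token is rejected by its kind field.
func Refresh(refreshToken string, now time.Time) (TokenPair, bool) {
	user, err := Verify(refreshToken, "refresh", now)
	if err != nil {
		return TokenPair{}, false
	}
	return TokenPair{issue("access", user, accessTTL, now), issue("refresh", user, refreshTTL, now)}, true
}

// RequireAuth enforces the rule from the issue: /login is the only path served without an
// Authorization header; /refresh must carry a refresh token and every other path an access
// token, as "Bearer <token>". The clock is injected so the behaviour can be checked at fixed times.
func RequireAuth(next http.Handler, now func() time.Time) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/login" {
			next.ServeHTTP(w, r)
			return
		}
		kind := "access"
		if r.URL.Path == "/refresh" {
			kind = "refresh"
		}
		token := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if _, err := Verify(token, kind, now()); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The two token kinds are deliberately distinct so that a stolen refresh token cannot be replayed as an access token and vice versa, and the expiry is compared against an injected clock rather than `time.Now()` so the middleware can be unit-tested.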
The program should fetch features on startup, write them to disk on /features, and add/remove from db on /remove and /add.
Also log entries should have an "account".
Question: how to do the UI?
opt1: url /tfstates/. Selects the account to show elements. Same for logs.
Some kind of abstraction to reuse this in /logs. FilterableTable, with some control above the table.
So it should act exactly like a table, except it should only show those whose "account" column is of a particular way?
Maybe:
<FilteredTable
  filter={filter}
  onSetFilter={filter => onSetFilter(filter)}
  objs={objs}
  columnsRender={() => {
    /* render the header columns */
  }}
  rowRender={obj => {
    /* render one row for obj */
  }}
/>
Implement the necessary feature in both server and client.
Why?
Why not?
For now, gonna have both. The CLI itself is really simple. However, output must be formatted for the CLI server-side. With web, the backend should return stuff in JSON.
Using React, making the same endpoints with react router, /features, /features/id, etc. with tables or cards on each one.
jsonTopLevel() interface{} and jsonDetails interface{} in restObject. And /endpoint/json/{...}.
This sounds good.
like:
func (feature *ComplianceFeature) jsonTopLevel(result map[string]interface{}) {
	// fill the caller's map with the top-level representation of the feature
	result["name"] = feature.Name
}
The problem with this is that you won't be able to return arbitrary objects. But this doesn't seem necessary.
Because it loads all the foreign resources, but doesn't load the states, which are used to determine whether a resource is foreign or not.
Solution is to add two functions: loadAllTFStatesMinimal and loadAllTFStatesFull.
Also use the full version on state monitoring as well, to avoid a bunch of get requests.
The minimal/full postfix makes the meaning cleaner without needing documentation. Should be applied to all db.getAll* functions.
The point of labels is solving the following issue:
Sometimes I want specific states to run against specific features.
So, how do I do this?
Well, chances are:
1. Reference in every state which features you want.
2. Reference in every feature which states are affected.
Both suck. 1 sucks because it'll be very painful. For every state, I add which features I want. Imagine 20 states, and specifying which features I want for them. Also, when I add a new feature, I need to edit all states to include the new feature.
2 sucks because for every state I add, I will need to update the feature to include it.
Also, it'll be a pain in the ass to implement in Dynamo.
So, what's the solution?
The solution is tags. Tags are the bridge between states and features.
Every feature specifies tags. And every state specifies tags.
So, they won't be directly coupled, but will be connected through tags.
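The tag bridge described above, as an added example rather than code from the repository: a feature runs against a state exactly when the two share at least one tag, so adding a state or a feature never requires editing the other side. The type and field names, and the sample features and states, are constructed for the illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Feature is a compliance check together with the tags of the states it applies to.
// (Constructed for this example; the field names are assumptions, not the project's types.)
type Feature struct {
	Name string
	Tags []string
}

// TFState is a terraform state registered for monitoring, with its own tags.
type TFState struct {
	Key  string // e.g. the S3 object key (assumed)
	Tags []string
}

// hasCommonTag reports whether two tag lists share at least one tag.
func hasCommonTag(a, b []string) bool {
	set := make(map[string]struct{}, len(a))
	for _, t := range a {
		set[t] = struct{}{}
	}
	for _, t := range b {
		if _, ok := set[t]; ok {
			return true
		}
	}
	return false
}

// FeaturesForState returns the names of the features sharing a tag with the state,
// sorted for deterministic output. A state with no tags matches no feature, so an
// untagged state is never silently checked against everything.
func FeaturesForState(state TFState, features []Feature) []string {
	var names []string
	for _, f := range features {
		if hasCommonTag(state.Tags, f.Tags) {
			names = append(names, f.Name)
		}
	}
	sort.Strings(names)
	return names
}

// Plan maps every state key to the features that will run against it.
func Plan(states []TFState, features []Feature) map[string][]string {
	plan := make(map[string][]string, len(states))
	for _, s := range states {
		plan[s.Key] = FeaturesForState(s, features)
	}
	return plan
}

// sampleFeatures and sampleStates are constructed sample data.
func sampleFeatures() []Feature {
	return []Feature{
		{Name: "s3-encryption", Tags: []string{"prod", "storage"}},
		{Name: "sg-no-open-ssh", Tags: []string{"prod", "network"}},
		{Name: "tagging-policy", Tags: []string{"prod", "dev"}},
	}
}

func sampleStates() []TFState {
	return []TFState{
		{Key: "prod/vpc.tfstate", Tags: []string{"prod", "network"}},
		{Key: "dev/buckets.tfstate", Tags: []string{"dev", "storage"}},
		{Key: "sandbox/scratch.tfstate", Tags: nil},
	}
}

func main() {
	for key, names := range Plan(sampleStates(), sampleFeatures()) {
		fmt.Printf("%s -> %v\n", key, names)
	}
}
```

Because matching is computed at run time from the two tag lists, the document store only needs to hold each object's own tags; there is no cross-reference list to keep in sync, which is the Dynamo pain point the issue mentions.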
So, to implement:
Store documents as:
tfstate {
	stateJSON
	complianceResult: ComplianceResult
}
log {
	stateJSON
	oldStateJSON
	complianceResult: ComplianceResult
	oldComplianceResult: ComplianceResult
}
This will take a lot of complexity away.
Allows to:
How to get the current tfState?
Maybe add a -tf-state-s3-bucket and -tf-state-s3-key.
/validate endpoint with hardcoded features.
plan file must be sent as a raw base64 string in the body.
cmd ./client <plan file> <ip>
Very simple: on get/{id} don't fetch the whole object set. Just the one that was GETted.
A validation consists of:
type ValidationLog struct {
	Time          time.Time // when the validation ran
	InputJson     string    // the plan/state that was validated
	Output        string    // human-readable result
	WasSuccessful bool
	ErrorCount    int
	SkippedCount  int
	PassedCount   int
}
Ok. So... Problems to solve:
It's necessary to check what went wrong without having to check the app logs
Add server_test.go to check whether or not all endpoints behave as expected
Changes required:
How to handle validation errors:
For example, should return 404 on reading/deleting a feature that doesn't exist.
Using data pulled from S3 and stored in DynamoDB, the program will check terraform compliance against the TFstate and log results if non-compliant states are found.
This feature facilitates the addition of TFSTATES.
terraform-validator/api/rest.go, line 60 in 6f450de
The application embeds untrusted data in the generated output with WriteHeader, at line 42... This untrusted data is embedded straight into the output without proper sanitization or encoding, enabling an attacker to inject malicious code in the output.
The attacker would be able to alter the returned web page by saving malicious data in data-store ahead of time. The attacker's modified data is then read from the database by the registerEndpoint method with ReadAll, of this code. This untrusted data then flows through code straight to the output web page without sanitization.
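The class of defect in the report above is stored data reaching the HTTP response without encoding for its output context. The following is an added illustration of that pattern and two fixes, written for this page rather than taken from rest.go: the handler names and the stored value are constructed, and the code does not reproduce the project's registerEndpoint or ReadAll logic.

```go
package main

import (
	"encoding/json"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
)

// storedFeatureName stands in for a value read back from the data store. It is a
// constructed sample; anyone who can write to the store controls its contents.
const storedFeatureName = `<script>alert(1)</script>`

// VulnerableHandler shows the flagged pattern: a stored value is concatenated straight
// into a text/html response, so markup inside it is interpreted by the browser.
func VulnerableHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "<h1>Feature: %s</h1>", storedFeatureName)
}

// HardenedHTMLHandler keeps the HTML response but escapes the value for the HTML text
// context, so the same stored payload renders as literal text.
func HardenedHTMLHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusOK)
	fmt.Fprintf(w, "<h1>Feature: %s</h1>", html.EscapeString(storedFeatureName))
}

// HardenedJSONHandler is the shape that fits a REST API behind a React client: the value
// is JSON-encoded (encoding/json escapes <, > and & by default) and the response is
// declared as JSON, so the browser never treats it as a document to render.
func HardenedJSONHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/json")
	w.Header().Set("X-Content-Type-Options", "nosniff")
	w.WriteHeader(http.StatusOK)
	json.NewEncoder(w).Encode(map[string]string{"name": storedFeatureName})
}

// Render drives a handler with a synthetic GET and returns the declared Content-Type
// and the body, so the three variants can be compared side by side.
func Render(h http.HandlerFunc) (contentType, body string) {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/features/1", nil))
	return rec.Header().Get("Content-Type"), rec.Body.String()
}

func main() {
	handlers := map[string]http.HandlerFunc{
		"vulnerable":   VulnerableHandler,
		"html-escaped": HardenedHTMLHandler,
		"json":         HardenedJSONHandler,
	}
	for name, h := range handlers {
		ct, body := Render(h)
		fmt.Printf("%-13s %-25s %q\n", name, ct, body)
	}
}
```

The encoding has to match the context the value lands in: `html.EscapeString` is right for HTML text, while a JSON endpoint should let `encoding/json` do the escaping and declare `application/json`, with `X-Content-Type-Options: nosniff` so a browser cannot reinterpret the body as HTML.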
Takes some complexity away, standardizes a way to get results sorted, and results per date as well.
That's because dynamo doesn't keep any order in the records, making this necessary.