HashiCorp Sentinel with Mondoo Policies for Terraform: A Compact Guide

Martin Buchleitner | 20.06.2024 Devops, Infrastructure as Code

In today's fast-paced DevOps environments, ensuring infrastructure compliance and security is paramount. Traditionally, HashiCorp Sentinel has been a go-to for policy as code within the HashiCorp ecosystem, particularly for Terraform users. However, Mondoo offers a compelling alternative, providing extensive security and compliance capabilities that can seamlessly integrate with Terraform. This article explores how to use Mondoo policies as a replacement for HashiCorp Sentinel with practical examples.

Why Consider Mondoo for Terraform Policy Management?

Mondoo is a security and compliance platform that offers robust capabilities for continuous security assessments and compliance checks across cloud, on-premises, and hybrid environments. Here are some key reasons to consider Mondoo:

Broad Integrations: Mondoo supports multiple cloud providers, CI/CD pipelines, Kubernetes, and more.
Comprehensive Security: In-depth security and compliance checks with pre-built and customizable policies.
Ease of Use: User-friendly platform with extensive documentation and support.

Writing Mondoo Policies

Mondoo policies are written using Mondoo's policy language. Here’s an example of a simple Mondoo policy to check that no AWS S3 bucket is publicly accessible:

 1policies:
 2  - uid: terraform-aws-s3-public-access
 3    name: "Ensure no S3 bucket is publicly accessible."
 4    version: 1.0.0
 5    scoring_system: highest impact
 6    tags:
 7      mondoo.com/category: security
 8    groups:
 9      - title: AWS S3 Bucket Policies
10        filters: asset.runtime == "terraform"
11        checks:
12          - uid: aws-s3-public-access
13
14queries:
15  - uid: aws-s3-public-access
16    title: AWS S3 Public Access
17    impact: 50
18    mql: |
19        terraform.plan.resourceChanges.where(r: r.type == "aws_s3_bucket_acl" ).all(i:  i.change.after.acl.in( props.allowedACLs ) )        
20
21    props:
22      - uid: allowedACLs
23        title: Allowed ACLs
24        mql: |
25          ["private", "authenticated-read"]

To ensure your policy definition is valid, you can use the Mondoo CLI to validate the policy file:

1cnspec policy lint aws_s3_bucket_policy.mql.yaml

Integrating Mondoo with Terraform

Integrating Mondoo with Terraform involves running Mondoo checks as part of your Terraform workflow based on the terraform plan. So we need some terraform code that creates a plan and then we can scan it with Mondoo. In our example, we will use an AWS S3 bucket as a sample resource. We will also rely on the Mondoo CLI to scan the Terraform plan with local policy files. On a production system, you would typically use the Mondoo platform to manage policies, scan results and integrate with CI/CD pipelines.

 1resource "aws_s3_bucket" "example" {
 2  bucket = "my-tf-example-bucket"
 3}
 4
 5resource "aws_s3_bucket_ownership_controls" "example" {
 6  bucket = aws_s3_bucket.example.id
 7  rule {
 8    object_ownership = "BucketOwnerPreferred"
 9  }
10}
11
12resource "aws_s3_bucket_acl" "example" {
13  depends_on = [aws_s3_bucket_ownership_controls.example]
14
15  bucket = aws_s3_bucket.example.id
16  acl    = "private"
17}

Create a Terraform Plan:

1terraform plan -out=tfplan

Convert the Plan to JSON:

1terraform show -json tfplan > tfplan.json

Run Mondoo Scan:

Use Mondoo to scan the Terraform plan:

 1cnspec scan terraform plan tfplan.json -f aws_s3_bucket_policy.mql.yaml
 2
 3→ discover related assets for 1 asset(s)
 4
 5 Terraform Static Analysis tfplan ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100% score: A
 6
 7Asset: Terraform Static Analysis tfplan
 8---------------------------------------
 9
10Checks:
11✓ Pass:  100  AWS S3 Public Access
12
13Scanned 1 asset
14
15Terraform Plan
16    [100/100]   Terraform Static Analysis tfplan

Example: Enforcing Security Groups Policies

Let's enforce a policy to ensure that no security group allows SSH access from anywhere.

Mondoo Policy

 1policies:
 2  - uid: terraform-aws-sec-group-ssh-access
 3    name: "Ensure No Security Group Allows SSH from 0.0.0.0/0"
 4    version: 1.0.0
 5    scoring_system: highest impact
 6    tags:
 7      mondoo.com/category: security
 8    groups:
 9      - title: AWS SSH Security Group Check
10        filters: asset.runtime == "terraform"
11        checks:
12          - uid: aws-ssh-security-group
13queries:
14  - uid: aws-ssh-security-group
15    title: AWS SSH Security Group Check
16    impact: 20
17    mql: |
18      terraform.plan.resourceChanges.where(r: r.type == "aws_security_group" || r.type == "aws_security_group_rule" ).all(i:
19        i.change.after.from_port == 22
20        && i.change.after.to_port == 22
21        && i.change.after.cidr_blocks.not_in( props.disAllowedCIDRs )
22        && i.change.after.ipv6_cidr_blocks.not_in( props.disAllowedCIDRs )
23        )      
24
25    props:
26      - uid: disAllowedCIDRs
27        title: Disallowed CIDRs
28        mql: |
29          ["0.0.0.0/0", "::/0" ]

Terraform Configuration

Here’s a sample Terraform configuration for an AWS security group:

 1resource "aws_security_group" "example" {
 2  name        = "example-sg"
 3  description = "Example security group"
 4
 5  ingress {
 6    from_port   = 22
 7    to_port     = 22
 8    protocol    = "tcp"
 9    cidr_blocks = ["0.0.0.0/0"]
10  }
11}
12resource "aws_security_group_rule" "example" {
13  type              = "ingress"
14  from_port         = 22
15  to_port           = 22
16  protocol          = "tcp"
17  ipv6_cidr_blocks = [ "::/0" ]
18  security_group_id = aws_security_group.example.id
19}

Running the Mondoo Policy Against the Terraform Plan

Create and Show Plan:

1terraform plan -out=tfplan
2terraform show -json tfplan > tfplan.json

Scan with Mondoo:

1cnspec scan terraform plan tfplan.json -f aws_security_group_policy.mql.yaml

The Mondoo scan will analyze the Terraform plan and enforce the policy, alerting you if any security group allows SSH access from 0.0.0.0/0.

Conclusion

Mondoo provides a powerful and flexible alternative to HashiCorp Sentinel for enforcing policies in your Terraform workflows. By integrating Mondoo, you can enhance your infrastructure's security and compliance posture with minimal effort. With its broad integration capabilities and comprehensive policy management features, Mondoo is well-suited for modern DevOps environments.

Overall, Mondoo offers a robust platform for continuous security and compliance checks across your infrastructure, ensuring that your Terraform-managed resources adhere to your organization's security policies. These policies can be maintained on the Mondoo platform and enforced as part of your Terraform workflows and CI/CD pipelines.

Start leveraging Mondoo today and ensure your Terraform-managed infrastructure remains secure and compliant.

Go Back explore our courses

Terraform Foundations

Introduction to modern infrastructure provisioning.

Mondoo Essentials

Gain hands-on experience with Mondoo, mastering its features, custom policies, and advanced security management.

Mondoo Advanced

Master Mondoo’s advanced features in one day, focusing on policy scoring, exception handling, data exporting, smart ticketing, and custom compliance frameworks.

Martin Buchleitner | 17.10.2024 Infrastructure as Code, Devops, HashiCorp, Packer, Vault, Mondoo

Github Action to Build Golden Images with HashiCorp Packer

In previous posts we have already shown multiple ways to use HashiCorp Packer to build Golden Images. In this post we will show how to automate the process with

Martin Buchleitner | 16.10.2024 Infrastructure as Code, Devops, HashiCorp, Consul

Automating DNS Updates from Kubernetes - HashiCorp Style

In dynamic Kubernetes environments, managing DNS records can be a challenge. As services scale, redeploy, or change IP addresses, ensuring that DNS records

Martin Buchleitner | 15.10.2024 Infrastructure as Code, Devops, HashiCorp, Consul, Nomad, Çonsul Connect', Traefik

Secure Communication between HashiCorp Nomad and Traefik with Consul Connect

In today's rapidly evolving cloud-native landscape, the need for efficient service orchestration, service discovery, and secure communication between services

Martin Buchleitner | 14.10.2024 Infrastructure as Code, Devops, HashiCorp, Consul, Nomad, Çonsul Connect'

Secure Communication on HashiCorp Nomad with Consul Connect

Securing Communication on HashiCorp Nomad Payloads with HashiCorp Consul Connect In modern cloud-native environments, security is paramount. One of the key

Paul Strebenitzer | 10.10.2024 Devops

AI in DevOps: Revolutionizing Automation with Generative AI

The rise of AI in DevOps has been causing a revolution in how we approach software development and operations. We're witnessing a shift in our industry, where

We are here for you

You are interested in our courses or you simply have a question that needs answering? You can contact us at anytime! We will do our best to answer all your questions.