Inspired by a piece of work we’ve recently done at work, where we pipe all our cloud API logs to Elasticsearch and create alerts based on user and service activity, I wanted to share the budget version of it that I use in my private AWS account. To deploy all my infrastructure, I use Terraform, and at the end of this article, I share the code in the form of a Terraform module.
In times where most of us are working remotely, I thought it was important to remind us all of the importance of security awareness, an aspect of security that thanks to the protection of our homes may sometimes be neglected. Security awareness, as put by some sources, is the knowledge and attitude members of an organisation possess regarding the protection of the assets of that organisation. I really like that definition.
Encryption · GPG · PGP
If, like me, you use the terraform binary from your computer to describe and deploy the infrastructure of your projects, you might want to add an extra level of security. The extra level of security I am referring to is encrypting your terraform secrets, both on-screen and in the terraform state files. Of course, the method I am going to describe in this article can also be used for production-grade environments.
Policy as code · conftest · OPA · Rego
For those who don’t know what conftest is, conftest is an open-source utility that helps engineers write tests against structured configuration data. At the time of writing, conftest supports many formats such as YAML, JSON, Dockerfile, and HCL/HCL2 amongst others. This variety of formats allows teams to validate their configurations regardless of the platform they belong to before making changes to live systems. Conftest relies on the Rego language from Open Policy Agent for writing the assertions, which is a high-level declarative language that lets users specify policy as code and offload their policy decision-making from their software.