
Tirith (StackGuardian Policy Framework)

A call for contributors

We are calling for contributors to help build out new features, review pull requests, fix bugs, and maintain overall code quality. If you're interested, please email us at team[at]stackguardian.io or get started by reading the contributing.md.

Tirith scans declarative Infrastructure as Code (IaC) configurations like Terraform against policies defined using JSON.

Features

  • An easy to read and simple way to define policy as code against structured formats.
  • Use providers to define policies for terraform plan, infracost or any abstract JSON.
  • Easily evaluate inputs against policy using pre-defined evaluators like ContainedIn, Equals, RegexMatch etc.
  • Write your own provider (plugin) by leveraging a highly extensible and pluggable architecture to support any input formats.

Usage

usage: tirith [-h] [-policy-path PATH] [-input-path PATH] [--json] [--verbose] [--version]

Tirith (StackGuardian Policy Framework)

optional arguments:
  -h, --help               show this help message and exit
  -policy-path PATH        Path containing Tirith policy as code
  -input-path PATH         Input file path
  --json                   Only print the result in JSON form (useful for passing output to other programs)
  --verbose                Show detailed logs from the run
  --version                show program's version number and exit

Example Tirith policies

Examples using various providers

  1. VPC and EC2 instance policy (using Terraform plan provider)
  • AWS VPC instance_tenancy is "default"
  • EC2 instance cannot be destroyed
{
  "meta": {
    "required_provider": "stackguardian/terraform_plan",
    "version": "v1"
  },
  "evaluators": [
    {
      "id": "check_ec2_tenancy",
      "provider_args": {
        "operation_type": "attribute",
        "terraform_resource_type": "aws_vpc",
        "terraform_resource_attribute": "instance_tenancy"
      },
      "condition": {
        "type": "Equals",
        "value": "default"
      }
    },
    {
      "id": "destroy_ec2",
      "provider_args": {
        "operation_type": "action",
        "terraform_resource_type": "aws_instance"
      },
      "condition": {
        "type": "ContainedIn",
        "value": ["destroy"]
      }
    }
  ],
  "eval_expression": "check_ec2_tenancy && !destroy_ec2"
}
  2. Cost control policy (using Infracost provider)
  • EC2 instance cost is lower than 100 USD per month
{
  "meta": {
    "required_provider": "stackguardian/infracost",
    "version": "v1"
  },
  "evaluators": [
    {
      "id": "ec2_cost_below_100_per_month",
      "provider_args": {
        "operation_type": "total_monthly_cost",
        "resource_type": ["aws_ec2"]
      },
      "condition": {
        "type": "LessThanEqualTo",
        "value": 100
      }
    }
  ],
  "eval_expression": "ec2_cost_below_100_per_month"
}
  3. StackGuardian Workflow Policy (using SG workflow provider)
  • Terraform Workflow should require an approval to create or destroy resources
{
  "meta": {
    "required_provider": "stackguardian/sg_workflow",
    "version": "v1"
  },
  "evaluators": [
    {
      "id": "require_approval_before_creating_ec2",
      "provider_args": {
        "operation_type": "attribute",
        "workflow_attribute": "approvalPreApply"
      },
      "condition": {
        "type": "Equals",
        "value": true
      }
    }
  ],
  "eval_expression": "require_approval_before_creating_ec2"
}
  4. Make sure that all AWS ELBs are attached to a security group (using Terraform plan provider)
{
  "meta": {
    "version": "v1",
    "required_provider": "stackguardian/terraform_plan"
  },
  "evaluators": [
    {
      "id": "aws_elbs_have_direct_references_to_security_group",
      "provider_args": {
        "operation_type": "direct_references",
        "terraform_resource_type": "aws_elb",
        "references_to": "aws_security_group"
      },
      "condition": {
        "type": "Equals",
        "value": true,
        "error_tolerance": 0
      }
    }
  ],
  "eval_expression": "aws_elbs_have_direct_references_to_security_group"
}
  5. Make sure that all aws_s3_bucket are referenced by aws_s3_bucket_intelligent_tiering_configuration (using Terraform plan provider)
{
  "meta": {
    "required_provider": "stackguardian/terraform_plan",
    "version": "v1"
  },
  "evaluators": [
    {
      "id": "s3HasLifeCycleIntelligentTiering",
      "description": "Make sure all aws_s3_bucket are referenced by aws_s3_bucket_intelligent_tiering_configuration",
      "provider_args": {
        "operation_type": "direct_references",
        "terraform_resource_type": "aws_s3_bucket",
        "referenced_by": "aws_s3_bucket_intelligent_tiering_configuration"
      },
      "condition": {
        "type": "Equals",
        "value": true,
        "error_tolerance": 0
      }
    }
  ],
  "eval_expression": "s3HasLifeCycleIntelligentTiering"
}
  6. Kubernetes (using Kubernetes provider)
  • Make sure that all pods have a liveness probe defined
{
  "meta": {
    "version": "v1",
    "required_provider": "stackguardian/kubernetes"
  },
  "evaluators": [
    {
      "id": "kinds_have_null_liveness_probe",
      "provider_args": {
        "operation_type": "attribute",
        "kubernetes_kind": "Pod",
        "attribute_path": "spec.containers.*.livenessProbe"
      },
      "condition": {
        "type": "Contains",
        "value": null,
        "error_tolerance": 2
      }
    }
  ],
  "eval_expression": "!kinds_have_null_liveness_probe"
}
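The Terraform plan examples (1, 4 and 5 above) only make sense once you see which fields of the plan document each `provider_args` block reads. The following is an added illustration, not Tirith's own code: a small Python re-implementation of the `attribute`, `action` and `direct_references` operations of the `terraform_plan` provider and of the `eval_expression` combinator, run against a constructed plan document. The plan layout (`resource_changes[].change.actions` / `.after`, and `configuration.root_module.resources[].expressions.<attr>.references`) is Terraform's `terraform show -json` format. Everything about Tirith's internal semantics is an assumption made for this example and marked as such in the code: that an evaluator is true when every matched resource satisfies the condition with up to `error_tolerance` failures, that zero matching resources yields false, and that Terraform's `delete` action is mapped to the policy vocabulary `destroy`. The evaluator id `elb_has_sg` and the combined `eval_expression` are shortened and merged from examples 1 and 4 for the demo.

```python
import ast

# Constructed sample plan (not real output): the subset of `terraform show -json tfplan`
# that the policies above inspect. Note the EC2 instance is being destroyed.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "aws_vpc.main", "type": "aws_vpc",
         "change": {"actions": ["create"], "after": {"instance_tenancy": "default"}}},
        {"address": "aws_instance.web", "type": "aws_instance",
         "change": {"actions": ["delete"], "after": None}},
        {"address": "aws_elb.front", "type": "aws_elb",
         "change": {"actions": ["create"], "after": {"name": "front"}}},
        {"address": "aws_security_group.lb", "type": "aws_security_group",
         "change": {"actions": ["create"], "after": {"name": "lb"}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "aws_elb.front", "type": "aws_elb", "expressions": {
            "security_groups": {"references": ["aws_security_group.lb.id", "aws_security_group.lb"]}}},
    ]}},
}

# The evaluators of examples 1 and 4 above, combined into one policy for this demo.
POLICY = {
    "meta": {"required_provider": "stackguardian/terraform_plan", "version": "v1"},
    "evaluators": [
        {"id": "check_ec2_tenancy",
         "provider_args": {"operation_type": "attribute", "terraform_resource_type": "aws_vpc",
                           "terraform_resource_attribute": "instance_tenancy"},
         "condition": {"type": "Equals", "value": "default"}},
        {"id": "destroy_ec2",
         "provider_args": {"operation_type": "action", "terraform_resource_type": "aws_instance"},
         "condition": {"type": "ContainedIn", "value": ["destroy"]}},
        {"id": "elb_has_sg",
         "provider_args": {"operation_type": "direct_references", "terraform_resource_type": "aws_elb",
                           "references_to": "aws_security_group"},
         "condition": {"type": "Equals", "value": True, "error_tolerance": 0}},
    ],
    "eval_expression": "check_ec2_tenancy && !destroy_ec2 && elb_has_sg",
}

# Assumption: Terraform records a destroy as the action "delete"; the policies say "destroy".
ACTION_MAP = {"delete": "destroy"}
CONDITIONS = {"Equals": lambda got, want: got == want,
              "ContainedIn": lambda got, want: got in want}

def _config_refs(plan, address):
    """Every Terraform address referenced from a resource's configuration block."""
    for res in plan["configuration"]["root_module"]["resources"]:
        if res["address"] == address:
            return [r for e in res.get("expressions", {}).values() for r in e.get("references", [])]
    return []

def provider_values(plan, args):
    """Provider side: one observed value per matching resource (per action for 'action')."""
    op, rtype, values = args["operation_type"], args["terraform_resource_type"], []
    config = plan["configuration"]["root_module"]["resources"]
    for rc in (r for r in plan["resource_changes"] if r["type"] == rtype):
        if op == "attribute":
            values.append((rc["change"].get("after") or {}).get(args["terraform_resource_attribute"]))
        elif op == "action":  # a replace is ["delete", "create"]; each action is emitted separately
            values.extend(ACTION_MAP.get(a, a) for a in rc["change"]["actions"])
        elif op == "direct_references" and "references_to" in args:
            want = args["references_to"] + "."
            values.append(any(r.startswith(want) for r in _config_refs(plan, rc["address"])))
        elif op == "direct_references" and "referenced_by" in args:
            values.append(any(rc["address"] in _config_refs(plan, o["address"])
                              for o in config if o["type"] == args["referenced_by"]))
        else:
            raise ValueError(f"unsupported provider_args: {args}")
    return values

def run_evaluator(plan, ev):
    """Assumed semantics: True when every value meets the condition, tolerating up to
    condition.error_tolerance failures; zero matching resources -> False (fail closed)."""
    cond = ev["condition"]
    values = provider_values(plan, ev["provider_args"])
    failures = sum(1 for v in values if not CONDITIONS[cond["type"]](v, cond["value"]))
    return bool(values) and failures <= cond.get("error_tolerance", 0)

def _walk(node, results):
    if isinstance(node, ast.Name):
        return results[node.id]  # unknown evaluator id -> KeyError
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _walk(node.operand, results)
    if isinstance(node, ast.BoolOp):
        vals = [_walk(v, results) for v in node.values]  # evaluate all operands, no short-circuit
        return all(vals) if isinstance(node.op, ast.And) else any(vals)
    raise ValueError(f"disallowed syntax in eval_expression: {type(node).__name__}")

def eval_expression(expr, results):
    """Combine evaluator results with !, &&, || and parentheses: rewrite to Python operators,
    parse with ast and interpret node by node (nothing is ever passed to eval())."""
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    return _walk(ast.parse(py.strip(), mode="eval").body, results)

def evaluate_policy(policy, plan):
    """Run every evaluator, then combine the per-evaluator booleans."""
    if policy["meta"]["required_provider"] != "stackguardian/terraform_plan":
        raise ValueError("this demo only handles the terraform_plan provider")
    results = {ev["id"]: run_evaluator(plan, ev) for ev in policy["evaluators"]}
    return {"evaluators": results, "passed": eval_expression(policy["eval_expression"], results)}
```

On the constructed plan `destroy_ec2` is true because the instance is being deleted, so the policy fails; drop the instance from the plan and it passes. Two points worth checking against the real provider before relying on a policy like this: how an evaluator behaves when no resource of the requested type is in the plan (a vacuously true `destroy_ec2` would invert to a failure under `!`, while a vacuously true `check_ec2_tenancy` would let an empty plan pass), and how a replace, which Terraform records as `["delete", "create"]`, is reported to `ContainedIn`. To run the real tool on the same kind of input: `terraform plan -out=tfplan && terraform show -json tfplan > plan.json && tirith -policy-path policy.json -input-path plan.json --json`.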

Want to contribute?

If you're interested, please email us at team[at]stackguardian.io or get started by reading the contributing.md.

Getting an issue assigned

Go to the Tirith Repository and in the issues tab describe any bug or feature you want to add. If found relevant, the maintainers will assign the issue to you and you may start working on it as mentioned in the next section.

The kinds of issues a contributor can open:

  • Report Bugs
  • Feature Enhancement
  • If any "help" is needed with using Tirith

A bug report

Head over to the Tirith repository and in the issues tab describe the bug you encountered and we will be happy to take a look into it.

Opening a Pull Request and getting it merged?

  1. Go to the repository and fork it.
  2. Clone the repository in your local machine.
  3. Open your terminal and cd tirith
  4. Create your own branch for the changes you intend to make and switch to it. Name it after the work, e.g. for a bug fix to an evaluator: git checkout -b bug-fix-equals-evaluator
  5. After making and committing your changes, push the branch with git push --set-upstream origin bug-fix-equals-evaluator, then open a "Pull Request" from that branch against main using the GitHub UI.
  6. A review request will be sent to the repository maintainers and your changes will be merged if found relevant.

Submitting a Feedback

Want to submit feedback? Write it up and post it in the feedback section.

Your feedback will help us improve

Support

License

Apache License 2.0

The Apache License is a permissive free software license written by the Apache Software Foundation (ASF). It allows all users to use the software for any purpose, to distribute it, to modify it, and to distribute modified versions of the software under the terms of the license, without concern for royalties.