A Tutorial on Using Open Policy Agent with Terraform
This is a work in progress (WIP) and as such is not in any way complete. If you're watching this repository, just know that I am working on building out a tutorial for using OPA, Rego, and Terraform along with a series of YouTube videos on my channel. As each video is published, the supporting code will land here.
No, not really. I don't know how to nae nae. I do know something about building a tutorial. So watch me toot toot? No, that's worse.
Open Policy Agent (OPA) is a graduated CNCF project used to define and evaluate policy as code written in Rego. Since OPA is a general purpose policy engine, it can evaluate any input that can be expressed as JSON. How does this fit into the world of Terraform? When you generate an execution plan in Terraform and save it with `terraform plan -out`, the saved plan can be rendered as JSON using the `terraform show -json` command. The JSON plan includes the prior state, the proposed changes to resources and outputs, and the interpreted configuration along with the variable values submitted during the planning run. Based on the contents of the execution plan, a policy can decide whether the plan should proceed as expressed, and flag any additional actions that are necessary from an operational standpoint.
That's it. That's the summary.
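To make the summary concrete, here is a small Rego policy written for this page as an added example; it is not code from this repository or its author. It reads the JSON that `terraform show -json` produces for a saved plan and does the two things described above: it decides whether the plan may proceed (the `deny` set and the `allow` boolean) and it surfaces operational follow-ups that are not blockers (the `warn` set). The package name, the `protected_types` and `required_tags` sets, the file names in the header comment and the plan fragments inside the `test_` rules are all assumed or constructed for illustration; adjust them to your own provider and tagging standard.

```rego
# Added example policy for this tutorial (not the repository's own code).
# Assumes OPA 0.59 or later (for `import rego.v1`) and a plan JSON produced by:
#   terraform plan -out=tfplan.binary
#   terraform show -json tfplan.binary > tfplan.json
# Evaluate against a real plan with:
#   opa eval -d policy.rego -i tfplan.json -f pretty 'data.terraform.plan.deny'
#   opa eval -d policy.rego -i tfplan.json -f pretty 'data.terraform.plan.allow'
# Run the inline unit tests (constructed plan fragments, no Terraform needed) with:
#   opa test policy.rego -v
package terraform.plan

import rego.v1

# Resource types an unattended pipeline must never destroy (assumed list).
protected_types := {"aws_kms_key", "azurerm_key_vault", "google_kms_crypto_key"}

# Tags every managed resource being created or updated must carry (assumed list).
required_tags := {"owner", "environment"}

# Every resource change whose planned actions include "delete". A replacement
# shows up in the plan as ["delete", "create"] or ["create", "delete"], so it
# is caught here as well as a plain delete.
deleted contains rc if {
    some rc in input.resource_changes
    "delete" in rc.change.actions
}

# Hard failure: the plan destroys a protected resource type.
deny contains msg if {
    some rc in deleted
    rc.type in protected_types
    msg := sprintf("%s: deleting resources of type %s is not permitted", [rc.address, rc.type])
}

# Hard failure: a managed resource is created or updated without the required tags.
# When no tags are set the plan carries "tags": null rather than omitting the key,
# so iterating over it yields an empty set and every required tag is reported.
deny contains msg if {
    some rc in input.resource_changes
    rc.mode == "managed" # skip data sources, which have mode "data"
    some action in rc.change.actions
    action in {"create", "update"}
    tags := object.get(rc.change.after, "tags", {})
    present := {k | tags[k]}
    missing := required_tags - present
    count(missing) > 0
    msg := sprintf("%s: missing required tags: %s", [rc.address, concat(", ", sort(missing))])
}

# Operational advisory rather than a blocker: a resource is destroyed and recreated.
warn contains msg if {
    some rc in deleted
    "create" in rc.change.actions
    msg := sprintf("%s: will be destroyed and recreated; expect downtime", [rc.address])
}

# Single boolean a pipeline step can gate on.
default allow := false

allow if count(deny) == 0

# Inline unit tests over constructed plan fragments (run with `opa test`).
test_protected_delete_is_denied if {
    plan := {"resource_changes": [{
        "address": "azurerm_key_vault.main",
        "mode": "managed",
        "type": "azurerm_key_vault",
        "change": {"actions": ["delete"], "before": {"name": "kv-main"}, "after": null}
    }]}
    count(deny) == 1 with input as plan
    not allow with input as plan
}

test_missing_tag_is_reported if {
    plan := {"resource_changes": [{
        "address": "aws_s3_bucket.logs",
        "mode": "managed",
        "type": "aws_s3_bucket",
        "change": {"actions": ["create"], "before": null, "after": {"bucket": "logs", "tags": {"owner": "secops"}}}
    }]}
    "aws_s3_bucket.logs: missing required tags: environment" in deny with input as plan
}

test_replacement_warns_but_allows if {
    plan := {"resource_changes": [{
        "address": "aws_instance.web",
        "mode": "managed",
        "type": "aws_instance",
        "change": {"actions": ["delete", "create"], "before": {"tags": {"owner": "web", "environment": "prod"}}, "after": {"tags": {"owner": "web", "environment": "prod"}}}
    }]}
    count(warn) == 1 with input as plan
    allow with input as plan
}
```

Two points worth noting before wiring this into a pipeline. First, `terraform show -json` has to be run against a plan file saved with `-out`; run against state it prints the state, which has no `resource_changes`, and every rule above silently produces nothing, so `allow` is true. Gate on `count(deny) == 0` and also assert that `input.resource_changes` exists if you want that mistake to fail loudly. Second, keeping `warn` separate from `deny` is deliberate: a replacement is usually legitimate, but the person approving the apply should see it, which is the "additional operational action" the summary refers to.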
Here's the plan for learning about OPA and Terraform:
- Describe how OPA and Terraform can work together (see summary)
- Go over the basics of the Rego language
- Review the contents of a Terraform execution plan
- Develop basic policies using Rego with an execution plan
- Implement evaluation as part of a pipeline
  - GitHub Actions
  - Azure DevOps
  - Terraform Cloud
- Create reusable OPA policies for Terraform
- Win Win Win
- All I do ☝️
I may add more components or revise the order as we go, but I think this is a good start.