Sinasco is a standardization framework for Infrastructure as Code. Designed with cloud computing principles in mind, it lets users cross-validate their IaC scripts against organizational and security policies and configuration rules, so that the cloud infrastructure stays well managed and secure without giving up the benefits an organization can harness from a cloud-centric infrastructure ecosystem. Sinasco includes a library of rules written in Golang along with a wrapper for the Open Policy Agent (OPA) binaries.
Sinasco can be used to manage Terraform scripts (Terraform being a popular Infrastructure as Code tool) that provision infrastructure on AWS, Azure, and GCP.
Validate that only approved Terraform modules are used in the code. Modules pulled from the internet can violate organizational standards and compromise the infrastructure they build.
Sinasco can be used to enforce the use of organizational modules in the scripts.
Validate that the Terraform code uses valid Terraform syntax. Because this validation runs before the code is initialized and built, it gives faster feedback.
Managed Sinasco rules can be used for standard infrastructure evaluations. However, users are encouraged to write their own rules, tailored to the organizational standards and policies.
Measure the health of the Terraform script for the target environment and produce a quality report for the build. Compliance and policy violations are weighted by severity, environment and impact to produce a quality score. The quality score is checked against the custom quality gates defined for the project, so that the infrastructure is either created or the build rejected in a fully automated manner.
With the industry moving towards multi-cloud, it is vital to be CSP-independent and to be able to move cloud services between environments using standardized service definitions.
Sinasco can be used to verify the multi-cloud supportability of your code by cross-validating the policy documents against Terraform scripts written for any major cloud service provider.
Sinasco requires the following tools to function: Open Policy Agent (OPA) and Terraform.
Installation can be verified as below:

```shell
$ opa version
Version: 0.28.0
Build Commit: 3fbcd71
Build Timestamp: 2021-04-27T13:51:21Z
Build Hostname: c8a0b3ab05bf
Go Version: go1.15.8
$ terraform -v
Terraform v0.14.4
```
Once OPA and Terraform are set up, navigate to the Sinasco releases and download the latest binary (sinasco.zip). The `bin` directory contains the sinasco wrapper, which is used to run the framework. The `lib` directory contains the Sinasco managed policies (unit tests, organizational compliance and security) for the major cloud providers, which can be used to evaluate and standardize the Terraform code. Additional policies can be added there.
Once the steps under Install Requirements are done, the Terraform code can be evaluated. Sinasco requires three user inputs to evaluate the code:

Input Flag | Description | Sample Input |
---|---|---|
`-d` | Sinasco rule file used to evaluate the code | `lib/aws/security/datastore.go` |
`-i` | Directory containing the Terraform code | `RP-Code/nonprod/` |
`-f` | Evaluation output format: `score` (cumulative weighted score of the violated rules), `violation` (list of violated policies) or `quality_gate_passed` (final pass/fail evaluation of the code) | `score`, `violation` or `quality_gate_passed` |
The `violation` output format lists the rules the code violates:

```shell
$ sinasco.sh -d lib/aws/security/datastore.go -i RP-Code/nonprod/ -f violation
+--------------------------------+
| violations |
+--------------------------------+
| ["One or more S3 Buckets are |
| public. Please change the ACL |
| to Private"] |
+--------------------------------+
```
The `score` output format shows the cumulative weighted score of the violated rules:

```shell
$ sinasco.sh -d lib/aws/security/datastore.go -i RP-Code/nonprod/ -f score
+------------+
| score |
+------------+
| 10 |
+------------+
```
The `quality_gate_passed` output format shows whether the given resource stack passed the custom quality gate:

```shell
$ sinasco.sh -d lib/aws/security/datastore.go -i RP-Code/nonprod/ -f quality_gate_passed
+---------------------+
| Quality Gate Passed |
+---------------------+
| false |
+---------------------+
```
Setting the quality gate. The rules are written in Rego, OPA's policy language. The `score` is the sum, over every rule, of the number of violating resources multiplied by the weight assigned to that rule; the gate passes only while the score stays below `quality_gate`. With the weight of 10 below, a single misnamed instance already fails a gate of 5.

```rego
# Cumulative score the build must stay below
quality_gate = 5

# Weight assigned to each validation rule, per resource type
quality_values = {
    "aws_instance": {"naming": 10}
}

# Compute the score: rule weight multiplied by the number of violating resources
score = eval {
    all := [res |
        some resource_type
        crud := quality_values[resource_type]
        ec2_naming := crud["naming"] * ec2_naming_validation[resource_type]
        res := ec2_naming
    ]
    eval := sum(all)
}

# Quality gate evaluation: pass only when the score is under the gate
default quality_gate_passed = false

quality_gate_passed {
    score < quality_gate
}
```
Evaluating the defined standardization rule and producing the violation message is handled by the section below. `resource_types` (the types this rule applies to) and `resources` (the planned resources indexed by type) are not shown on this page and must be defined elsewhere in the rule file; `res.change.after` is the post-apply state of a resource as found in Terraform plan JSON.

```rego
# Error message to display on a violation
violation["EC2 naming standard violated. Please refer udaara.confluence.com/org_naming for the standard documentation"] {
    ec2_naming_validation[resource_types[_]] > 0
}

# Enforce the instance naming standard: count the resources of each type whose
# Name tag does not match the pattern. The glob uses character classes, so
# "[lw]" rather than "[l,w]" (a comma inside the class would also match a comma).
ec2_naming_validation[resource_type] = num {
    resource_types[resource_type]
    all := resources[resource_type]
    creates := [res |
        res := all[_]
        not glob.match("aue1[lw][dqsp][a-z][a-z][a-z][0-9][0-9]", [], res.change.after.tags.Name)
    ]
    num := count(creates)
}
```
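As an added example, not code from the Sinasco rule library, here is a complete custom rule file in the shape of the scoring and EC2 naming rules above, including the two helpers those rules rely on, `resource_types` and `resources`, which the page does not show. It assumes the wrapper passes Terraform plan JSON (`terraform show -json plan.out`) to OPA as `input`, as the `res.change.after` references suggest; the package name, the second resource type (`aws_s3_bucket`) and its weight, and the gate value are assumptions. It goes beyond the page's single-type rule by scoring several resource types at once, treating a missing `Name` tag as a violation, and reporting the violation count per type. It is written in the `=`/`{ }` Rego syntax that the OPA 0.28 release shown above accepts.

```rego
package sinasco.custom.naming   # assumed package name

# Resource types this rule file evaluates (aws_s3_bucket is an added assumption)
resource_types = {"aws_instance", "aws_s3_bucket"}

# Planned resources indexed by type. Terraform plan JSON lists every planned
# change under input.resource_changes[]; change.after is null for resources
# being destroyed, which have no name to validate.
resources[resource_type] = rs {
    resource_types[resource_type]
    rs := [r |
        r := input.resource_changes[_]
        r.type == resource_type
        r.change.after != null
    ]
}

# Naming standard: aue1 + one of l/w + one of d/q/s/p + three lowercase
# letters + two digits. Characters inside [] form a class, so "[lw]", not "[l,w]".
naming_pattern = "aue1[lw][dqsp][a-z][a-z][a-z][0-9][0-9]"

name_ok(r) {
    glob.match(naming_pattern, [], r.change.after.tags.Name)
}

# Number of resources of each type that break the standard. A resource without
# a Name tag leaves name_ok undefined and therefore counts as a violation.
naming_violations[resource_type] = num {
    resource_types[resource_type]
    bad := [r |
        r := resources[resource_type][_]
        not name_ok(r)
    ]
    num := count(bad)
}

# Weight per resource type (assumed values) and the gate the score must stay below
quality_values = {
    "aws_instance": {"naming": 10},
    "aws_s3_bucket": {"naming": 5}
}

quality_gate = 5

# score = sum over resource types of (weight * number of violating resources)
score = total {
    parts := [p |
        some t
        w := quality_values[t]["naming"]
        p := w * naming_violations[t]
    ]
    total := sum(parts)
}

default quality_gate_passed = false

quality_gate_passed {
    score < quality_gate
}

# One message per resource type that has violations, including the count
violation[msg] {
    naming_violations[t] > 0
    msg := sprintf("%d %s resource(s) violate naming standard %q", [naming_violations[t], t, naming_pattern])
}

# Constructed plan fragment exercised by `opa test`: one compliant instance,
# one misnamed instance and one bucket with no Name tag -> score 10 + 5 = 15.
test_gate_fails_on_naming_violations {
    plan := {"resource_changes": [
        {"type": "aws_instance", "change": {"after": {"tags": {"Name": "aue1ldabc01"}}}},
        {"type": "aws_instance", "change": {"after": {"tags": {"Name": "web-server"}}}},
        {"type": "aws_s3_bucket", "change": {"after": {"tags": {}}}}
    ]}
    score == 15 with input as plan
    not quality_gate_passed with input as plan
    count(violation) == 2 with input as plan
}
```

Save the file as, for example, `naming.rego` and run `opa test -v naming.rego` to execute the embedded test with the constructed plan, or evaluate it against a real plan with `terraform show -json plan.out > plan.json` followed by `opa eval -i plan.json -d naming.rego 'data.sinasco.custom.naming.quality_gate_passed'`. Filtering on `change.after != null` matters in practice: a destroy-only change has no post-apply attributes, and a rule that reads `tags.Name` from it would otherwise count every deleted resource as a violation.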
Sinasco is licensed under the MIT License