BOOST_INVALID_TF_TAGS
Boost provides custom Terraform tag validation to check compliance with organizational policies. It lets you define and enforce specific tagging conventions, promoting consistency and clarity across cloud resources, so that your cloud infrastructure follows established guidelines, reducing the risk of misconfigurations and improving overall governance. The process involves generating a Terraform plan in JSON format and supplying a tag validation policy via the BOOST_TF_TAGS_POLICY environment variable.
Tags policy
{
"version": "v1.0.0",
"enforcement_policy": "lax",
"supported_resources": [
"aws_s3_bucket"
],
"remediation_message": "For more information, please check our wiki...",
"required_tags": [
"db-cloud",
"db-owner",
"db-environment",
"db-purpose"
],
"allowed_tag_values": {
"db-cloud": [
"AWS",
"GCP",
"Azure"
],
"db-environment": [
"dev",
"staging",
"prod"
]
}
}
.gitlab-ci.yml example
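variables:
  # Quoted so the job receives the string "true" rather than a YAML boolean;
  # CI variables are exported to the job as environment strings.
  IGNORE_TF_DEPRECATION_WARNING: "true"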
include:
  # GitLab-maintained Terraform template; supplies the .terraform:* job
  # definitions that fmt, validate, build and deploy extend below.
  - template: Terraform/Base.gitlab-ci.yml
  # Boost scanner jobs (.boost_scan). NOTE(review): this pulls the template
  # from the mutable `main` branch, so every pipeline runs whatever that
  # branch contains at the time; pin the URL to a tag or commit
  # (e.g. .../<pinned-ref>/scanner.yml) if a reproducible include is wanted.
  - remote: 'https://raw.githubusercontent.com/boostsecurityio/boostsec-scanner-gitlab/main/scanner.yml'
workflow:
  # Pipelines are created only for pushes to the default branch and for
  # merge request events; any other pipeline source is skipped.
  rules:
    # execute on pushes to the default branch
    - if: ($CI_PIPELINE_SOURCE == "push") && ($CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH)
    # execute on merge request
    - if: ($CI_PIPELINE_SOURCE == "merge_request_event")
# Stage order. `boost` is inserted between build and deploy so the scan runs
# against the generated plan before anything is applied.
stages:
  - validate
  - test
  - build
  - boost
  - deploy
  - cleanup
fmt:
  extends: .terraform:fmt
  # Empty needs: start immediately instead of waiting for earlier stages.
  needs: []
validate:
  extends: .terraform:validate
  # Empty needs: start immediately instead of waiting for earlier stages.
  needs: []
build:
  extends: .terraform:build
  environment:
    name: $TF_STATE_NAME
    action: prepare
  # Runs after the template's plan step: converts the cached plan to JSON for
  # Boost and, on merge requests, also plans the MR base commit so both sides
  # of the diff can be scanned.
  # NOTE(review): a failing command in after_script does not normally fail the
  # job, so a broken base plan would only surface when boost-terraform tries
  # to copy the file — confirm against the runner's after_script behaviour.
  # NOTE(review): checking out $CI_MERGE_REQUEST_DIFF_BASE_SHA assumes that
  # commit is present in the clone (watch GIT_DEPTH on shallow clones).
  after_script:
    # Convert Terraform Plan to JSON for Boost usage (on HEAD and optionally on the BASE of the MR)
    - gitlab-terraform show -json ${TF_ROOT}/plan.cache > boost.tfplan.head.json
    - |
      if [[ -n $CI_MERGE_REQUEST_IID ]]; then
        git checkout $CI_MERGE_REQUEST_DIFF_BASE_SHA;
        TF_PLAN_CACHE=${TF_ROOT}/plan.base.cache gitlab-terraform plan;
        gitlab-terraform show -json ${TF_ROOT}/plan.base.cache > boost.tfplan.base.json;
      fi
  artifacts:
    # Plan JSON carries resolved resource values, which may include sensitive
    # data. public: false keeps it off anonymous download, but project members
    # can still fetch it; consider adding an expire_in.
    public: false
    paths:
      - ${TF_ROOT}/plan.cache
      # Only produced on merge request pipelines; absent on branch pushes.
      - boost.tfplan.base.json
      - boost.tfplan.head.json
    reports:
      terraform: ${TF_ROOT}/plan.json
boost-terraform:
  stage: boost
  # .boost_scan comes from the remote scanner.yml include.
  extends:
    - .boost_scan
  variables:
    BOOST_SCANNER_REGISTRY_MODULE: "boostsecurityio/checkov-tf-plan"
    # Runs before the scanner and selects which pre-generated plan to scan.
    # On merge requests the working tree is compared against
    # CI_MERGE_REQUEST_DIFF_BASE_SHA — presumably the scanner runs once on the
    # base and once on HEAD — and the matching plan from the build job's
    # artifacts is copied into place.
    BOOST_PRE_SCAN: |
      # Use the pre-generated Terraform Plan based on the different scenarios
      if [[ -n $CI_MERGE_REQUEST_IID ]]; then
        if [[ "$(git rev-parse HEAD)" = "$CI_MERGE_REQUEST_DIFF_BASE_SHA" ]]; then
          cp $CI_PROJECT_DIR/boost.tfplan.base.json ./boost.tfplan.json
        else
          cp $CI_PROJECT_DIR/boost.tfplan.head.json ./boost.tfplan.json
        fi
      else
        cp $CI_PROJECT_DIR/boost.tfplan.head.json ./boost.tfplan.json
      fi
    # Same policy as the "Tags policy" JSON above, kept on one line and
    # single-quoted so YAML does not parse the leading "{" as a flow mapping.
    BOOST_TF_TAGS_POLICY: '{"version":"v1.0.0","enforcement_policy":"lax","supported_resources":["aws_s3_bucket"],"remediation_message":"For more information, please check our wiki...","required_tags":["db-cloud","db-owner","db-environment","db-purpose"],"allowed_tag_values":{"db-cloud":["AWS","GCP","Azure"],"db-environment":["dev","staging","prod"]}}'
deploy:
  extends: .terraform:deploy
  # Pull the build job's artifacts (the cached plan) into this job.
  dependencies:
    - build
  environment:
    name: $TF_STATE_NAME
    action: start