defsec
feat(terraform): terraform metadata adapter for rego rules
This PR adds a `terraform` object to the rego state containing metadata about various Terraform internals/structures.
## Modules

The `modules` attribute matches every module block in the input HCL, ex:

```hcl
module "consul" {
  source  = "app.terraform.io/example-corp/k8s-cluster/azurerm"
  version = "1.1.0"
}
```
The corresponding rego input is an array of objects with the `source` and `version` attributes. A custom rego rule could be to prevent usage of modules outside of an allowed list of sources (ex: `github.com/org/*`) or even just block the usage of older versions that had an insecure default:

```rego
deny[res] {
  module := input.terraform.modules[_]
  not startswith(module.source.value, "github.com/org/")
  res := result.new("untrusted module source", module.source)
}
```
## Provisioner

The `provisioner` attribute adds the relevant parser/adapter for Terraform Provisioners, which can be used to execute commands locally or remotely when a resource is created/updated/deleted, ex:

```hcl
resource "null_resource" "pwn" {
  provisioner "local-exec" {
    command = "whoami"
  }
}
```
The corresponding rego input contains attributes from the three builtin provisioners (`local-exec`, `remote-exec` and `file`) such as `command`, and in the case of remote provisioners, details of the connection block.

A custom rego rule could be applied either blocking their usage outright, or applying filtering such as restricting the allowed commands, ex:
```rego
deny[res] {
  # count the array itself; count(localexecs[_]) would count the keys of each element instead
  count(input.terraform.provisioner.localexecs) > 0
  res := result.new("One or more local exec provisioners are configured", input.terraform.provisioner.localexecs[_])
}
```
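As an added example (not code from this PR or from defsec itself), the checks the description sketches but does not spell out, written against the input shape it describes: a source allow-list with several prefixes, a minimum-version check for modules whose older releases had an insecure default, a missing-pin check, and a command allow-list for `local-exec` provisioners. The package name, the allow-lists and the version table are constructed for illustration. It assumes `version` and `command` are exposed like `source`, as attribute objects with a `.value`, that `version` holds an exact release rather than a constraint like `~> 1.1`, and that an unset `version` is simply absent from the module object.

```rego
package custom.terraform.supplychain

import future.keywords.in

# Constructed allow-list of module source prefixes (assumption, not part of the PR).
allowed_source_prefixes := [
	"github.com/org/",
	"app.terraform.io/example-corp/",
]

# Constructed table of modules whose earlier releases shipped an insecure default,
# mapped to the first version considered safe (assumption, not part of the PR).
min_module_version := {
	"app.terraform.io/example-corp/k8s-cluster/azurerm": "1.1.0",
}

# Constructed allow-list of commands a local-exec provisioner may run (assumption).
allowed_local_exec_commands := {"terraform fmt -check", "whoami"}

# Module source outside the allow-list.
deny[res] {
	module := input.terraform.modules[_]
	not source_allowed(module.source.value)
	res := result.new(
		sprintf("untrusted module source %q", [module.source.value]),
		module.source,
	)
}

# Module pinned to a release that predates the fix for an insecure default.
# Assumes `version` is an attribute with a `.value` holding an exact semver release;
# semver.is_valid skips constraint strings such as "~> 1.1", which cannot be compared.
deny[res] {
	module := input.terraform.modules[_]
	min := min_module_version[module.source.value]
	semver.is_valid(module.version.value)
	semver.compare(module.version.value, min) < 0
	res := result.new(
		sprintf("module %q pinned to %s; releases before %s use an insecure default",
			[module.source.value, module.version.value, min]),
		module.version,
	)
}

# Module from the tracked table with no version pin at all: Terraform resolves the
# newest release today, but nothing in the config prevents an older one later.
# Assumes an unset version is absent from the object, so `.value` is undefined.
deny[res] {
	module := input.terraform.modules[_]
	min_module_version[module.source.value]
	not module.version.value
	res := result.new(
		sprintf("module %q has no version pin", [module.source.value]),
		module.source,
	)
}

# local-exec provisioner running a command outside the allow-list.
# Assumes `command` is an attribute with a `.value`, like `source`.
deny[res] {
	provisioner := input.terraform.provisioner.localexecs[_]
	not provisioner.command.value in allowed_local_exec_commands
	res := result.new(
		sprintf("local-exec command %q is not allowed", [provisioner.command.value]),
		provisioner.command,
	)
}

source_allowed(src) {
	some prefix in allowed_source_prefixes
	startswith(src, prefix)
}
```

The `result.new` helper is the one shown in the PR's own rules; `semver.is_valid`, `semver.compare`, `sprintf` and `startswith` are standard OPA builtins. Checking `semver.is_valid` before `semver.compare` matters in practice, because Terraform module blocks commonly carry a version constraint rather than an exact release, and comparing a constraint string would make the rule undefined instead of reporting anything.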
This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 10 days.
This PR was closed because it has been stalled for 7 days with no activity.