Cloud Contracts as Code are examples of using the Dome9 Terraform Provider to build a Cloud Security Contract or Compliance Ruleset for the public cloud. By using Terraform for your cloud contracts, you automate the process of creating and maintaining your policies and guardrails.
The example configuration supports building custom rules for Azure, AWS and GCP with the Dome9 GSL language. It creates an email alert and attaches it to the specified cloud account through a notification policy.
An additional CloudBot alert and notification policy is configured with the specified SNS topic ARN for automatic remediation through Cloudbots.io. For the remediation to run, the CloudBots must be installed in your cloud account first.
- Terraform 0.12.x
- Terraform Dome9 Provider > 1.17.x
- Storage Buckets must always be encrypted
- Storage buckets must always be Private unless tagged with: PublicBucketXYZ
- Load Balancers use TLS 1.2 and above
- In PROD and STAGE only use RHEL 7.3
- Everyone must use SSO with MFA enabled
- DEV should only use US-East2 or US-West2
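The following is an added example, not code from this repository, showing how two of the example policies above can be expressed with the building blocks the configuration described at the top uses: a custom `dome9_ruleset` holding GSL rules, a `dome9_continuous_compliance_notification` for the email alert and the CloudBot SNS topic, and a `dome9_continuous_compliance_policy` that binds both to one AWS account. The resource and argument names follow the Dome9 provider documentation as recalled here and should be confirmed against the provider version you install; the GSL `logic` strings are illustrative and must be validated in the CloudGuard rule editor before use; splitting `email_recipients` on commas is an assumption about how that variable is filled in.

```hcl
# Added example (not part of this repository). Resource and argument names are
# taken from the Dome9 provider docs as recalled; verify against your provider
# version. GSL logic strings are illustrative and must be checked against the
# CloudGuard GSL reference before use.

variable "dome9_access_id"     { type = string }
variable "dome9_secret_key"    { type = string }
variable "email_recipients"    { type = string } # assumed comma-separated
variable "sns_topic_arn"       { type = string }
variable "aws_cloud_account_id" { type = string }
variable "aws_account_number"   { type = string }

provider "dome9" {
  dome9_access_id  = var.dome9_access_id
  dome9_secret_key = var.dome9_secret_key
}

# Custom ruleset: each rule is one line of the cloud contract.
resource "dome9_ruleset" "contract_aws" {
  name         = "cloud-contract-aws"
  description  = "Storage guardrails from the cloud contract"
  cloud_vendor = "aws"
  language     = "en"

  rules {
    name        = "Storage buckets must always be encrypted"
    severity    = "high"
    description = "Every S3 bucket must have default server-side encryption"
    # Illustrative GSL (assumption): confirm the attribute path in the rule editor.
    logic       = "S3Bucket should have encryption"
  }

  rules {
    name        = "Storage buckets must be private unless tagged PublicBucketXYZ"
    severity    = "high"
    description = "Public ACL grants are only allowed on explicitly tagged buckets"
    # Illustrative GSL (assumption): confirm the attribute paths in the rule editor.
    logic       = "S3Bucket where not tags contain [key='PublicBucketXYZ'] should not have acl.grants contain [uri like '%AllUsers']"
  }
}

# One notification carries both the email alert and the CloudBot SNS trigger.
# Remediation only happens if CloudBots are already installed in the account.
resource "dome9_continuous_compliance_notification" "contract" {
  name           = "cloud-contract-alerts"
  description    = "Email the contract owners and hand findings to CloudBots"
  alerts_console = true

  change_detection {
    email_sending_state                = "Enabled"
    email_per_finding_sending_state    = "Disabled"
    sns_sending_state                  = "Enabled"
    external_ticket_creating_state     = "Disabled"
    aws_security_hub_integration_state = "Disabled"
    webhook_integration_state          = "Disabled"

    email_data {
      recipients = split(",", var.email_recipients) # assumption: comma-separated list
    }

    sns_data {
      sns_topic_arn     = var.sns_topic_arn
      sns_output_format = "JsonFullEntity"
    }
  }
}

# Continuous-compliance policy: ruleset + notification bound to one AWS account.
resource "dome9_continuous_compliance_policy" "aws" {
  cloud_account_id    = var.aws_cloud_account_id
  external_account_id = var.aws_account_number
  cloud_account_type  = "Aws"
  bundle_id           = dome9_ruleset.contract_aws.id
  notification_ids    = [dome9_continuous_compliance_notification.contract.id]
}
```

Keeping the ruleset, the notification and the policy as separate resources is what makes the contract maintainable: a new guardrail is a new `rules` block and a `terraform plan` shows exactly which rule changed, while the notification and account binding stay untouched.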
- Clone the repository and create a `terraform.tfvars` file in the root folder with contents like these (fill in your own values):

```hcl
### General settings
dome9_access_id  = ""
dome9_secret_key = ""
email_recipients = ""
sns_topic_arn    = ""
### AWS Settings, if applicable
use_aws              = true
aws_cloud_account_id = ""
aws_account_number   = ""
### Azure Settings, if applicable
use_azure                  = true
azure_cloud_account_id     = ""
azure_account_subscription = ""
### Google Settings, if applicable
use_gcp              = true
gcp_cloud_account_id = ""
gcp_project_id       = ""
```
- From a command line, initialize the Terraform configuration directory: `terraform init`
- Create an execution plan: `terraform plan`
- Create or modify the deployment: `terraform apply`