Regula adds another element of control to cloud infrastructure as code


Cloud security company Fugue has pushed Regula into the open, providing a way of checking Terraform plans for AWS infrastructure for misconfigurations.

The initial release promises to support security and compliance efforts by identifying scripts containing IAM policies and security group rules that could be too permissive, untagged cloud resources, or EBS volumes without proper encryption amongst other things. 

The project does this by checking if a Terraform plan complies to a set of rules written in Rego, a query language inspired by monitoring company Datadog which is used in the Open Policy Agent project. A simple exemplary rule would be that new volumes have to be encrypted by default. Ops folks can either write those themselves or take them from the Regula rule library, which at this point only contains policies for AWS but should see more rules being transferred in the coming weeks.

If no breaches are found, the tool allows the plan to be deployed to the cloud for infrastructure provisioning. To automate the process, Regula can be integrated into workflows with CI/CD tools such as Jenkins or AWS CodePipeline. A GitHub Action for integration into the repository management service can be found in Fugue’s repository.

Regula is made up of a shell script and a Rego framework. The first is needed to turn the Terraform plan into a JSON, since the tool uses the Open Policy Agent which can only read the latter format. The framework then extracts planned_values and configuration information from the plan and transforms them into another format, looks for rules to execute, and compiles the results into a report and a control mapping other tools can use.

Regula is protected under the GNU Affero General Public License, and, even though it is heavily referenced in the documentation, supposed to work independently from other, commercial Fugue projects.