Fugue open sources Regula, security and compliance tool for Terraform
Tracking security misconfigurations and compliance violations in Terraform infrastructure-as-code can be a headache. Fugue has now open sourced Regula, a tool that checks Terraform code for such problems before anything is deployed. Let’s take a closer look.
Last week, cloud infrastructure security and compliance provider Fugue open sourced one of its tools, Regula. From the press release, it “is a tool that evaluates Terraform infrastructure-as-code for security misconfigurations and compliance violations prior to deployment. Regula rules are written in Rego, the open source policy language employed by the Open Policy Agent project, and can be integrated into CI/CD pipelines to prevent cloud infrastructure deployments that may violate security and compliance best practices.”
A bit about Regula
Regula evaluates Terraform code before it is applied, so security and compliance problems are caught before the change ever reaches a cloud account. Run as a CI/CD step, it acts as a gate: a change is only passed on to the next stage if every rule passes; a violated rule fails the step and blocks the deployment.
One of the useful things about Regula is that it catches misconfigurations that the more common compliance checklists might not flag. For example, it checks that IAM policies do not grant full administrative privileges (an Allow of every action on every resource, the `"*"` on `"*"` pattern) and that policies are not attached directly to IAM users rather than to groups or roles. A full list of the rules can be found on the GitHub repo.
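To make the two IAM rules above concrete, here is a small Python checker added for this article (it is not Regula's own code, which is written in Rego). It reads a Terraform plan in the JSON format that `terraform show -json plan.tfplan` emits, flags policies that grant full `"*"` on `"*"` access and policies attached directly to users, and exits non-zero so a CI stage fails. The plan excerpt is constructed for the example; the resource type and attribute names follow the AWS provider schema, and an unknown (computed-at-apply) policy value is skipped rather than mis-reported.

```python
"""Regula-style IAM checks over a Terraform plan JSON (illustrative example).

Only `resource_changes[].type`, `.address`, `.change.actions` and
`.change.after` from the `terraform show -json` output are used.
"""
from __future__ import annotations

import json
import sys
from typing import Any

# Resource types whose `policy` attribute holds an inline IAM policy document.
INLINE_POLICY_TYPES = {
    "aws_iam_policy", "aws_iam_user_policy",
    "aws_iam_role_policy", "aws_iam_group_policy",
}
# Resource types that attach a policy directly to a user.
USER_ATTACHMENT_TYPES = {"aws_iam_user_policy", "aws_iam_user_policy_attachment"}


def _as_list(value: Any) -> list:
    """IAM allows Statement/Action/Resource to be a single item or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def grants_full_admin(policy_doc: dict) -> bool:
    """True if any Allow statement grants every action on every resource."""
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        resources = set(_as_list(stmt.get("Resource")))
        if actions & {"*", "*:*"} and "*" in resources:
            return True
    return False


def check_plan(plan: dict) -> list[str]:
    """Return one finding per violated rule; an empty list means the plan is clean."""
    findings: list[str] = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("actions") == ["delete"]:
            continue  # removing a resource cannot introduce a violation
        after = change.get("after") or {}
        rtype, addr = rc.get("type"), rc.get("address")

        if rtype in INLINE_POLICY_TYPES:
            raw = after.get("policy")
            if raw is not None:  # None: value only known at apply time, cannot judge
                try:
                    doc = json.loads(raw)
                except (TypeError, ValueError):
                    findings.append(f"{addr}: policy attribute is not valid JSON")
                    continue
                if grants_full_admin(doc):
                    findings.append(f"{addr}: policy grants full '*' on '*' admin access")

        if rtype in USER_ATTACHMENT_TYPES:
            findings.append(f"{addr}: policy attached directly to user {after.get('user')!r}")
        elif rtype == "aws_iam_policy_attachment" and after.get("users"):
            findings.append(f"{addr}: policy attached directly to users {after['users']}")
    return findings


def _policy(statements: list[dict]) -> str:
    return json.dumps({"Version": "2012-10-17", "Statement": statements})


# Constructed sample plan (not real Terraform output): one admin policy,
# one scoped policy, one direct user attachment, one group attachment.
SAMPLE_PLAN = {
    "format_version": "0.1",
    "resource_changes": [
        {"address": "aws_iam_policy.admin", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {"name": "admin", "policy": _policy(
             [{"Effect": "Allow", "Action": "*", "Resource": "*"}])}}},
        {"address": "aws_iam_policy.s3_read", "type": "aws_iam_policy",
         "change": {"actions": ["create"], "after": {"name": "s3-read", "policy": _policy(
             [{"Effect": "Allow", "Action": ["s3:GetObject"],
               "Resource": "arn:aws:s3:::example-bucket/*"}])}}},
        {"address": "aws_iam_user_policy_attachment.alice_admin",
         "type": "aws_iam_user_policy_attachment",
         "change": {"actions": ["create"], "after": {
             "user": "alice", "policy_arn": "arn:aws:iam::123456789012:policy/admin"}}},
        {"address": "aws_iam_group_policy_attachment.ops_s3",
         "type": "aws_iam_group_policy_attachment",
         "change": {"actions": ["create"], "after": {
             "group": "ops", "policy_arn": "arn:aws:iam::123456789012:policy/s3-read"}}},
    ],
}


def main(argv: list[str]) -> int:
    """CI entry point: check a plan JSON file (or the sample) and exit 1 on findings."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    else:
        plan = SAMPLE_PLAN
    findings = check_plan(plan)
    for finding in findings:
        print("FAIL", finding)
    print("PASS" if not findings else f"{len(findings)} violation(s); blocking deployment")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a pipeline the script would run right after `terraform plan -out=plan.tfplan && terraform show -json plan.tfplan > plan.json`, and the non-zero exit is what stops the apply stage. On the sample plan it reports two violations (the `*`-on-`*` policy and the attachment to user `alice`) and lets the scoped S3 policy and the group attachment through.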
Regula initially supports rules that validate Terraform scripts written for AWS infrastructure, and includes mapping to CIS AWS Foundations Benchmark controls where relevant. Regula also includes helper libraries that enable users to easily build their own rules that conform to enterprise policies. At launch, Fugue has provided examples of Regula working with GitHub Actions for CI/CD, and with Fregot, a tool that enables developers to easily evaluate Rego expressions, debug code, and test policies. Fugue open sourced Fregot in November 2019.
Why open source?
When we asked why they decided to open source the tool, Fugue co-founder and CEO Josh Stella said:
When it comes to tools for developers to use, especially tools they’ll need to use locally, those should be open source. That’s how the ecosystem needs to work because it gives the community a chance to develop these tools for their own specific use cases. With Regula we are creating what we hope will be the standard place for the community to contribute to these security checks for infrastructure as code.
Regula is available on Fugue’s GitHub repo.