Regula is a tool that evaluates CloudFormation and Terraform infrastructure-as-code for potential AWS, Azure, and Google Cloud security misconfigurations and compliance violations prior to deployment. This is a GitHub Action to run Regula against your repository.
Here's an example workflow file. It checks three different IaC configurations: one Terraform directory and two CloudFormation templates:
```yaml
on: [push]
jobs:
  regula_tf_job:
    runs-on: ubuntu-latest
    name: Regula Terraform
    steps:
      - uses: actions/checkout@master
      - uses: fugue/[email protected]
        with:
          input_path: infra_tf
          include: example_custom_rule
  regula_cfn_job:
    runs-on: ubuntu-latest
    name: Regula CloudFormation
    steps:
      - uses: actions/checkout@master
      - uses: fugue/[email protected]
        with:
          input_path: infra_cfn/cloudformation.yaml
  regula_valid_cfn_job:
    runs-on: ubuntu-latest
    name: Regula Valid CloudFormation
    steps:
      - uses: actions/checkout@master
      - uses: fugue/[email protected]
        with:
          input_path: infra_valid_cfn/cloudformation.yaml
  regula_multi_cfn_job:
    runs-on: ubuntu-latest
    name: Regula multiple CloudFormation templates
    steps:
      - uses: actions/checkout@master
      - uses: fugue/[email protected]
        with:
          input_path: '*/cloudformation.yaml'
  regula_input_list_job:
    runs-on: ubuntu-latest
    name: Regula on CloudFormation and Terraform
    steps:
      - uses: actions/checkout@master
      - uses: fugue/[email protected]
        with:
          input_path: |
            infra_cfn/cloudformation.yaml
            infra_valid_cfn/cloudformation.yaml
            infra_tf
  regula_tf_plan_job:
    runs-on: ubuntu-latest
    name: Regula on a Terraform plan JSON
    steps:
      - uses: actions/checkout@master
      - uses: hashicorp/setup-terraform@v1
        with:
          # See the note below for why this option is necessary.
          terraform_wrapper: false
          terraform_version: 1.0.8
      - run: |
          cd infra_tf
          terraform init
          terraform plan -refresh=false -out="plan.tfplan"
          terraform show -json plan.tfplan > plan.json
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
      - uses: fugue/[email protected]
        with:
          input_path: infra_tf/plan.json
          input_type: tf-plan
          include: example_custom_rule
```
You can see this example in action in the regula-ci-example.
The action accepts the following inputs:

- `input_path`: One or more Terraform directories, Terraform JSON plans, or CloudFormation templates. Accepts space-separated or newline-separated filenames and/or globbing expressions. Defaults to `.` (the root of your repository).
- `config`: Path to the `.regula.yaml` file. By default Regula will look in the current working directory and its parents.
- `environment_id`: Environment ID in Fugue.
- `exclude`: Rule IDs or names to exclude. This can be a space- or newline-separated list.
- `include`: Custom rule and configuration paths passed in to the Regula interpreter. This can be a space- or newline-separated list.
- `input_type`: The input types that Regula will evaluate. Defaults to `auto`, which evaluates all supported types. Possible values are:
  - `auto`
  - `tf-plan` -- Terraform plan JSON files
  - `cfn` -- CloudFormation templates in YAML/JSON
  - `tf` -- Terraform directories or files
  - `k8s` -- Kubernetes manifests in YAML format
- `no_built_ins`: Disable the built-in Regula rules. Set to `"true"` if you only want to run custom rules.
- `no_config`: Do not look for or load a Regula config file. Set to `"true"` to enable this option.
- `no_ignore`: Disable use of `.gitignore`. Set to `"true"` to enable this option.
- `only`: Rule IDs or names to run. All other rules will be excluded. This can be a space- or newline-separated list.
- `severity`: The minimum severity at which Regula will produce a non-zero exit code for failing rules. Defaults to `unknown`. Use `off` to always produce a zero exit code. Possible values are:
  - `unknown`
  - `informational`
  - `low`
  - `medium`
  - `high`
  - `critical`
  - `off`
- `sync`: Fetch rules and configuration from Fugue. Set to `"true"` to enable this option.
- `upload`: Upload results to Fugue. Set to `"true"` to enable this. Requires `sync` to be set as well.
- `rego_paths`: Custom rule and configuration paths passed in to the Regula interpreter.
- `user_only`: Disable the built-in Regula rules. Set to `true` if you only want to run custom rules.
You can easily integrate this action with Fugue.

1. Set `sync` and `upload` to true in the input values:

   ```yaml
   - uses: fugue/[email protected]
     with:
       sync: "true"
       upload: "true"
   ```

   Note that setting `upload` will require you to set an environment ID as well. You can either specify that in the `.regula.yaml` or pass it in as an input value.

2. Set up the `FUGUE_API_ID` and `FUGUE_API_SECRET` environment variables for the action. You can find more info about these in the Fugue API Documentation.
These options still function, but we encourage you to update your configurations before they are removed in a future release.

- `user_only` is deprecated. Use `no_built_ins` instead.
- `rego_paths` is deprecated. Use `include` instead.
- `terraform_directory` is deprecated. Use `input_path` instead.
To use Regula to evaluate the infrastructure-as-code in your own repository via GitHub Actions, see the instructions in regula-ci-example. The example walks through how to use this GitHub Action in your own repo.
The `hashicorp/setup-terraform` action can be used to generate a Terraform plan JSON file that Regula can evaluate. By default, the `hashicorp/setup-terraform` action wraps the `terraform` binary with a script that outputs some additional information for each command it executes. It's necessary to use the `terraform_wrapper: false` option, as we're doing in the example above, in order for the plan JSON file to be valid.
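A pre-check you can run between the `terraform show -json` step and the Regula step to catch an invalid plan file early (for instance one polluted by extra command output) rather than letting Regula fail on it. This is an added example, not code from the Regula action or the Regula project; the sample plan documents are constructed here and are not output from the example repository.

```python
import json
import sys

# Constructed sample: a minimal document in the shape of `terraform show -json`
# output (format_version / resource_changes are real plan-JSON keys; the values
# are made up for this example).
VALID_PLAN = json.dumps({
    "format_version": "1.0",
    "terraform_version": "1.0.8",
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"actions": ["create"]}}
    ],
})

# Constructed sample: the same document with a non-JSON line in front of it,
# the kind of pollution a command wrapper echoing extra output can cause.
WRAPPED_PLAN = "extra wrapper output line\n" + VALID_PLAN


def check_plan_json(text):
    """Return (ok, reason). ok is True only when `text` parses as a JSON
    object that carries `format_version` and at least one of
    `resource_changes` / `planned_values`, i.e. looks like a Terraform plan."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Point at the offending line so the workflow log shows the pollution.
        lines = text.splitlines()
        bad = lines[exc.lineno - 1] if 0 < exc.lineno <= len(lines) else ""
        return False, "not valid JSON at line %d: %r" % (exc.lineno, bad[:60])
    if not isinstance(doc, dict) or "format_version" not in doc:
        return False, "JSON parsed but is not a plan (no format_version key)"
    if not ({"resource_changes", "planned_values"} & set(doc.keys())):
        return False, "plan has neither resource_changes nor planned_values"
    return True, "plan JSON looks valid (format_version %s)" % doc["format_version"]


def check_plan_file(path):
    """Read a plan file from disk and run check_plan_json on it."""
    with open(path, encoding="utf-8") as fh:
        return check_plan_json(fh.read())


if __name__ == "__main__":
    # Usage: python check_plan.py infra_tf/plan.json  (exit 1 on a bad plan)
    ok, reason = check_plan_file(sys.argv[1] if len(sys.argv) > 1 else "plan.json")
    print(reason)
    sys.exit(0 if ok else 1)
```

Wire it in as a `run:` step right after the `terraform show -json` command; its non-zero exit stops the job before Regula is invoked on a file it cannot parse.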