Create resources and policies from Terraform
You can manage your Panoptica environments from Terraform files. Add Panoptica resources to the same files you already use to manage your Kubernetes clusters, and Terraform creates and updates the corresponding Panoptica entities alongside the clusters themselves.
The Panoptica Terraform Provider
To use Terraform to manage your Panoptica environments, you must first configure Terraform to pull the Panoptica Terraform Provider from the Terraform Registry:
```hcl
terraform {
  required_providers {
    securecn = {
      source  = "Portshift/securecn"
      version = ">= 1.1.0"
    }
  }
}
```
Use the Terraform Provider
The resources in the following sections can be invoked to create and modify entities in the Panoptica environment.
Follow these steps to create a resource:
- In the folder containing your Terraform files, initialize the working directory so that Terraform downloads the provider:
```shell
terraform init
```
- Edit a Terraform configuration file (.tf) to include the resource and its keys, as in the example below (using the securecn_k8s_cluster resource, which registers a cluster in Panoptica).
```hcl
provider "securecn" {
  access_key = "**********"
  secret_key = "**********"
}

resource "securecn_k8s_cluster" "myCluster" {
  kubernetes_cluster_context           = "clusterContext"
  name                                 = "mySecureCNCluster"
  ci_image_validation                  = false
  cd_pod_template                      = false
  connections_control                  = true
  multi_cluster_communication_support  = false
  inspect_incoming_cluster_connections = false
  fail_close                           = false
  persistent_storage                   = false
}
```
Replace access_key and secret_key with your actual key values, as described above (Prerequisites). Alternatively, and preferably, export them as the environment variables SECURECN_ACCESS_KEY and SECURECN_SECRET_KEY and remove the "securecn" provider block from the file: keys written into a .tf file are easily committed to version control, whereas environment variables stay on the host that runs Terraform.
- Run the following command from the folder with the Terraform file. Terraform prints the planned changes and asks for confirmation; review them (or run terraform plan first to preview without applying), then confirm to create or modify the resource with the parameters configured in the file.
```shell
terraform apply
```
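Before confirming an apply, a practitioner usually reviews the saved plan rather than the interactive prompt, because the plan can be archived and checked by a script. The script below is an added example, not part of the provider or its documentation. It reads the JSON form of a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`), lists which securecn resources will be created, updated, replaced or destroyed, and flags provider credentials that were written into the configuration as literals instead of being supplied through SECURECN_ACCESS_KEY and SECURECN_SECRET_KEY. The embedded plan is constructed to match the cluster example above; the JSON layout (`resource_changes`, `configuration.provider_config`) is Terraform's own.

```python
import json
from typing import Dict, List

# Constructed sample of `terraform show -json tfplan` output, trimmed to the
# fields used below. It mirrors the securecn_k8s_cluster example above, adds a
# rule being removed, and deliberately carries the provider keys as literals.
SAMPLE_PLAN_JSON = r'''
{
  "format_version": "1.2",
  "resource_changes": [
    {
      "address": "securecn_k8s_cluster.myCluster",
      "type": "securecn_k8s_cluster",
      "change": {
        "actions": ["create"],
        "before": null,
        "after": {"kubernetes_cluster_context": "clusterContext",
                  "name": "mySecureCNCluster", "connections_control": true}
      }
    },
    {
      "address": "securecn_connection_rule.old_rule",
      "type": "securecn_connection_rule",
      "change": {"actions": ["delete"], "before": {"rule_name": "old"}, "after": null}
    }
  ],
  "configuration": {
    "provider_config": {
      "securecn": {
        "name": "securecn",
        "expressions": {
          "access_key": {"constant_value": "********-****-****-****-************"},
          "secret_key": {"constant_value": "********************************************"}
        }
      }
    }
  }
}
'''

SECURECN_PREFIX = "securecn_"
PROVIDER_SECRETS = ("access_key", "secret_key")


def summarize_changes(plan: dict) -> Dict[str, List[str]]:
    """Group the addresses of planned securecn resources by Terraform action.

    A delete+create pair is reported as 'replace': Panoptica sees the entity
    removed and re-created, which is not the same as an in-place update."""
    summary: Dict[str, List[str]] = {"create": [], "update": [], "delete": [], "replace": []}
    for rc in plan.get("resource_changes", []):
        if not rc.get("type", "").startswith(SECURECN_PREFIX):
            continue
        actions = rc["change"]["actions"]
        if "delete" in actions and "create" in actions:
            summary["replace"].append(rc["address"])
        elif actions != ["no-op"]:
            summary.setdefault(actions[0], []).append(rc["address"])
    return summary


def literal_provider_credentials(plan: dict) -> List[str]:
    """Return securecn provider arguments that were written as literals.

    Terraform's plan JSON records a literal provider argument under
    configuration.provider_config.<provider>.expressions.<arg>.constant_value.
    Arguments supplied via SECURECN_ACCESS_KEY / SECURECN_SECRET_KEY are
    absent from the configuration and so never appear here."""
    found = []
    providers = plan.get("configuration", {}).get("provider_config", {})
    for key, conf in providers.items():
        if conf.get("name") != "securecn":
            continue
        expressions = conf.get("expressions", {})
        for arg in PROVIDER_SECRETS:
            if "constant_value" in expressions.get(arg, {}):
                found.append(f"{key}.{arg}")
    return found


def review_plan(plan_json: str) -> dict:
    plan = json.loads(plan_json)
    return {"changes": summarize_changes(plan),
            "literal_credentials": literal_provider_credentials(plan)}


if __name__ == "__main__":
    import sys
    # Usage: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    #        python review_plan.py plan.json   (no argument: runs on the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    report = review_plan(text)
    for action, addresses in report["changes"].items():
        for address in addresses:
            print(f"{action:8} {address}")
    if report["literal_credentials"]:
        print("WARNING: literal provider credentials in configuration:",
              ", ".join(report["literal_credentials"]))
        sys.exit(1)
```

Run on the sample it prints the cluster under create, the old rule under delete, and exits non-zero because both keys are literals; once the provider block is removed and the keys come from the environment, the warning disappears and the script exits 0, which makes it usable as a gate in a pipeline step before `terraform apply tfplan`.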
Resources
You can use the resources described in the following sections to create or modify entities in your Panoptica environment.
Create and modify clusters
This resource creates a cluster in your environment.
Resource name
securecn_k8s_cluster
Use
```hcl
resource "securecn_k8s_cluster" "myCluster" {
  kubernetes_cluster_context           = "clusterContext"
  name                                 = "mySecureCNCluster"
  ci_image_validation                  = false
  cd_pod_template                      = false
  connections_control                  = true
  multi_cluster_communication_support  = false
  inspect_incoming_cluster_connections = false
  fail_close                           = false
  persistent_storage                   = false
  minimum_replicas                     = 2
}
```
Resource reference
Field | Description |
---|---|
kubernetes_cluster_context | The context, in your local kubeconfig, of the Kubernetes cluster to be added to Panoptica. |
name | Name of the cluster in Panoptica. |
orchestration_type (optional) | Orchestration type of the Kubernetes cluster. Valid values: "GKE", "OPENSHIFT", "RANCHER", "AKS", "EKS", "KUBERNETES", "IKS". Default: "GKE". |
ci_image_validation (optional) | Panoptica validates images against the hash value generated by the Panoptica CI Plugin. If the hash value does not match, the pod is marked as unknown. |
cd_pod_template (optional) | Panoptica identifies new Pod template workloads deployed to the cluster by a CD tool that has the Panoptica CD plugin installed, and treats Pod templates running on the cluster but not identified by the CD plugin as 'unknown'. |
connections_control (optional) | Panoptica tracks connections to the workloads deployed on the cluster and applies the Runtime Connection Policy to them. |
multi_cluster_communication_support (optional) | Enables the Panoptica controller to discover pods on other clusters in a multi-cluster environment. Must be enabled in order to apply runtime policies to workloads across multiple clusters. |
inspect_incoming_cluster_connections (optional) | Connection rules with external IP-based sources are enforced, and external sources are shown with their IP address. When switched off, these rules are not enforced and the external IP address is not shown. |
istio_ingress_enabled (optional) | When the controller installs Istio, whether to use the Istio ingress. |
istio_ingress_annotations (optional) | A map of annotations to apply to the Istio ingress resource. |
istio_version (optional) | The Istio version that is installed (used when istio_already_installed is true). |
istio_already_installed (optional) | If true, Istio is already installed in the cluster and istio_version gives the installed version. If false, the controller installs Istio. |
fail_close (optional) | When enabled, workloads and connections are blocked if the Panoptica controller is not responding. When disabled, the cluster fails open: nothing is blocked while the controller is unavailable. |
persistent_storage (optional) | The controller saves the policy to persistent storage (disk), so it is available after a pod restart without being copied from the server again. Requires 128MB of storage. |
minimum_replicas (optional) | The minimum number of controller replicas (applicable only when persistent_storage is false). |
external_https_proxy (optional) | If your cluster reaches the internet through an HTTP proxy, set this to the address of the proxy. |
external_ca (optional) | Use an external CA for this cluster. Fields: id, the ID of the external CA (required); name, the name of the external CA. |
token_injection (optional) | Whether the token injection feature is enabled. Default: false. |
trace_analyzer (optional) | Whether the trace analyzer is enabled. Default: false. |
tls_inspection (optional) | Whether TLS inspection is enabled. Default: false. |
service_discovery_isolation (optional) | Whether service discovery isolation is enabled. Default: false. |
api_intelligence_dast (optional) | Enable the API Intelligence DAST integration. Default: false. |
internal_registry (optional) | Use an internal container registry for this cluster. Fields: url, the URL of the internal registry (required). |
restrict_registries (optional) | Workloads from untrusted registries are marked as 'unknown'. |
auto_labeling (optional) | Enable auto-labelling of new Kubernetes namespaces. |
Modify an existing cluster
You can modify the cluster as it is defined in Panoptica (the name, or any of its parameters) by modifying the Terraform plan file, and then applying it again. Terraform detects the changes, and makes the changes to the cluster in Panoptica.
Similarly, you can remove the cluster from Panoptica by removing the resource from the Terraform file and applying again. Terraform detects this change and removes the cluster from Panoptica. This is a destructive change, so review the plan Terraform prints before confirming it.
Create and modify Panoptica Environments
This resource creates or modifies Environments for resources directly from Terraform files.
Resource name
securecn_environment
Use
```hcl
resource "securecn_environment" "staging" {
  name        = "staging"
  description = "our staging environment"
  risk        = "MEDIUM"

  kubernetes_environment {
    cluster_name = securecn_k8s_cluster.myCluster.name
    namespaces_by_labels = {
      env = "staging"
      app = "finance"
    }
  }
}
```
You can use the following fields to specify different cluster and namespace combinations (see Environments).
Resource reference
Field | Description |
---|---|
name | Name of the environment. |
description | Description of the environment. |
risk | Risk level for the environment: the maximum risk level of workloads running in this environment. Values: "LOW", "MEDIUM", "HIGH" |
kubernetes_environment | The Kubernetes environments to include in the Panoptica environment. See reference below. |
kubernetes_environment block reference
Field | Description |
---|---|
cluster_name | The name of the Kubernetes cluster in Panoptica for this environment. |
namespaces_by_names (optional) | The env will match namespaces using namespace name. |
namespaces_by_labels | The env will match namespaces using a label selector. |
Create and modify Connection Policy rules
This resource creates or modifies Connection rules for resources directly from Terraform files.
Resource name
securecn_connection_rule
Use
```hcl
# Terraform resource names must be identifiers (letters, digits, underscores,
# hyphens); the rule_name shown in Panoptica may contain spaces.
resource "securecn_connection_rule" "name_in_terraform" {
  rule_name = "name in securecn"

  source_by_ip_range {
    ips = ["192.168.1.0/24"]
  }

  destination_by_address_ip_range {
    ips = ["192.168.1.0/24"]
  }
}
```
You can use the following fields to specify different source and destination entities (see Connection Policy).
Resource reference
Field | Description |
---|---|
rule_name | The name of the rule. |
source_by_ip_range | Select the source by IP range. Example: source_by_ip_range { ips = ["192.168.1.0/24"] } |
source_by_external | Select external sources. Example: source_by_external = true |
source_by_pod_name | Select the source by pod name. Example: source_by_pod_name { names = ["pod name3","pod name2"] vulnerability_severity_level = "HIGH" } |
source_by_pod_label | Select the source by pod label. Example: source_by_pod_label { labels = { key1 = "value1" key2 = "value2" } } |
vulnerability_severity_level | Select the source by pod vulnerability level; used inside the source_by_pod_name, source_by_pod_label and source_by_pod_any blocks, as in the examples in this table. Example: vulnerability_severity_level = "HIGH" |
source_by_pod_any | Select any pod as the source. Example: source_by_pod_any { vulnerability_severity_level = "HIGH" } |
destination_by_address_ip_range | Select the destination by IP range. Example: destination_by_address_ip_range { ips = ["192.168.1.0/24"] } |
destination_by_address_domain | Select the destination by domain. Example: destination_by_address_domain { domains = ["www.domain.com"] } |
destination_by_external | Select external destinations. Example: destination_by_external = true |
destination_by_pod_name | Select the destination by pod name. Example: destination_by_pod_name { names = ["pod name"] vulnerability_severity_level = "HIGH" } |
destination_by_pod_label | Select the destination by pod label. Example: destination_by_pod_label { labels = { key1 = "value1" key2 = "value2" } } |
vulnerability_severity_level | Select the destination by pod vulnerability level; used inside the destination_by_pod_name, destination_by_pod_label and destination_by_pod_any blocks. Example: vulnerability_severity_level = "HIGH" |
destination_by_pod_any | Select any pod as the destination. Example: destination_by_pod_any { vulnerability_severity_level = "HIGH" } |
Example
This Terraform file creates three Connection Policy rules.
```hcl
provider "securecn" {
  access_key = "********-****-****-****-************"
  secret_key = "********************************************"
}

resource "securecn_connection_rule" "Pod_mongodb_to_external" {
  rule_name = "Pod mongodb to external 2"

  source_by_pod_name {
    names = ["mongodb"]
    # vulnerability_severity_level = "MEDIUM"
  }

  destination_by_external = true
}

resource "securecn_connection_rule" "External_to_pod_nginx_with_vulnerability_medium" {
  rule_name = "External to pod nginx with vulnerability medium"

  source_by_external = true

  destination_by_pod_name {
    names                        = ["nginx"]
    vulnerability_severity_level = "MEDIUM"
  }
}

resource "securecn_connection_rule" "Pod_nginx_to_aws" {
  rule_name = "Pod nginx to aws"

  source_by_pod_name {
    names = ["nginx"]
    # vulnerability_severity_level = "HIGH"
  }

  destination_by_address_domain {
    domains = ["aws.amazon.com"]
  }
}
```
When run, the rules appear in the Connection Policy:

Create and modify Deployers
This resource creates or modifies Deployer entities.
Resource name
securecn_deployer
Use
```hcl
resource "securecn_deployer" "vault" {
  name = "vault"

  operator_deployer {
    cluster_id      = securecn_k8s_cluster.myCluster.id
    service_account = "vault"
    namespace       = "default"
    rule_creation   = false
    security_check  = true
  }
}
```
You can use the following fields to specify different attributes on the deployer entities (see Deployers).
Resource reference
Field | Description |
---|---|
name | Name of the deployer entity. |
operator_deployer | Define an operator type deployer. See reference below. |
operator_deployer block reference
Field | Description |
---|---|
cluster_id | The ID of the Kubernetes cluster in Panoptica. |
service_account | The name of the service account of the deployer in the Kubernetes cluster. |
namespace | The namespace of the deployer service account in the Kubernetes cluster. |
rule_creation (optional) | Enable connection rule creation for this deployer. Default: false. |
security_check (optional) | Enable security checks for this deployer. Default: false. |
Create and modify CD Policies
This resource creates or modifies CD Policies.
Resource name
securecn_cd_policy
Use
```hcl
resource "securecn_cd_policy" "vault" {
  name      = "vault"
  deployers = [
    securecn_deployer.vault.id,
  ]

  secret_policy {
    permissible_vulnerability_level = "HIGH"
    enforcement_option              = "FAIL"
  }
}
```
You can use the following fields to specify different attributes on the CD Policy entities (see CI/CD Scan Policy).
Resource reference
Field | Description |
---|---|
name | The name of the CD Policy. |
description | The description of the CD Policy. |
deployers | The IDs of the deployers this CD policy is associated with and executed for. |
api_security_policy (optional) | Specify the CD policy's api security profile. See reference below. |
permission_policy (optional) | Specify the cd policy's permission check profile. See reference below. |
secret_policy (optional) | Specify the cd policy's secret check profile. See reference below. |
security_context_policy (optional) | Specify the cd policy's security context check profile. See reference below. |
api_security_policy reference
Field | Description |
---|---|
api_security_profile | The id of the api security profile to use for this api policy. |
enforcement_option | The enforcement type for this policy: FAIL, IGNORE. |
permission_policy, secret_policy, security_context_policy block reference
Field | Description |
---|---|
permissible_vulnerability_level | The level of risk accepted in this policy: "NO_RISK", "MEDIUM", "HIGH" |
enforcement_option | The enforcement type for this policy: FAIL, IGNORE. |
Create and modify CI Policies
This resource creates or modifies CI Policies.
Resource name
securecn_ci_policy
Use
```hcl
resource "securecn_ci_policy" "global" {
  name        = "global"
  description = "Our account level CI policy"

  vulnerability_policy {
    permissible_vulnerability_level = "MEDIUM"
    enforcement_option              = "FAIL"
  }

  dockerfile_scan_policy {
    permissible_dockerfile_scan_severity = "INFO"
    enforcement_option                   = "IGNORE"
  }
}
```
You can use the following fields to specify different attributes on the CI Policy entities (see CI/CD Scan Policy).
Resource reference
Field | Description |
---|---|
name | The name of the CI Policy. |
description | The description of the CI Policy. |
vulnerability_policy (optional) | Specify the CI policy's vulnerability policy part. See reference below. |
dockerfile_scan_policy (optional) | Specify the CI policy's dockerfile scan policy part. See reference below. |
vulnerability_policy block reference
Field | Description |
---|---|
permissible_vulnerability_level | The level of risk accepted in this policy: "UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL". |
enforcement_option | The enforcement type for this policy: FAIL, IGNORE. |
dockerfile_scan_policy block reference
Field | Description |
---|---|
permissible_dockerfile_scan_severity | The scan result severity accepted in this policy: "INFO", "WARN", "FATAL" |
enforcement_option | The enforcement type for this policy: FAIL, IGNORE. |
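Several settings in the cluster, connection rule and CI/CD policy resources described above are only safe with particular values: fail_close = false lets the cluster fail open while the controller is down, connections_control = false switches off connection enforcement, a rule from an external or any-pod source to destination_by_pod_any lets anything reach anything, an IP range such as 0.0.0.0/0 is rarely what was intended, and enforcement_option = "IGNORE" turns a scan policy into a report. The script below is an added example, not part of the provider or its documentation: it reads the JSON form of a saved plan (`terraform show -json tfplan`) and reports those weak spots before they are applied. The embedded plan is constructed from the cluster, connection rule and CI policy examples on this page plus two deliberately weak rules (any_in and mongodb_to_corp); the /16 threshold for over-broad ranges is an assumption to tune to your address plan.

```python
import ipaddress
import json
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed plan fragment in the layout of `terraform show -json tfplan`:
# nested HCL blocks such as source_by_ip_range { ... } are serialised as lists
# of objects under change.after, plain attributes as scalars, absent blocks as
# [] or omitted. It combines the cluster, connection rule and CI policy
# examples above and adds two deliberately weak rules (any_in, mongodb_to_corp).
SAMPLE_PLAN_JSON = r'''{"resource_changes": [
 {"address": "securecn_k8s_cluster.myCluster", "type": "securecn_k8s_cluster", "change": {"actions": ["create"],
  "after": {"name": "mySecureCNCluster", "connections_control": true, "fail_close": false}}},
 {"address": "securecn_connection_rule.any_in", "type": "securecn_connection_rule", "change": {"actions": ["create"],
  "after": {"rule_name": "anything to any pod", "source_by_external": true, "source_by_ip_range": [],
            "destination_by_pod_any": [{"vulnerability_severity_level": "HIGH"}]}}},
 {"address": "securecn_connection_rule.mongodb_to_corp", "type": "securecn_connection_rule", "change": {"actions": ["create"],
  "after": {"rule_name": "Pod mongodb to corp net", "source_by_pod_name": [{"names": ["mongodb"]}],
            "destination_by_address_ip_range": [{"ips": ["10.0.0.0/8"]}]}}},
 {"address": "securecn_connection_rule.External_to_pod_nginx_with_vulnerability_medium", "type": "securecn_connection_rule",
  "change": {"actions": ["create"], "after": {"rule_name": "External to pod nginx with vulnerability medium",
            "source_by_external": true, "destination_by_pod_name": [{"names": ["nginx"], "vulnerability_severity_level": "MEDIUM"}]}}},
 {"address": "securecn_ci_policy.global", "type": "securecn_ci_policy", "change": {"actions": ["update"],
  "after": {"name": "global", "vulnerability_policy": [{"permissible_vulnerability_level": "MEDIUM", "enforcement_option": "FAIL"}],
            "dockerfile_scan_policy": [{"permissible_dockerfile_scan_severity": "INFO", "enforcement_option": "IGNORE"}]}}}
]}'''

# Assumption, tune to your address plan: IP ranges wider than this prefix
# length are reported as over-broad (0.0.0.0/0 and ::/0 are always caught).
MIN_PREFIX_LEN = 16
POLICY_BLOCKS = ("vulnerability_policy", "dockerfile_scan_policy", "api_security_policy",
                 "permission_policy", "secret_policy", "security_context_policy")


@dataclass(frozen=True)
class Finding:
    address: str
    message: str


def _blocks(after: dict, key: str) -> list:
    """Nested blocks are lists of objects; absent ones are [] or missing."""
    return after.get(key) or []


def check_cluster(address: str, after: dict) -> List[Finding]:
    out = []
    if after.get("fail_close") is False:
        out.append(Finding(address, "fail_close is false: workloads and connections are "
                                    "allowed while the controller is not responding"))
    if after.get("connections_control") is False:
        out.append(Finding(address, "connections_control is false: the Runtime Connection "
                                    "Policy is not applied to this cluster"))
    return out


def check_connection_rule(address: str, after: dict) -> List[Finding]:
    out = []
    for side in ("source_by_ip_range", "destination_by_address_ip_range"):
        for block in _blocks(after, side):
            for cidr in block.get("ips", []):
                if ipaddress.ip_network(cidr, strict=False).prefixlen < MIN_PREFIX_LEN:
                    out.append(Finding(address, f"{side} contains over-broad range {cidr}"))
    any_source = after.get("source_by_external") or _blocks(after, "source_by_pod_any")
    if any_source and _blocks(after, "destination_by_pod_any"):
        out.append(Finding(address, "any external or pod source may reach any pod"))
    return out


def check_policy(address: str, after: dict) -> List[Finding]:
    out = []
    for key in POLICY_BLOCKS:
        for block in _blocks(after, key):
            if block.get("enforcement_option") == "IGNORE":
                out.append(Finding(address, f"{key} has enforcement_option IGNORE: "
                                            "violations are reported but never fail"))
    return out


CHECKS: Dict[str, Callable[[str, dict], List[Finding]]] = {
    "securecn_k8s_cluster": check_cluster,
    "securecn_connection_rule": check_connection_rule,
    "securecn_ci_policy": check_policy,
    "securecn_cd_policy": check_policy,
}


def review_plan(plan_json: str) -> List[Finding]:
    findings: List[Finding] = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc["change"].get("after")
        if not after:  # deletions carry no 'after'; nothing to evaluate
            continue
        check = CHECKS.get(rc["type"])
        if check:
            findings.extend(check(rc["address"], after))
    return findings


if __name__ == "__main__":
    import sys
    # Usage: terraform show -json tfplan > plan.json && python review_policy.py plan.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    findings = review_plan(text)
    for f in findings:
        print(f"{f.address}: {f.message}")
    sys.exit(1 if findings else 0)
```

On the sample it reports four findings (the fail-open cluster, the any-to-any rule, the /8 destination range and the IGNORE dockerfile policy) and leaves the page's "External to pod nginx" rule alone, since it names one pod and its severity threshold. A finding is not automatically a defect, but each one should be a conscious decision recorded in the configuration, so the non-zero exit is a useful place to stop a pipeline for a human look before apply.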
Create and modify Deployment Rules
This resource creates or modifies Deployment Rules.
Resource name
securecn_deployment_rule
Use
```hcl
resource "securecn_deployment_rule" "rule1" {
  rule_name = "terraform deployment rule"

  match_by_pod_name {
    names                             = ["Finance"]
    vulnerability_severity_level      = "HIGH"
    vulnerability_on_violation_action = "BLOCK"
    psp_profile                       = "Baseline"
    psp_on_violation_action           = "ENFORCE"
  }
}
```
Resource reference
Field | Description |
---|---|
rule_name | The name of the rule |
match_by_pod_name | Select the pod by name Example match_by_pod_name { names = ["Finance"] vulnerability_severity_level = "HIGH" vulnerability_on_violation_action = "BLOCK" psp_profile = "Baseline" psp_on_violation_action = "ENFORCE" } |
match_by_pod_label | Select the pod by a label associated with it Example match_by_pod_label = { key11 = "value11" key22 = "value22" } |
match_by_pod_any | Selects all pods |
scope | The scope of the rule |
Match pod by name fields
Field | Description |
---|---|
vulnerability_severity_level | The severity level of the workload (pod). The pod is selected if its severity is equal to or exceeds this level |
vulnerability_on_violation_action | The action to be taken on the pods selected by the rule - block from deployment, or allow to be deployed |
psp_profile | A PSP profile to be applied by the rule as additional filters to select pods |
psp_on_violation_action | The action to be taken on pods selected by the PSP profile - block from deployment, or enforce compliance. See Pod Security Standards Profiles. |
Create and modify Serverless Rules
This resource creates or modifies Serverless Rules.
Resource name
securecn_serverless_rule
Use
```hcl
resource "securecn_serverless_rule" "name_of_rule_in_TF" {
  rule_name = "SERVERLESS RULE DEMO"

  match_by_function_name {
    names = ["billing"]
  }

  serverless_function_validation {
    risk                     = "CRITICAL"
    vulnerability            = "CRITICAL"
    secrets_risk             = "RISK_IDENTIFIED"
    function_permission_risk = "MEDIUM"
    publicly_accessible_risk = "LOW"
    data_access_risk         = "LOW"
    is_unused_function       = true
  }

  scope {
    cloud_account = "Production"
    regions       = ["us-east-1"]
  }
}
```
Resource reference
Field | Description |
---|---|
rule_name | The name of the rule |
match_by_function_name | Select functions by name Example match_by_function_name { names = ["billing"] } |
match_by_function_arn | Select functions by their ARN Example match_by_function_arn { arns = ["arn1", "arn2"] } |
match_by_function_any | Select all functions |
serverless_function_validation | Select functions by properties Example serverless_function_validation { risk = "CRITICAL" vulnerability = "CRITICAL" secrets_risk = "RISK_IDENTIFIED" function_permission_risk = "MEDIUM" publicly_accessible_risk = "LOW" data_access_risk = "LOW" is_unused_function = true } |
scope | Set the scope of the rule, the AWS account(s) and regions Example scope { cloud_account = "Production" regions = ["us-east-1"] } |
Serverless function validation fields
Field | Description |
---|---|
risk | The risk level of the function: functions with risk equal to or greater than this level are selected |
vulnerability | The vulnerability level of the function: functions with vulnerability equal to or greater than this level are selected |
secrets_risk | Select functions with identified secrets written in plain text in the code (RISK_IDENTIFIED), or without (NOT_IDENTIFIED) |
function_permission_risk | Select functions with permissions risk equal to or greater than this level |
publicly_accessible_risk | Select functions that are publicly accessible and with risk equal to or greater than this level |
data_access_risk | Select functions that access data (YES) or do not (NO) |
is_unused_function | Select functions that have not been used for 30 days (YES) or not (NO) |
Trusted Signers
This resource creates or modifies Trusted Signers.
Resource name
securecn_trusted_signer
Use
```hcl
resource "securecn_trusted_signer" "securecn_trusted_signer" {
  name = "terraform_trusted_signer"
  keys = {
    key33 = "value33"
    key44 = "value44"
  }
  clusters = [securecn_k8s_cluster.terraform_cluster.id]
}
```
Resource reference
Field | Description |
---|---|
name | The trusted signer name |
keys | A map of key names to key values for this signer, as in the example above |
clusters | A list of clusters |
See Also
See the provider's own documentation in the Terraform Registry: https://registry.terraform.io/providers/Portshift/securecn/latest/docs