Bridgecrew configuration as code using our new Terraform Provider

Terraform is one of the most popular infrastructure as code (IaC) tools used to deploy, manage, and destroy infrastructure. Bridgecrew helps developers secure Terraform templates from code to cloud. Until now, what we haven’t let you do is manage Bridgecrew using Terraform.

That’s why we’re excited to announce our official Bridgecrew Terraform provider!

With the new provider you can:

  • Create, read, update, or delete (CRUD) a custom policy (simple or complex) using Terraform directly or by referencing a YAML file.
  • Import existing policies and then manage them using Terraform.
  • List policies, suppressions, integrations, users, and integrated repositories.

We’re just getting started! The provider is open-source and we’re always looking for community contributions.

A new way to do policy-as-code

There are multiple ways you can create and manage custom policies. Natively, you can add Python or YAML checks directly to Checkov, the tool backing Bridgecrew, using the --external-checks-dir or --external-checks-git flags. In Bridgecrew, you can add a check using the custom policy code editor or visual editor, or push custom policies using our public API.

That last one is actually how the provider works under the hood. The provider leverages Go libraries to gather metadata on existing custom policies from Bridgecrew and make API calls to create, read, update, or delete (CRUD) custom policies. That goes for policies created by Terraform and ones already in the system.

Like custom policies added directly in the platform, policies created through the provider are used in all of Bridgecrew’s repository scans and in every Checkov CLI scan that includes your API key. For example, if you add a new policy using the Terraform provider and include your API key in your CircleCI integration, every CI run will also check for your new policy.

How does it work?

We’ll keep an up-to-date set of examples in the repo, but let’s take a look at creating a new policy.

Start by activating the provider, then either add an API key in the provider block or set an environment variable called BRIDGECREW_API to your API key. Be sure not to check this secret into git.

export BRIDGECREW_API="xxxx"

Then add a Terraform file with the provider details:

terraform {
  required_providers {
    bridgecrew = {
      version = "0.2.1"
      source  = "PaloAltoNetworks/bridgecrew"
    }
  }
}

Next, add a new policy. There are two different ways to add a policy through the provider. The first is by creating a YAML file and then referencing it in the Terraform resource block using:

file = "<path>/policy.yaml"

The second is to define a simple or complex policy in the resource block itself. When not using a YAML file, you’ll need to fill in all of the fields below except the benchmarks.

resource "bridgecrew_policy" "new" {
  cloud_provider = "aws"
  title          = "my first test"
  severity       = "critical"
  category       = "logging"

  conditions {
    resource_types = ["aws_s3_bucket", "aws_instance"]
    cond_type      = "attribute"
    attribute      = "bucket"
    operator       = "not_equals"
    value          = "jimbo"
  }

  guidelines = "This should explain a little"

  benchmarks {
    cis_aws_v12 = ["1.1", "2.1"]
  }

}

output "policy" {
  value = bridgecrew_policy.new
}

That output block returns the policy that was just created. Now run terraform apply and confirm the plan to create the new policy.

Updating that policy is as simple as making a change to the Terraform file and applying again. The Terraform plan will even show the lines that are changing. As with other custom policies, the policies generated by the Terraform provider will show up wherever an API key is used. For example, doing a Checkov scan with an API key:

Watching the watcher

In addition to the new provider, we’ve added the constructs to check for misconfigurations in your Bridgecrew Terraform code using Checkov. For example, here Checkov is identifying a Bridgecrew API token in a Terraform file:

We’ll be adding more checks soon.
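As an added illustration of the kind of check described above (this is not Checkov’s own check, nor code from this post), here is a minimal Python scan that flags a string literal assigned to a credential attribute inside a provider "bridgecrew" block. The attribute name api_key is an assumption, since the post does not name it, and the Terraform snippet is constructed for the example.

```python
"""Flag hard-coded credentials in a Bridgecrew provider block.

Added example, not Bridgecrew's or Checkov's code. It assumes the provider
attribute holding the key is named api_key (or token) and uses a simple
line-based scan of HCL rather than a full parser.
"""
import re

# Constructed sample: the first block hard-codes a key (the misconfiguration),
# the second reads it from a variable, which is the pattern to prefer.
SAMPLE_TF = '''
provider "bridgecrew" {
  api_key = "bc-0123456789abcdef"
}

provider "bridgecrew" {
  alias   = "from_var"
  api_key = var.bridgecrew_api_key
}
'''

PROVIDER_RE = re.compile(r'^\s*provider\s+"bridgecrew"\s*\{')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
SECRET_ATTRS = {"api_key", "token"}   # assumed attribute names


def find_hardcoded_keys(hcl_text):
    """Return (line_number, attribute) for each literal secret found."""
    findings = []
    in_provider = False
    depth = 0
    for lineno, line in enumerate(hcl_text.splitlines(), 1):
        stripped = line.split("#", 1)[0]          # drop HCL line comments
        if not in_provider and PROVIDER_RE.match(stripped):
            in_provider = True
            depth = 0
        if not in_provider:
            continue
        depth += stripped.count("{") - stripped.count("}")
        m = ASSIGN_RE.match(stripped)
        if m and m.group(1) in SECRET_ATTRS:
            value = m.group(2)
            # A quoted value is a literal unless it is an interpolation.
            if value.startswith('"') and "${" not in value:
                findings.append((lineno, m.group(1)))
        if depth <= 0:                            # closing brace of the block
            in_provider = False
    return findings


if __name__ == "__main__":
    for lineno, attr in find_hardcoded_keys(SAMPLE_TF):
        print(f"line {lineno}: hard-coded {attr} in provider \"bridgecrew\"")
```

Only the first block is reported; the variable reference in the second block is not a literal and passes.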

Just a start

This is just the first iteration of our Terraform provider. We expect to have many more ways for you to manage Bridgecrew using Terraform soon. Try it out for yourself and contribute with issues and code to the repo!