Ansible¶
Ansible is a “radically simple IT automation system.”
The easy_infra
project includes and secures Ansible as a component due to its popularity and versitility in provisioning and managing systems as
Infrastructure as Code (IaC).
easy_infra
uses security tools such as KICS to semi-transparently assess the provided IaC against the defined security
policy.
Use Cases¶
If you use Software Version Control (such as git
) to manage your Ansible IaC, consider executing ansible-playbook EXAMPLE.yml --syntax-check
with
easy_infra as a pipeline action on commit or pull request:
docker run -v .:/iac seiso/easy_infra:latest-ansible ansible-playbook EXAMPLE.yml --syntax-check
Customizing KICS¶
Environment variable |
Result |
Example |
---|---|---|
|
Passes the value to |
|
|
Passes the value to |
|
KICS_INCLUDE_QUERIES=c3b9f7b0-f5a0-49ec-9cbc-f1e346b7274d,7dfb316c-a6c2-454d-b8a2-97f147b0c0ff
KICS_EXCLUDE_SEVERITIES=info,low
docker run --env-file <(env | grep ^KICS_) -v .:/iac easy_infra:latest-ansible ansible-playbook EXAMPLE.yml --syntax-check
Disabling Security¶
The injected security tooling can be disabled entirely or individually, using easy_infra
-specific command line arguments or environment variables.
Environment variable |
Default |
Result |
---|---|---|
|
|
Disables all security tooling (Not just Ansible-related) |
|
|
Disables KICS |
Parameter |
Result |
Example |
---|---|---|
|
Disable all security tooling |
|
|
Disable KICS |
|
Note
All command-line arguments in the above table are processed by easy_infra and removed prior to passing parameters to Ansible commands.
Resources¶
Configuring custom checks can be done by leveraging the robust Rego language, maintained by the Open Policy Agent (OPA). OPA hosts The Rego Playground for testing custom rules written in Rego.