CloudFormation
AWS CloudFormation enables you to safely and predictably create, change, and improve infrastructure. The easy_infra project includes and secures CloudFormation as a component because of its popularity and versatility for provisioning and updating environments as Infrastructure as Code (IaC). easy_infra uses security tools, such as Checkov, to transparently assess the provided IaC against the defined security policy.
Use Cases
If you use Software Version Control (such as git) to manage your CloudFormation IaC, consider executing aws cloudformation validate-template with easy_infra as a pipeline action on commit or pull request:
docker run -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation validate-template --template-body file://./example.yml
You can also use easy_infra to deploy your infrastructure using aws cloudformation deploy:
docker run -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation deploy --template-file file://./example.yml --stack-name example
Note
In order to run aws cloudformation validate-template, AWS requires that you have an active session with AWS.
Customizing Checkov
Environment Variable | Result | Example
---|---|---
CHECKOV_BASELINE | Passes the value to --baseline | /iac/.checkov.baseline
CHECKOV_EXTERNAL_CHECKS_DIR | Passes the value to --external-checks-dir | /iac/checkov_rules/
CHECKOV_SKIP_CHECK | Passes the value to --skip-check | CKV_AWS_46
For example, set the variables in your shell and pass all of them into the container:
CHECKOV_BASELINE=/iac/.checkov.baseline
CHECKOV_EXTERNAL_CHECKS_DIR=/iac/checkov_rules/
CHECKOV_SKIP_CHECK=CKV_AWS_46
docker run --env-file <(env | grep ^CHECKOV_) -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation validate-template --template-body file://./example.yml
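The following is an added example, not part of the easy_infra project or its documentation. It ties the two use cases above (validate on commit, then deploy) to the Checkov variables: a POSIX shell pipeline script that forwards every exported CHECKOV_* variable into the container as --env pairs (the portable equivalent of the --env-file <(env | grep ^CHECKOV_) form, which needs bash process substitution), runs validate-template through the page's image, and deploys only if validation returned zero. It assumes that a failed Checkov check makes the validate step exit non-zero, as Checkov itself does; the names IMAGE, TEMPLATE, DRY_RUN and cfn_pipeline.sh are chosen here and are not easy_infra settings.

```shell
#!/bin/sh
# Added example (not easy_infra's own code): CI wrapper around the
# seiso/easy_infra:latest-cloudformation image from the page.
# IMAGE, TEMPLATE and DRY_RUN are variable names assumed by this script only.
set -eu

IMAGE="${IMAGE:-seiso/easy_infra:latest-cloudformation}"
TEMPLATE="${TEMPLATE:-example.yml}"

# Turn every exported CHECKOV_* variable into a "--env NAME=VALUE" pair, one
# per line, sorted so the output is deterministic. `|| true` keeps `set -e`
# from aborting when no CHECKOV_ variable is set. Values are assumed to
# contain no whitespace, since the caller word-splits this output.
checkov_env_args() {
  { env | grep '^CHECKOV_' || true; } | sort | sed 's/^/--env /'
}

# Assemble and run one easy_infra invocation for an aws cloudformation
# subcommand. With DRY_RUN=1 the assembled command is printed instead of
# executed, which lets the pipeline logic be checked without Docker or AWS.
run_easy_infra() {
  # $(checkov_env_args) is intentionally unquoted so it splits into arguments.
  set -- docker run --rm $(checkov_env_args) -v "$PWD:/iac" "$IMAGE" \
    aws cloudformation "$@"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Pipeline step: validate first (Checkov runs transparently inside that step);
# the deploy only runs if validation, and therefore the policy check, passed.
validate_then_deploy() {
  stack="$1"
  run_easy_infra validate-template --template-body "file://./$TEMPLATE" || return 1
  run_easy_infra deploy --template-file "file://./$TEMPLATE" --stack-name "$stack"
}

# Usage from a pipeline job (script name is hypothetical):
#   CHECKOV_SKIP_CHECK=CKV_AWS_46 ./cfn_pipeline.sh example
if [ "${1:-}" != "" ]; then
  validate_then_deploy "$1"
fi
```

Set DRY_RUN=1 in a pull-request job to see exactly which Checkov customisations reach the container before allowing the deploy step to run against a real account.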
Disabling Security
The injected security tooling can be disabled entirely or individually, using easy_infra-specific command line arguments or environment variables.
Environment variable | Default | Result
---|---|---
DISABLE_SECURITY | false | Disables all security tooling (not just CloudFormation-related) when set to true
SKIP_CHECKOV | false | Disables Checkov when set to true
Parameter | Result | Example
---|---|---
--disable-security | Disable all security tooling | docker run -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation --disable-security validate-template --template-body file://./example.yml
--skip-checkov | Disable Checkov | docker run -v $(pwd):/iac seiso/easy_infra:latest-cloudformation aws cloudformation validate-template --template-body file://./example.yml --skip-checkov
Note
All command-line arguments in the above table are processed by easy_infra and removed before the remaining parameters are passed to the aws cloudformation commands.