Open intekaws-axiamed opened 11 months ago
Hey there, thanks for the report. For our info, a couple questions:
- What's the current impact of this? Are you still able to provision accounts and apply customizations?
- Where in the code have you added the lines to pull and run OPA?
Hi, current impact - I can't validate my IaC against OPA, which is a security risk and prevents code promotion to production. I am running it in the pre_build helper.
Got ya, makes sense. We do have a backlog to look at container upgrades, but we need to be careful since the container version is one that all AFT customers consume. We need to ensure that we don't break AFT itself, but also that we don't break customers who have automation that lives within that container. We can understand impacts in the first case; we have integration testing internally that catches issues that would break the AFT framework. But we can't know what software customers run in things like the pre-API helper for example, so it's difficult to understand if a major version increment would break those customers.
In the meantime, my suggestion would be to run validations and testing before modules are committed to AFT repos. AFT was originally conceptualized as a "last step"; the mechanism to apply customizations to accounts rather than being a full-lifecycle CI or change management/approval tool. As such the API helper stages were meant only to establish conditions that would make the application of customizations possible. While customers have expressed interest in things like approval steps and validation gates within AFT itself, currently that isn't in the scope of business problems that AFT seeks to address.
Thanks for your response. Running OPA requires a Terraform plan, since it runs against the Terraform plan file, which can only be accessed within the AFT pipeline, so I won't be able to run OPA outside of the AFT pipeline as part of automation. Running OPA in a developer's local environment is not recommended, as other developers will not have any visibility of the report.
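To make concrete what a plan-file gate in the pre_build helper actually consumes, here is an added example (not AFT code, and not an OPA/Rego policy; it is written by the editor): a small Python check over the `resource_changes` section of `terraform show -json` output. The plan JSON is constructed inline for illustration, and the Python rules stand in for what a Rego policy would express; the pipeline commands in the docstring are the assumed wiring, not something the thread specifies.

```python
"""Plan-file policy gate (added example, editor's own code, not AFT's).

Assumed pipeline wiring in the pre_build helper (not from the thread):
    terraform plan -out=tfplan
    terraform show -json tfplan > plan.json
    opa eval -d policy.rego -i plan.json "data.terraform.deny"
This script plays the role of the last step with Python rules in place of
Rego, so the shape of the data the policy inspects is visible offline.
"""
import json
import sys

# Constructed, abridged sample of `terraform show -json tfplan` output.
# Policies look at resource_changes[].change.after, the post-apply state.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {   # compliant bucket: private ACL
            "address": "aws_s3_bucket.logs",
            "type": "aws_s3_bucket",
            "change": {"actions": ["create"],
                       "after": {"bucket": "example-logs", "acl": "private"}},
        },
        {   # non-compliant: SSH ingress open to the whole internet
            "address": "aws_security_group_rule.ssh",
            "type": "aws_security_group_rule",
            "change": {"actions": ["create"],
                       "after": {"type": "ingress", "from_port": 22, "to_port": 22,
                                 "cidr_blocks": ["0.0.0.0/0"], "ipv6_cidr_blocks": None}},
        },
        {   # being destroyed: public ACL in `before` must not trigger a deny
            "address": "aws_s3_bucket.old",
            "type": "aws_s3_bucket",
            "change": {"actions": ["delete"],
                       "before": {"acl": "public-read"}, "after": None},
        },
    ],
})


def planned_resources(plan):
    """Yield (address, type, after) for resources that will exist after apply."""
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        if change.get("after") is None:
            continue  # destroyed (or unknown); nothing to validate post-apply
        yield rc["address"], rc["type"], change["after"]


def deny_public_s3_acl(address, rtype, after):
    """Deny S3 buckets created or updated with a public canned ACL."""
    if rtype == "aws_s3_bucket" and after.get("acl") in ("public-read", "public-read-write"):
        return f"{address}: S3 bucket ACL '{after['acl']}' is public"
    return None


def deny_world_open_ingress(address, rtype, after):
    """Deny security group ingress rules reachable from any address."""
    if rtype == "aws_security_group_rule" and after.get("type") == "ingress":
        v4 = after.get("cidr_blocks") or []        # attributes may be null in plan JSON
        v6 = after.get("ipv6_cidr_blocks") or []
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            return (f"{address}: ingress open to the world on ports "
                    f"{after.get('from_port')}-{after.get('to_port')}")
    return None


POLICIES = [deny_public_s3_acl, deny_world_open_ingress]


def evaluate_plan(plan_json):
    """Return the list of deny messages for a plan JSON document."""
    plan = json.loads(plan_json)
    violations = []
    for address, rtype, after in planned_resources(plan):
        for policy in POLICIES:
            msg = policy(address, rtype, after)
            if msg:
                violations.append(msg)
    return violations


def gate(plan_json):
    """Pipeline-style exit code: 0 when clean, 1 when any rule denies."""
    violations = evaluate_plan(plan_json)
    for msg in violations:
        print("DENY", msg)
    return 1 if violations else 0


if __name__ == "__main__":
    # Pass the path to plan.json as the first argument; defaults to the sample.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PLAN_JSON
    sys.exit(gate(source))
```

Run with the sample it denies the security group rule, ignores the bucket being deleted, and exits non-zero, which is the behaviour a gate in the pre_build helper needs so that the pipeline stops before `terraform apply`. Swapping the Python rules for a Rego policy evaluated by `opa eval` changes the engine, not the data shape or the exit-code contract.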
@intekaws-axiamed, we have created a backlog item to let customers specify the container to be used in AFT pipelines. Thank you for the context and details for your use case.
Thank you, I have updated the title to reflect the enhancement. I am looking forward to this release!
Hi @intekaws-axiamed,
Following up to let you know that AFT 1.11.0 updated the codebuild image to aws/codebuild/amazonlinux2-x86_64-standard:5.0, which I believe resolves your original request to provide an OPA-compatible image.
I'm leaving this issue open to track the enhancement request to allow customer-specified container images.
AFT Version: 1.10.3
Terraform Version & Provider Versions (please provide the outputs of `terraform version` and `terraform providers` from within your AFT environment):
terraform version
Terraform v1.3.9
AWS