Manage Cloud Governance with AWS CDK, Aspects and Open Policy Agent

Nowadays, with the established concepts of cloud computing, infrastructure as code and automation, the volume and complexity of environments are increasing exponentially.

This landscape makes it necessary to implement a clear set of rules and policies regarding the lifecycle of cloud resources, otherwise known as Cloud Governance.

In this article we discuss the implementation of a real-life set of tools that provide Cloud Governance using AWS CDK and Open Policy Agent (OPA).

You can follow the code used in this article by cloning the repo: https://github.com/nearform/cdk-aspects-opa-example

Principles of Cloud Governance

What is Cloud Governance?

  • Compliance with company policies and standards
  • Alignment with business objectives
  • Collaboration
  • Change management
  • Dynamic response to events

Cloud Governance Pillars

Cloud Governance Pillars: Cloud Financial, Cloud Operations Management, Cloud Data Management, Cloud Security and Compliance Management

Image extracted from: https://www.imperva.com/learn/data-security/cloud-governance/

  • Cloud Financial Management: Financial Policies, Budgets, Cost reporting
  • Cloud Operations Management: A clear definition of resources allocated to the service over time, Performance SLAs, Ongoing monitoring, Access control requirements
  • Cloud Data Management: Automation of data lifecycle management, Ensuring all data is encrypted, Developing a tiering strategy
  • Cloud Security and Compliance Management: Risk assessment, Identity and access management, Data management and encryption, Application security

More information on a good Cloud Governance framework can be found at Imperva: https://www.imperva.com/learn/data-security/cloud-governance/

What’s CDK?

“AWS CDK lets you build reliable, scalable, cost-effective applications in the cloud with the considerable expressive power of a programming language.”

To build these examples you will need a working AWS account and the AWS CDK CLI installed, with the appropriate permissions on that account.

A simple CDK stack

This snippet shows a complete declaration of a stack containing an S3 bucket without encryption:


CDK Aspects

Aspects are a way to change the constructs in a given scope based on any characteristic of the visited node. CDK Aspects implement the Visitor pattern through the IAspect interface.

Workflow using Aspects

With CDK Aspects, before any change is applied to the AWS environment, every aspect registered on a stack visits the nodes of that stack, where you can implement validations and modify nodes. Inside an aspect you also have access to the complete tree of the current node (stack, resources, etc.) and can attach information or error annotations to nodes.

A change flows through these steps: the change is requested, CDK runs the Aspect checkers and, if all policies accept it, the change is applied; otherwise an error is presented and the process stops.

A policy to block the creation of buckets without encryption

This example declares a class that implements the IAspect interface. Its visit method checks whether the node is an S3 bucket and, if so, whether encryption is configured; when it is not, an error annotation is added to the node:


A rich example using OPA

Once you have dozens of policies to validate, in some contexts in-code checks like this can turn a codebase into a mess that is very hard to maintain. This is where Open Policy Agent, or just OPA, can help us!

Policy-based control for cloud native environments

OPA gives us stable, simple and flexible fine-grained control over every element in a stack. It lets you decouple your Cloud Governance policies and rules from your services and keep them in one concise policy base, without losing performance or availability.

OPA Architecture

You can run OPA as a daemon that receives inputs over its HTTP API, or embed it as a library. You can also compile policies to WebAssembly and distribute them that way.

Daemon: services make HTTP calls to the OPA API, which validates the data against the policy. Library: services use OPA as a library and validate data simply by calling a method.

Image extracted from: https://www.openpolicyagent.org

Workflow using Aspects + OPA Policies

A workflow with an Aspect calling OPA to validate the node through one or more policies:

A change flows through these steps: the change is requested, CDK runs the Aspect checkers, which submit the node information to the OPA agent over HTTP; if all policies accept it, the change is applied; otherwise an error is presented and the process stops.

An example of a Financial Policy

This policy simply returns allow: true when the input object has both the active and hasBudget properties set to “yes”:

Controlling the Resource Lifecycle

Let’s imagine that we want to enforce that every applied stack carries an explicit repository tag and that the project’s current error budget is greater than 0. We can do that by declaring a policy like this:


An OPA Checker that implements IAspect

In this implementation we build a data object describing the node/resource and submit it to OPA. If the response is anything other than { result: { allow: true } }, an error annotation is added to the node, which blocks the deployment:
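The following is an added example (not code from the nearform repository) that covers both the bucket-encryption aspect and the OPA checker described above, written so the decision fails closed. The interfaces at the top are minimal local stand-ins for the aws-cdk-lib types involved (IConstruct, IAspect, CfnResource.cfnResourceType, CfnBucket.bucketEncryption, Annotations.addError), the `errors` array stands in for the error annotations, and `OpaClient` is a hypothetical synchronous client type; a real stack imports the types from 'aws-cdk-lib' and the client performs the HTTP call.

```typescript
// Minimal local stand-ins for the aws-cdk-lib types used here (IConstruct, IAspect, CfnResource
// .cfnResourceType, CfnBucket.bucketEncryption, Annotations.addError); a real stack imports them.
interface IConstruct {
  node: { path: string; children?: IConstruct[] };
  cfnResourceType?: string;     // present on L1 (Cfn*) resources only
  bucketEncryption?: unknown;   // mirrors CfnBucket.bucketEncryption
  tags?: Record<string, string>;
}
interface Checker { visit(node: IConstruct): void; errors: string[] }  // IAspect plus its annotations
// OPA's Data API answers POST /v1/data/<path> with { "result": <rule value> }; if the package or
// rule is undefined it answers {} with HTTP 200, so a missing result must count as a deny.
interface OpaResponse { result?: { allow?: unknown } }
// Hypothetical client type. IAspect.visit is synchronous, so the HTTP call must be too; a real
// client would POST JSON.stringify({ input }) to `${opaUrl}/v1/data/${policyPath}`.
type OpaClient = (policyPath: string, input: Record<string, unknown>) => OpaResponse;
export class BucketEncryptionChecker implements Checker {
  errors: string[] = [];
  visit(node: IConstruct): void {
    if (node.cfnResourceType === 'AWS::S3::Bucket' && node.bucketEncryption === undefined)
      this.errors.push(`${node.node.path}: S3 bucket must declare BucketEncryption`);
  }
}
export class OpaChecker implements Checker {
  errors: string[] = [];
  constructor(private policyPath: string, private client: OpaClient,
              private extra: Record<string, unknown> = {}) {}   // e.g. { errorBudget: 3 }
  visit(node: IConstruct): void {
    if (!node.cfnResourceType) return;   // only CloudFormation resources are policed
    const input = { path: node.node.path, type: node.cfnResourceType, tags: node.tags ?? {}, ...this.extra };
    let resp: OpaResponse | undefined;
    try { resp = this.client(this.policyPath, input); }
    catch (e) {   // OPA unreachable: deny instead of silently deploying
      this.errors.push(`${node.node.path}: OPA unavailable (${String(e)}), change denied`); return;
    }
    if (resp?.result?.allow !== true)   // strict: "true", 1 or a missing rule all deny
      this.errors.push(`${node.node.path}: denied by policy ${this.policyPath}`);
  }
}

// Mirrors Aspects.of(stack): every checker visits every construct in the tree.
export function applyAspects(root: IConstruct, checkers: Checker[]): string[] {
  const pending = [root];
  while (pending.length) {
    const n = pending.pop()!;
    checkers.forEach(c => c.visit(n));
    pending.push(...(n.node.children ?? []));
  }
  return checkers.reduce<string[]>((acc, c) => acc.concat(c.errors), []);
}
```

The strict `=== true` comparison and the catch branch are the two places a checker silently turns into an allow-all if written loosely: an undefined package, a typo in the policy path or an OPA outage should all stop the deployment rather than pass it.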


Bringing it all together

Here is a complete implementation of a stack that has three Aspect Checkers:

  • BucketEncryptionChecker
  • OpaChecker for Change Policy
  • OpaChecker for Financial Policy

Conclusion

Aspects are an interesting way to control DevOps flows based on project characteristics and business rules. Combining them with OPA gives us the flexibility and power to implement Cloud Governance rules and policies in a clear, centralized way, and it’s pretty good!
