6.2.4 Integrating OPA with GHA
Now that we've seen the power of OPA and how it can help identify cloud misconfiguration before they are applied, let's look at how we can automated running OPA using Github Actions !
๐ ๏ธ Preparing Codeโ
The below command shall update the code to include Github Actions for OPA and also create a new branch called opa
cd ~/playground/
cp -r ~/s4cpcode/chapter6/6C/. ~/playground/
git checkout -b opa
git status
git add .
git commit -m "checking out opa"
git push --set-upstream origin opa
๐ Create PRโ
Let's create a PR from opa
branch to main
branch as shown below
๐๏ธ View the PR Commentsโ
Check the results of OPA in PR Comments
- OPA Scan output for Global Infrastructure , showing excessive permissions being attached
- OPA Scan output for Prod Infrastrucutre , showing excessive permissions attached to a security group
๐ ๏ธ Preparing Code for Rolling Backโ
Let's roll back the changes by firing the below commands , as we donot wish to commit the above identified abnormalities in the code.
cd ~/playground/
cp -r ~/s4cpcode/chapter6/6D/. ~/playground/
git status
git add .
git commit -m "rolling back changes"
git push --set-upstream origin opa
๐ Merge the PRโ
Lastly, we need to close the PR by merging the opa
branch into main
branch with [skip ci] in comments.
Its important here to add the string [skip ci] in the message as we don't wish to run the Github Actions upon the merge. Same can be seen in the screenshot below.
- First enter [skip ci] in the comment.
- Click on
Close with comment
button.
That completes the Chapter 6 and of the course ๐๐๐๐๐๐๐๐๐๐ฅณ , highligthing what we've learned in Chapter 6
- We installed and executed Service Control Policies and observed how they can truly help us in shifting left towards our compliance policies.
- Next, we spent a lot of time on Open Policy Agent by learning a policy on How to enforce IMDSv2
- Then we saw how can OPA be integrated into GHA in this section.