Integration of OPA, Fugue and Codepipeline

What is AICF?

The Automated Infrastructure Compliance Framework (AICF) is an open-source integrated pipeline for deploying and monitoring infrastructure. Specific features include:

  • Pre-deployment policy checking using Open Policy Agent
  • Post-deployment AWS/Azure drift detection using Fugue
  • Terraform for Infrastructure-as-Code deployments

Technical Summary

AICF is currently built on AWS CodePipeline and AWS CodeBuild and integrates Open Policy Agent, Terraform, and Fugue.

Deployment/installation overview

Before deploying by any of the following methods, gather values for the following configuration parameters. Three of them (GitHubOAuthToken, TerraformCloudToken and FugueCLIENTSECRET) are credentials: keep the configuration file that holds them out of version control.

"ApplicationName" - Any name of your choosing; used as the AWS CodePipeline reference name
"ArtifactS3Bucket" - Name of an existing AWS S3 bucket for the CodePipeline artifact store
"GitHubOAuthToken" - Programmatic auth token for the GitHub user
"GitHubUser" - GitHub user name
"GitHubRepository" - GitHub repository where the Terraform '.tf' files are
"GitHubBranch" - Specific branch of that repository to use for the Terraform files
"TerraformSha256" - SHA-256 hash of the Terraform binary for the version below
"TerraformVersion" - Version of Terraform to use when initialising the Terraform environment
"TerraformCloudToken" - Programmatic auth token for the Terraform Enterprise environment
"Intervalinseconds" - Interval, in seconds, at which Fugue will scan the AWS environment
"Fugueenvironmentid" - ID of the Fugue environment
"FugueCLIENTID" - Client ID of the Fugue user
"FugueCLIENTSECRET" - Secret for that Fugue client ID

CLI method

To deploy AICF from a bash CLI, you must first have the aws CLI binary installed and have properly configured ~/.aws/config and ~/.aws/credentials.

  1. Create a JSON-formatted configuration file with the parameters described in the Deployment/installation overview. The file is a CloudFormation parameter list: an array of objects with "ParameterKey" and "ParameterValue" fields.

  2. Run the command below, substituting the name "testStack" with one of your choosing. The --capabilities flag acknowledges that the template may create IAM resources with custom names.

$ aws cloudformation create-stack --stack-name testStack --template-body file://aicf.yaml --parameters file://aicf-configuration.json --capabilities CAPABILITY_NAMED_IAM
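As an added example (not code from the AICF repository), the script below builds aicf-configuration.json in the shape `--parameters file://` expects from AICF_* environment variables, so the GitHub token, Terraform Cloud token and Fugue client secret never have to be typed into a file that might be committed. It also shows how to check a downloaded Terraform binary against the TerraformSha256 value before it is run, and then issues the create-stack command above. The AICF_* variable names, the function names and the validate-template step are assumptions of this example; the ParameterKey names are the ones listed in the overview.

```shell
#!/bin/sh
# Added example for this README, not part of the AICF repository.
# Builds the parameter file that `--parameters file://aicf-configuration.json`
# expects, reading each value from an environment variable so the tokens and
# the Fugue client secret never have to be written into a committed file.
# The AICF_* variable names and the function names are assumptions of this
# example; the ParameterKey names are the ones the README lists.
set -eu

AICF_PARAMS="ApplicationName ArtifactS3Bucket GitHubOAuthToken GitHubUser \
GitHubRepository GitHubBranch TerraformSha256 TerraformVersion \
TerraformCloudToken Intervalinseconds Fugueenvironmentid FugueCLIENTID \
FugueCLIENTSECRET"

# Escape backslashes and double quotes so a value cannot break the JSON.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Print the CloudFormation parameter list as JSON. Every parameter is read
# from AICF_<ParameterKey>; an empty or unset value is an error (return 1)
# rather than a silently empty parameter.
aicf_params_json() {
  sep=""
  printf '['
  for key in $AICF_PARAMS; do
    var="AICF_${key}"
    eval "val=\${$var:-}"
    if [ -z "$val" ]; then
      echo "aicf: $var is not set" >&2
      return 1
    fi
    printf '%s\n  {"ParameterKey": "%s", "ParameterValue": "%s"}' \
      "$sep" "$key" "$(json_escape "$val")"
    sep=","
  done
  printf '\n]\n'
}

# Compare a downloaded Terraform binary against the TerraformSha256 value
# before it is ever executed. Returns 0 on match, 1 on mismatch.
verify_sha256() {
  file="$1"; expected="$2"
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)   # macOS fallback
  fi
  [ "$actual" = "$expected" ]
}

# Write the parameter file readable only by the current user, check the
# template, then run the create-stack command from the README.
aicf_deploy() {
  stack="${1:-testStack}"
  umask 077
  aicf_params_json > aicf-configuration.json
  aws cloudformation validate-template --template-body file://aicf.yaml
  aws cloudformation create-stack --stack-name "$stack" \
    --template-body file://aicf.yaml \
    --parameters file://aicf-configuration.json \
    --capabilities CAPABILITY_NAMED_IAM
}

# Usage: export the AICF_* variables (e.g. AICF_GitHubOAuthToken=...), then
#   sh ./aicf-deploy.sh deploy myStack
if [ "${1:-}" = "deploy" ]; then
  aicf_deploy "${2:-testStack}"
fi
```

Delete the generated aicf-configuration.json once the stack exists. Note that CloudFormation parameter values remain readable through DescribeStacks by anyone with that permission unless the template declares the parameter with NoEcho, so treat the stack itself as holding credentials.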

Accelerated CloudFormation method

  1. Log in to the AWS account in which you wish to deploy AICF.

  2. Click here to deploy the AICF CloudFormation stack to your account.

  3. Click "Next", give your new stack a name and then fill in the parameters required to deploy the pipeline.

  4. Complete steps 6 and 7 of the Manual Method Using the AWS Console section below.

Manual Method Using the AWS Console

  1. Log in to the AWS web console.

  2. Navigate to the AWS CloudFormation service page.

  3. Click "Create Stack".

  4. Ensure "Template is ready" and "Upload a template file" are selected, then choose the CloudFormation template file (OPAFugueCodepipeline.yaml) from this repository.

  5. Fill in the parameters with the information gathered in the Deployment/installation overview and click "Next".

  6. Click "Next" again.

  7. Tick the checkbox acknowledging that CloudFormation may create IAM resources with custom names (the console equivalent of CAPABILITY_NAMED_IAM in the CLI command above) and select "Create Stack".

How to run AICF

Once the CloudFormation stack is created, AICF is ready to use; the first pipeline run starts automatically as part of stack creation. After that, the pipeline is configured to run manually by default. To start a run:

  1. In the AWS console, navigate to the CodePipeline service and click on the reference name ("ApplicationName") you chose above.

  2. Click "Release change".

  3. Confirm the start of the pipeline by clicking "Release".

Some Example CLI Commands:

Both commands use -auto-approve, which skips Terraform's interactive confirmation of the plan. Review the output of terraform plan before running them by hand against the pipeline's state.

$ terraform apply -auto-approve

$ terraform destroy -auto-approve

Delete Stack

Replace e3_sandbox with your own AWS CLI profile name, or omit --profile to use the default. CloudFormation removes only the resources in the stack (the pipeline and its supporting resources); anything Terraform deployed is untouched, so run terraform destroy first if that should go too.

$ aws cloudformation delete-stack --stack-name testStack --profile e3_sandbox

Install OPA binary locally

Moving the binary into /usr/bin requires root. Check the download's SHA-256 against the checksum published for the OPA release before installing it.

$ curl -L -o opa && chmod +x opa && mv opa /usr/bin


Contributing

  1. Clone the repo.
  2. Create a new branch, make your changes, then commit and push them to the remote, i.e. git push --set-upstream origin new-branch
  3. Log into GitHub and create a pull request against the master branch.


New Light Technologies, Inc.
Carl Alleyne -
