Selefra: The Open-Source Policy-as-Code Tool for Terraform and Multi-Cloud

Selefra
5 min read, Mar 21, 2023


We are excited to share the launch of Selefra with everyone, open-source policy-as-code software that provides analytics for multi-cloud and SaaS.

Selefra product positioning

Why Selefra

Several years ago, when I was researching new security attack techniques in public clouds, I had conversations with friends in positions such as CTO, CISO, and SRE. I found that everyone was using different tools, either self-developed or off-the-shelf, to solve various problems in multi-cloud scenarios, such as resource management and cost analysis. However, we all relied on the same basic principle of collecting data using APIs and SDKs provided by cloud service providers or SaaS vendors. I wondered if it was possible to build a multi-cloud analysis infrastructure tool since all cloud analysis scenarios in different fields require the same type of data. This tool could provide standard data collection and more flexible data analysis frameworks, allowing experts in different fields to focus on building analysis scenarios, rather than duplicating data development and learning different analysis languages. Just as Terraform has solved the problem of multi-cloud infrastructure construction as a representative Infrastructure as Code product, we hope to have a product that can solve the unified analysis problem of multi-cloud infrastructure.

Our tool can:

  • Meet the data analysis requirements of multi-cloud and SaaS services, with customizable data sources.
  • Provide a simple analysis language.
  • Manage analysis policies as code.

To meet these requirements, my team and I have spent the past year building an open-source tool for infrastructure analysis that supports common public cloud resource types. We hope to achieve our vision of providing customers with the ability to analyze all infrastructure through open-source means. We are excited to announce that today we are releasing this product as open-source. Selefra is a combination of Select and Infrastructure, and we hope customers can use Selefra to analyze infrastructure more easily, without spending too much time learning about data and specifications.

What’s Selefra

Selefra means “select * from infrastructure”. It is an open-source infrastructure-as-code software that provides analysis for multi-cloud and SaaS environments, including over 30 services such as AWS, GCP, Azure, Alibaba Cloud, Kubernetes, GitHub, Cloudflare, and Slack.

Selefra Architecture Diagram

SQL is Simply Policy Language

Selefra uses SQL+YAML to define policies, which means developers can easily define policies using familiar SQL syntax without having to learn new specific policy syntax. Based on the Terraform Provider, Selefra has built a rich data integration ecosystem. As a developer, you can easily develop and analyze policies for any infrastructure.

For example, you can use SQL to check whether any AWS S3 bucket carries the security risk of a publicly writable ACL:

selefra:
  name: selefra-demo
  cli_version: latest
providers:
  - name: aws
    source: aws
    version: latest
rules:
  - name: bucket_resources
    query: |
      SELECT
        DISTINCT(a1.*)
      FROM
        aws_s3_buckets a1,
        aws_s3_bucket_grants a2
      WHERE
        a1.selefra_id = a2.aws_s3_buckets_selefra_id
        AND a2.grantee :: jsonb ->> 'URI' = 'http://acs.amazonaws.com/groups/global/AllUsers'
        AND a2.permission IN ('WRITE_ACP', 'FULL_CONTROL')
    output: "S3 bucket acl public writable, arn: {{.arn}} , bucket name: {{.name}}"

Additionally, you can use it to check whether access logging is enabled on GCP Cloud Storage buckets:

selefra:
  name: selefra-demo
  cli_version: latest
providers:
  - name: gcp
    source: gcp
    version: latest
rules:
  - name: bucket_logging_disable
    query: |
      SELECT
        *
      FROM
        gcp_storage_buckets
      WHERE
        logging IS NULL
    output: "Bucket logging disable, bucket name: {{.name}}, region: {{.location}}"
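The two rules above each test one condition. The following rule, written for this article as an added example and not taken from the Selefra repositories, generalizes the S3 check: it uses the same aws_s3_buckets and aws_s3_bucket_grants tables and columns shown above, but flags any ACL grant to the AllUsers or AuthenticatedUsers groups and reports which permission was granted, so read-only exposure and write exposure can be triaged separately. The rule name, the grantee_uri alias and the output template are assumptions.

```yaml
selefra:
  name: selefra-demo
  cli_version: latest
providers:
  - name: aws
    source: aws
    version: latest
rules:
  # Added example rule (not from the Selefra project): flag every S3 bucket
  # whose ACL grants any permission to an anonymous or all-authenticated group.
  - name: bucket_acl_public_grant
    query: |
      SELECT
        DISTINCT a1.arn,
        a1.name,
        a2.permission,
        a2.grantee :: jsonb ->> 'URI' AS grantee_uri
      FROM
        aws_s3_buckets a1,
        aws_s3_bucket_grants a2
      WHERE
        a1.selefra_id = a2.aws_s3_buckets_selefra_id
        -- Both predefined groups are public from a security standpoint:
        -- AuthenticatedUsers means any AWS account, not just your own.
        AND a2.grantee :: jsonb ->> 'URI' IN (
          'http://acs.amazonaws.com/groups/global/AllUsers',
          'http://acs.amazonaws.com/groups/global/AuthenticatedUsers'
        )
        -- READ/READ_ACP expose data or ACL contents; the rest allow changes.
        AND a2.permission IN ('READ', 'READ_ACP', 'WRITE', 'WRITE_ACP', 'FULL_CONTROL')
    output: "S3 bucket ACL grants {{.permission}} to {{.grantee_uri}}, arn: {{.arn}}, bucket name: {{.name}}"
```

Each matching (bucket, grant) pair produces one finding, so a bucket with both a READ and a WRITE grant to AllUsers is reported twice, once per permission.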

For more example policies, see the Selefra open-source example repository at https://github.com/selefra/selefra-modules-aws-s3, or write the policy you need by following the Selefra documentation at https://www.selefra.io/docs/build-projects/overview.

Features of Selefra

Policy-as-Code

Custom analysis policies (security, compliance, cost) can be written through a combination of SQL and YAML.

Configuration of Multi-Cloud, Multi-SaaS

Unified multi-cloud configuration data integration capabilities that can support analysis of configuration data from any cloud service via SQL.

Version Control

Analysis policies can be managed through VCS such as GitHub/Gitlab.

Automation

Policies can be run automatically to enforce compliance, security, and cost optimization rules through scheduled tasks and cloud automation tools.

How to use

Read the detailed documentation for how to get started with Selefra.

For a quick start, run this demo; it should take only a few minutes:

  1. Install Selefra

Non-macOS users can find other installation methods in the Selefra documentation.

On macOS, tap Selefra with Homebrew:

brew tap selefra/tap

Next, install Selefra:

brew install selefra/tap/selefra

  2. Initialize a project

mkdir selefra-demo && cd selefra-demo && selefra init

  3. Apply the project (this runs the analysis rules)

selefra apply

Selefra Roadmap

  • Scale provider coverage for AWS, GCP, Azure, K8S, etc. to aim for 100% resource coverage.
  • Support Terraform, Pulumi, Crossplane, and other mainstream IaC tools to enable rules during deployment and in production.
  • Scale to 30 more SaaS providers, reaching a total of 70 providers.
  • We welcome your feedback on our roadmap regarding requirements and bugs: https://github.com/orgs/selefra/projects/1

Supporting Quotes

Salamanka, Senior Information Security Manager, Advance Group

Selefra effectively detects and identifies security risks in cloud platforms, helping to ensure their security compliance and establish a secure baseline, thereby reducing our concerns about using cloud platforms.

Jay, CTO, Airgram

Selefra can help us analyze AWS IAM, which we believe is the most difficult part of AWS, and it greatly improves our efficiency.

Zijie He, HashiCorp Ambassador

Selefra is an ambitious and imaginative open-source software tool that creatively converts IaC resources into SQL tables, making it possible to establish superstructures based on any multi-cloud infrastructure resources, including but not limited to compliance policy, FinOps, etc.

Wrapping Up

If you are interested in Selefra after reading this article, please click here to know more: https://github.com/selefra/selefra

If you have any questions about productivity tools or Selefra products, please feel free to ask on Reddit: https://www.reddit.com/r/Selefra, report a bug on our GitHub, or join our Slack community.

We are eager to work with excellent individuals who are passionate about infrastructure development, data engineering, and other related fields to build our products together, and we welcome all kinds of contributions.

Join us on Slack and at our weekly open-source community meetups: https://selefra.io/community/join

We are very excited to see what scenarios you will build using Selefra, and to grow together with Selefra!
