How to Secure OpenClaw Infrastructure as Code

# terraform/backend.tf
terraform {
  backend "s3" {
    bucket         = "openclaw-terraform-state"
    key            = "prod/terraform.tfstate"
    region         = "us-east-1"
    encrypt        = true
    dynamodb_table = "terraform-locks"
  }
}

# AWS Configuration:
aws s3api create-bucket --bucket openclaw-terraform-state --region us-east-1
aws s3api put-bucket-versioning --bucket openclaw-terraform-state --versioning-configuration Status=Enabled
aws s3api put-bucket-public-access-block --bucket openclaw-terraform-state --public-access-block-configuration "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true"
aws dynamodb create-table --table-name terraform-locks --attribute-definitions AttributeName=LockID,AttributeType=S --key-schema AttributeName=LockID,KeyType=HASH --billing-mode PAY_PER_REQUEST

# terraform/variables.tf
variable "anthropic_api_key" {
  type      = string
  sensitive = true  # Prevents value from being logged
}

variable "database_password" {
  type      = string
  sensitive = true
}

# .gitignore
*.tfvars          # Never commit variable files
terraform.tfstate* # Never commit state files
.terraform/

# Create terraform.tfvars (locally only):
echo 'anthropic_api_key = "sk-ant-xxx"' > terraform.tfvars
echo 'terraform.tfvars' >> .gitignore

# Or use environment variables:
export TF_VAR_anthropic_api_key="sk-ant-xxx"
export TF_VAR_database_password="secure-password"

# Install and run TruffleHog (secret scanning):
pip install truffleHog
trufflehog filesystem . --json | grep -i "secret\|password\|key"

# Pre-commit hook to prevent secret commits:
brew install pre-commit
cat > .pre-commit-config.yaml <<EOF
repos:
  - repo: https://github.com/Yelp/detect-secrets
    rev: v1.4.0
    hooks:
      - id: detect-secrets

  - repo: https://github.com/gitleaks/gitleaks-action
    rev: v2.1.0
    hooks:
      - id: gitleaks
EOF

pre-commit install
pre-commit run --all-files

# Scan Terraform for misconfigurations with Checkov:
pip install checkov
checkov -d . --framework terraform --output json > checkov-report.json

# Terraform Cloud/Enterprise with Sentinel:
# policies/require-encryption.sentinel
import "tfplan/v2" as tfplan

main = rule {
  all tfplan.resource_changes.aws_s3_bucket as _, bucket {
    bucket.change.after.server_side_encryption_configuration[0].rule[0].apply_server_side_encryption_by_default[0].sse_algorithm == "AES256"
  }
}

# OPA (Open Policy Agent) for Terraform:
# policies/security.rego
package main

deny[msg] {
  input.resource_type == "aws_security_group"
  input.ingress[_].from_port == 22
  input.ingress[_].cidr_blocks[_] == "0.0.0.0/0"
  msg = "SSH (port 22) should not be open to 0.0.0.0/0"
}

deny[msg] {
  input.resource_type == "aws_s3_bucket"
  not input.server_side_encryption_configuration
  msg = "S3 buckets must have encryption enabled"
}

# terraform/variables.tf with sensitive outputs protection
locals {
  sensitive_data = {
    database_password = var.database_password
    api_key          = var.anthropic_api_key
  }
}

resource "aws_rds_cluster" "openclaw" {
  master_password = var.database_password  # This is sensitive
  # ...
}

# Block these from state and logs:
output "rds_endpoint" {
  value       = aws_rds_cluster.openclaw.endpoint
  sensitive   = false  # Safe to show
}

output "rds_password" {
  value       = aws_rds_cluster.openclaw.master_password
  sensitive   = true   # Never log or show
}

# Use random provider for auto-generated passwords:
resource "random_password" "db_password" {
  length  = 32
  special = true
}

resource "aws_secretsmanager_secret" "db_password" {
  name                    = "openclaw-db-password"
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "db_password" {
  secret_id      = aws_secretsmanager_secret.db_password.id
  secret_string  = random_password.db_password.result
}

# Enable S3 versioning for state (already in Step 1):
aws s3api put-bucket-versioning --bucket openclaw-terraform-state --versioning-configuration Status=Enabled

# Enable access logging:
aws s3api put-bucket-logging --bucket openclaw-terraform-state --bucket-logging-status file://logging.json

# logging.json:
{
  "LoggingEnabled": {
    "TargetBucket": "openclaw-terraform-logs",
    "TargetPrefix": "state-access-logs/"
  }
}

# Review Terraform changes before applying:
terraform plan -out=tfplan
terraform show tfplan  # Review all changes
terraform apply tfplan

# Git audit trail:
git log --oneline -- terraform/
git show <commit> -- terraform/  # See exact IaC changes

# AWS IAM policy for Terraform-only access:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::openclaw-terraform-state/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:GetItem",
        "dynamodb:DeleteItem"
      ],
      "Resource": "arn:aws:dynamodb:*:*:table/terraform-locks"
    }
  ]
}

# GitHub branch protection for main:
# Settings → Branches → main → Require pull request reviews → Require approval from code owners
# Add CODEOWNERS file:
echo "terraform/ @infrastructure-team" > CODEOWNERS
git add CODEOWNERS && git commit -m "chore: add code owners for IaC review"