From 27c35798d232e4df2afc597134214ede11c9fc18 Mon Sep 17 00:00:00 2001 From: Viacheslav Lyzohub Date: Mon, 1 Jul 2024 15:49:02 +0300 Subject: [PATCH 1/4] SCALRCORE-31241: Policy example for workspace.environment_type --- README.md | 1 + management/workspace_environment_type.rego | 8 +++++++ .../workspace_environment_type_mock.json | 24 +++++++++++++++++++ .../workspace_environment_type_test.rego | 11 +++++++++ 4 files changed, 44 insertions(+) create mode 100644 management/workspace_environment_type.rego create mode 100644 management/workspace_environment_type_mock.json create mode 100644 management/workspace_environment_type_test.rego diff --git a/README.md b/README.md index cc93e5b..30069ac 100644 --- a/README.md +++ b/README.md 
@@ -61,6 +61,7 @@ Many policies contain arrays of values that are checked against resources. The a | [management/resource_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/resource_tags.rego) | Checks required tags are configured for all clouds. | | [management/whitelist_ami.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/whitelist_ami.rego) | Checks AMI against allowed list or configured from data source. | | [management/workspace_name.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_name.rego) | Simple example of using `tfrun` data and validating a workspace name. | +| [management/workspace_environment.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_environment_type.rego) | Checks workspace environment type and enforces cost limits based on environment. | | [management/workspace_destroy.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_destroy.rego) | Checks workspace has an active state and denies its destroy, if active state is present. | | [management/workspace_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_tags.rego) | Checks workspace is tagged with provider name. | | [modules/pin_module_version.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/modules/pin_module_version.rego) | Enforces use of specific module versions. | diff --git a/management/workspace_environment_type.rego b/management/workspace_environment_type.rego new file mode 100644 index 0000000..b4365b3 --- /dev/null +++ b/management/workspace_environment_type.rego @@ -0,0 +1,8 @@ +package terraform + +import input.tfrun as tfrun + +deny["Monthly cost for dev workspace exceeds $100"] { + tfrun.workspace.environment_type == "development" + tfrun.cost_estimate.proposed_monthly_cost > 100 +} 
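Review bot: the link text in the new README row does not match the file it points at: the text reads `management/workspace_environment.rego` while the URL and the new file are `management/workspace_environment_type.rego`. Change the link text to `management/workspace_environment_type.rego` so the table stays searchable by file name and matches the other rows, which all use the exact path.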
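Review bot: the rule in `workspace_environment_type.rego` fails open when cost data is missing: if `tfrun.cost_estimate` is absent from the input (cost estimation disabled or not yet computed), the reference `tfrun.cost_estimate.proposed_monthly_cost` is undefined, the rule body is not satisfied and no deny is produced, so an expensive development workspace passes silently. Consider a second rule that denies, or at least reports, when `tfrun.cost_estimate` is not defined, with a matching mock case. Separately, the threshold `100` is hard-coded in both the message and the comparison, so the two can drift apart; the README context for this hunk says many policies keep the values they check in a variable at the top of the file, and building the reason with `sprintf` (as `enforce_ebs_del_on_term.rego` does) would let the message include the actual `proposed_monthly_cost`, which makes the denial actionable.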
diff --git a/management/workspace_environment_type_mock.json b/management/workspace_environment_type_mock.json new file mode 100644 index 0000000..fc8bf5b --- /dev/null +++ b/management/workspace_environment_type_mock.json @@ -0,0 +1,24 @@ +{ + "mock": { + "valid_input": { + "tfrun": { + "workspace": { + "environment_type": "development" + }, + "cost_estimate": { + "proposed_monthly_cost": 50 + } + } + }, + "invalid_input": { + "tfrun": { + "workspace": { + "environment_type": "development" + }, + "cost_estimate": { + "proposed_monthly_cost": 150 + } + } + } + } +} diff --git a/management/workspace_environment_type_test.rego b/management/workspace_environment_type_test.rego new file mode 100644 index 0000000..168d804 --- /dev/null +++ b/management/workspace_environment_type_test.rego @@ -0,0 +1,11 @@ +package terraform + +test_dev_workspace_cost_allowed { + result = deny with input as data.mock.valid_input + count(result) == 0 +} + +test_dev_workspace_cost_denied { + result = deny with input as data.mock.invalid_input + count(result) > 0 +} From 8d1d921c299b42504c366bddcb59716982548ace Mon Sep 17 00:00:00 2001 
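Review bot: `workspace_environment_type_test.rego` only exercises `environment_type: "development"` with a cheap and an expensive estimate; there is no case showing that a workspace of another environment type with `proposed_monthly_cost` above 100 is allowed, which is the other half of the policy's intent. Add a third mock entry with a different `environment_type` and a cost above the limit and assert `count(result) == 0` for it. Also, the mock keys `valid_input` / `invalid_input` referenced as `data.mock.valid_input` differ from the `valid` / `invalid` keys used by the existing mocks in this repository (see `enforce_ebs_del_on_term` mock later in this series); keeping one naming convention makes the mocks easier to reuse.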
From: Viacheslav Lyzohub Date: Tue, 2 Jul 2024 10:43:59 +0300 Subject: [PATCH 2/4] SCALRCORE-31241: Folder structure --- .github/workflows/opa.yml | 1 + .../enforce_aws_iam_and_workspace.rego | 0 .../enforce_aws_iam_and_workspace_mock.json | 0 .../enforce_aws_iam_and_workspace_test.rego | 0 .../enforce_aws_resource.rego | 0 .../enforce_aws_resource_mock.json | 0 .../enforce_aws_resource_test.rego | 0 aws/{ => enforce_cidr}/enforce_cidr.rego | 0 .../enforce_cidr_mock.json} | 0 .../enforce_cidr_test.rego} | 0 aws/enforce_ebs_del_on_term.mock.json | 777 ------------------ .../enforce_ebs_del_on_term.rego | 3 +- .../enforce_ebs_del_on_term_mock.json | 776 +++++++++++++++++ .../enforce_ebs_del_on_term_test.rego} | 0 .../enforce_iam_instance_profiles.rego | 3 +- .../enforce_iam_instance_profiles_mock.json} | 0 .../enforce_iam_instance_profiles_test.rego} | 0 .../enforce_instance_subnet.rego | 1 - .../enforce_instance_subnet_mock.json} | 0 .../enforce_instance_subnet_test.rego} | 0 .../enforce_kms_key_names.rego | 0 .../enforce_kms_key_names_mock.json} | 0 .../enforce_kms_key_names_test.rego} | 0 .../enforce_lb_subnets.rego | 3 +- .../enforce_lb_subnets_mock.json} | 0 .../enforce_lb_subnets_test.rego} | 0 .../enforce_rds_subnets.rego | 1 - .../enforce_rds_subnets_mock.json} | 0 .../enforce_rds_subnets_test.rego} | 0 .../enforce_s3_buckets_encryption.rego | 0 .../enforce_s3_buckets_encryption_mock.json | 0 .../enforce_s3_buckets_encryption_test.rego | 0 .../enforce_s3_private.rego | 0 .../enforce_s3_private_mock.json} | 0 .../enforce_s3_private_test.rego} | 0 .../enforce_sec_group.rego | 3 +- .../enforce_sec_group_mock.json} | 0 .../enforce_sec_group_test.rego} | 0 .../limit_monthly_cost.rego | 0 .../limit_monthly_cost_mock.json | 0 .../limit_monthly_cost_test.rego | 0 .../{ => limit_monthly_cost}/scalr-policy.hcl | 0 .../random_decision.rego | 0 .../random_decision_test.rego | 0 .../{ => random_decision}/scalr-policy.hcl | 0 .../enforce_gcs_private.rego | 0 
.../enforce_gcs_private_mock.json} | 0 .../enforce_gcs_private_test.rego} | 0 .../denied_provisioners.rego | 0 .../denied_provisioners_mock.json | 0 .../denied_provisioners_test.rego | 0 .../enforce_ami_owners.rego | 0 .../enforce_ami_owners_mock.json | 0 .../enforce_ami_owners_test.rego | 0 .../enforce_var_desc.mock.json | 0 .../enforce_var_desc.rego | 0 .../enforce_var_desc.test.rego | 0 .../{ => instance_types}/instance_types.rego | 0 .../instance_types_mock.json | 0 .../instance_types_test.rego | 0 .../{ => pull_requests}/pull_requests.rego | 0 .../pull_requests_mock.json | 0 .../pull_requests_test.rego | 0 .../resource_tags.rego | 0 .../resource_tags_mock.json | 0 .../resource_tags_test.rego | 0 .../whitelist_ami.rego | 0 .../whitelist_ami_mock.json | 0 .../whitelist_ami_test.rego | 0 .../workspace_destroy.rego | 0 .../workspace_destroy_mock.json | 0 .../workspace_destroy_test.rego | 0 .../workspace_environment_type.rego | 0 .../workspace_environment_type_mock.json | 0 .../workspace_environment_type_test.rego | 0 .../{ => workspace_name}/workspace_name.rego | 0 .../workspace_name_mock.json | 0 .../workspace_name_test.rego | 0 .../{ => workspace_tags}/workspace_tags.rego | 0 .../workspace_tags_mock.json | 0 .../workspace_tags_test.rego | 0 .../pin_module_version.rego | 0 .../pin_module_version_mock.json | 0 .../pin_module_version_test.rego | 0 .../required_modules.rego | 0 .../required_modules_mock.json | 0 .../required_modules_test.rego | 0 .../{ => cloud_location}/cloud_location.rego | 0 .../cloud_location_mock.json | 0 .../cloud_location_test.rego | 0 .../blacklist_provider.rego | 0 .../blacklist_provider_mock.json | 205 +++++ .../blacklist_provider_test.rego | 0 providers/blacklist_provider_mock.json | 205 ----- user/{ => check_user}/user.rego | 0 user/{ => check_user}/user_mock.json | 0 user/{ => check_user}/user_test.rego | 0 97 files changed, 986 insertions(+), 992 deletions(-) rename aws/{ => 
enforce_aws_iam_and_workspace}/enforce_aws_iam_and_workspace.rego (100%) rename aws/{ => enforce_aws_iam_and_workspace}/enforce_aws_iam_and_workspace_mock.json (100%) rename aws/{ => enforce_aws_iam_and_workspace}/enforce_aws_iam_and_workspace_test.rego (100%) rename aws/{ => enforce_aws_resource}/enforce_aws_resource.rego (100%) rename aws/{ => enforce_aws_resource}/enforce_aws_resource_mock.json (100%) rename aws/{ => enforce_aws_resource}/enforce_aws_resource_test.rego (100%) rename aws/{ => enforce_cidr}/enforce_cidr.rego (100%) rename aws/{enforce_cidr.mock.json => enforce_cidr/enforce_cidr_mock.json} (100%) rename aws/{enforce_cidr.test.rego => enforce_cidr/enforce_cidr_test.rego} (100%) delete mode 100644 aws/enforce_ebs_del_on_term.mock.json rename aws/{ => enforce_ebs_del_on_term_mock}/enforce_ebs_del_on_term.rego (96%) create mode 100644 aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json rename aws/{enforce_ebs_del_on_term.test.rego => enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego} (100%) rename aws/{ => enforce_iam_instance_profiles}/enforce_iam_instance_profiles.rego (95%) rename aws/{enforce_iam_instance_profiles.mock.json => enforce_iam_instance_profiles/enforce_iam_instance_profiles_mock.json} (100%) rename aws/{enforce_iam_instance_profiles.test.rego => enforce_iam_instance_profiles/enforce_iam_instance_profiles_test.rego} (100%) rename aws/{ => enforce_instance_subnet}/enforce_instance_subnet.rego (97%) rename aws/{enforce_instance_subnet.mock.json => enforce_instance_subnet/enforce_instance_subnet_mock.json} (100%) rename aws/{enforce_instance_subnet.test.rego => enforce_instance_subnet/enforce_instance_subnet_test.rego} (100%) rename aws/{ => enforce_kms_key_names}/enforce_kms_key_names.rego (100%) rename aws/{enforce_kms_key_names.mock.json => enforce_kms_key_names/enforce_kms_key_names_mock.json} (100%) rename aws/{enforce_kms_key_names.test.rego => enforce_kms_key_names/enforce_kms_key_names_test.rego} (100%) 
rename aws/{ => enforce_lb_subnets}/enforce_lb_subnets.rego (96%) rename aws/{enforce_lb_subnets.mock.json => enforce_lb_subnets/enforce_lb_subnets_mock.json} (100%) rename aws/{enforce_lb_subnets.test.rego => enforce_lb_subnets/enforce_lb_subnets_test.rego} (100%) rename aws/{ => enforce_rds_subnets}/enforce_rds_subnets.rego (96%) rename aws/{enforce_rds_subnets.mock.json => enforce_rds_subnets/enforce_rds_subnets_mock.json} (100%) rename aws/{enforce_rds_subnets.test.rego => enforce_rds_subnets/enforce_rds_subnets_test.rego} (100%) rename aws/{ => enforce_s3_buckets_encryption}/enforce_s3_buckets_encryption.rego (100%) rename aws/{ => enforce_s3_buckets_encryption}/enforce_s3_buckets_encryption_mock.json (100%) rename aws/{ => enforce_s3_buckets_encryption}/enforce_s3_buckets_encryption_test.rego (100%) rename aws/{ => enforce_s3_private}/enforce_s3_private.rego (100%) rename aws/{enforce_s3_private.mock.json => enforce_s3_private/enforce_s3_private_mock.json} (100%) rename aws/{enforce_s3_private.test.rego => enforce_s3_private/enforce_s3_private_test.rego} (100%) rename aws/{ => enforce_sec_group}/enforce_sec_group.rego (96%) rename aws/{enforce_sec_group.mock.json => enforce_sec_group/enforce_sec_group_mock.json} (100%) rename aws/{enforce_sec_group.test.rego => enforce_sec_group/enforce_sec_group_test.rego} (100%) rename cost/{ => limit_monthly_cost}/limit_monthly_cost.rego (100%) rename cost/{ => limit_monthly_cost}/limit_monthly_cost_mock.json (100%) rename cost/{ => limit_monthly_cost}/limit_monthly_cost_test.rego (100%) rename cost/{ => limit_monthly_cost}/scalr-policy.hcl (100%) rename external_data/{ => random_decision}/random_decision.rego (100%) rename external_data/{ => random_decision}/random_decision_test.rego (100%) rename external_data/{ => random_decision}/scalr-policy.hcl (100%) rename gcp/{ => enforce_gcs_private}/enforce_gcs_private.rego (100%) rename gcp/{enforce_gcs_private.mock.json => enforce_gcs_private/enforce_gcs_private_mock.json} 
(100%) rename gcp/{enforce_gcs_private.test.rego => enforce_gcs_private/enforce_gcs_private_test.rego} (100%) rename management/{ => denied_provisioners}/denied_provisioners.rego (100%) rename management/{ => denied_provisioners}/denied_provisioners_mock.json (100%) rename management/{ => denied_provisioners}/denied_provisioners_test.rego (100%) rename management/{ => enforce_ami_owners}/enforce_ami_owners.rego (100%) rename management/{ => enforce_ami_owners}/enforce_ami_owners_mock.json (100%) rename management/{ => enforce_ami_owners}/enforce_ami_owners_test.rego (100%) rename management/{ => enforce_var_desc}/enforce_var_desc.mock.json (100%) rename management/{ => enforce_var_desc}/enforce_var_desc.rego (100%) rename management/{ => enforce_var_desc}/enforce_var_desc.test.rego (100%) rename management/{ => instance_types}/instance_types.rego (100%) rename management/{ => instance_types}/instance_types_mock.json (100%) rename management/{ => instance_types}/instance_types_test.rego (100%) rename management/{ => pull_requests}/pull_requests.rego (100%) rename management/{ => pull_requests}/pull_requests_mock.json (100%) rename management/{ => pull_requests}/pull_requests_test.rego (100%) rename management/{ => resource_tags_mock}/resource_tags.rego (100%) rename management/{ => resource_tags_mock}/resource_tags_mock.json (100%) rename management/{ => resource_tags_mock}/resource_tags_test.rego (100%) rename management/{ => whitelist_ami_mock}/whitelist_ami.rego (100%) rename management/{ => whitelist_ami_mock}/whitelist_ami_mock.json (100%) rename management/{ => whitelist_ami_mock}/whitelist_ami_test.rego (100%) rename management/{ => workspace_destroy}/workspace_destroy.rego (100%) rename management/{ => workspace_destroy}/workspace_destroy_mock.json (100%) rename management/{ => workspace_destroy}/workspace_destroy_test.rego (100%) rename management/{ => workspace_environment_type}/workspace_environment_type.rego (100%) rename management/{ => 
workspace_environment_type}/workspace_environment_type_mock.json (100%) rename management/{ => workspace_environment_type}/workspace_environment_type_test.rego (100%) rename management/{ => workspace_name}/workspace_name.rego (100%) rename management/{ => workspace_name}/workspace_name_mock.json (100%) rename management/{ => workspace_name}/workspace_name_test.rego (100%) rename management/{ => workspace_tags}/workspace_tags.rego (100%) rename management/{ => workspace_tags}/workspace_tags_mock.json (100%) rename management/{ => workspace_tags}/workspace_tags_test.rego (100%) rename modules/{ => pin_module_version}/pin_module_version.rego (100%) rename modules/{ => pin_module_version}/pin_module_version_mock.json (100%) rename modules/{ => pin_module_version}/pin_module_version_test.rego (100%) rename modules/{ => required_modules}/required_modules.rego (100%) rename modules/{ => required_modules}/required_modules_mock.json (100%) rename modules/{ => required_modules}/required_modules_test.rego (100%) rename placement/{ => cloud_location}/cloud_location.rego (100%) rename placement/{ => cloud_location}/cloud_location_mock.json (100%) rename placement/{ => cloud_location}/cloud_location_test.rego (100%) rename providers/{ => blacklist_provider}/blacklist_provider.rego (100%) create mode 100644 providers/blacklist_provider/blacklist_provider_mock.json rename providers/{ => blacklist_provider}/blacklist_provider_test.rego (100%) delete mode 100644 providers/blacklist_provider_mock.json rename user/{ => check_user}/user.rego (100%) rename user/{ => check_user}/user_mock.json (100%) rename user/{ => check_user}/user_test.rego (100%) diff --git a/.github/workflows/opa.yml b/.github/workflows/opa.yml index 81875e2..2ebe0a4 100644 --- a/.github/workflows/opa.yml +++ b/.github/workflows/opa.yml 
@@ -31,6 +31,7 @@ jobs: management/workspace_destroy.rego;management/workspace_destroy_test.rego;management/workspace_destroy_mock.json management/pull_requests.rego;management/pull_requests_test.rego;management/pull_requests_mock.json management/workspace_tags.rego;management/workspace_tags_test.rego;management/workspace_tags_mock.json + management/workspace_environment_type.rego;management/workspace_environment_type_еуіе.rego;management/workspace_environment_type_mock.json modules/pin_module_version.rego;modules/pin_module_version_test.rego;modules/pin_module_version_mock.json; modules/required_modules.rego;modules/required_modules_test.rego;modules/required_modules_mock.json; placement diff --git a/aws/enforce_aws_iam_and_workspace.rego b/aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace.rego similarity index 100% rename from aws/enforce_aws_iam_and_workspace.rego rename to aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace.rego diff --git a/aws/enforce_aws_iam_and_workspace_mock.json b/aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace_mock.json similarity index 100% rename from aws/enforce_aws_iam_and_workspace_mock.json rename to aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace_mock.json diff --git a/aws/enforce_aws_iam_and_workspace_test.rego b/aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace_test.rego similarity index 100% rename from aws/enforce_aws_iam_and_workspace_test.rego rename to aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace_test.rego diff --git a/aws/enforce_aws_resource.rego b/aws/enforce_aws_resource/enforce_aws_resource.rego similarity index 100% rename from aws/enforce_aws_resource.rego rename to aws/enforce_aws_resource/enforce_aws_resource.rego 
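Review bot: the added line in `.github/workflows/opa.yml` contains a typo that will make CI skip the new test: `management/workspace_environment_type_еуіе.rego` has Cyrillic letters where `test` should be (a keyboard-layout slip), so the path must read `management/workspace_environment_type_test.rego`. Beyond that, this commit moves every policy into a per-policy subdirectory (for example `management/{ => workspace_environment_type}/workspace_environment_type.rego` in the rename list), but the workflow entries, including the added one, still use the old flat paths such as `management/workspace_tags.rego`, so the whole list needs updating to the new `management/<policy>/<policy>.rego` layout or the workflow will not find any of the files.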
diff --git a/aws/enforce_aws_resource_mock.json b/aws/enforce_aws_resource/enforce_aws_resource_mock.json similarity index 100% rename from aws/enforce_aws_resource_mock.json rename to aws/enforce_aws_resource/enforce_aws_resource_mock.json diff --git a/aws/enforce_aws_resource_test.rego b/aws/enforce_aws_resource/enforce_aws_resource_test.rego similarity index 100% rename from aws/enforce_aws_resource_test.rego rename to aws/enforce_aws_resource/enforce_aws_resource_test.rego diff --git a/aws/enforce_cidr.rego b/aws/enforce_cidr/enforce_cidr.rego similarity index 100% rename from aws/enforce_cidr.rego rename to aws/enforce_cidr/enforce_cidr.rego diff --git a/aws/enforce_cidr.mock.json b/aws/enforce_cidr/enforce_cidr_mock.json similarity index 100% rename from aws/enforce_cidr.mock.json rename to aws/enforce_cidr/enforce_cidr_mock.json diff --git a/aws/enforce_cidr.test.rego b/aws/enforce_cidr/enforce_cidr_test.rego similarity index 100% rename from aws/enforce_cidr.test.rego rename to aws/enforce_cidr/enforce_cidr_test.rego diff --git a/aws/enforce_ebs_del_on_term.mock.json b/aws/enforce_ebs_del_on_term.mock.json deleted file mode 100644 index 1586179..0000000 --- a/aws/enforce_ebs_del_on_term.mock.json +++ /dev/null 
@@ -1,777 +0,0 @@ -{ - "mock": { - "invalid": { - "tfplan": { - "format_version": "0.1", - "terraform_version": "0.12.28", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "values": { - "ami": "ami-03f6f0014076ab3c5", - "credit_specification": [], - "disable_api_termination": null, - "ebs_block_device": [ - { - "delete_on_termination": false, - "device_name": "/dev/sda2" - }, - { - "delete_on_termination": true, - "device_name": "/dev/sda3" - } - ], - "ebs_optimized": null, - "get_password_data": false, - "hibernation": null, - "iam_instance_profile": null, - "instance_initiated_shutdown_behavior": null, - "instance_type": "t3.micro", - "monitoring": null, - "root_block_device": [ - { - "delete_on_termination": false - } - ], - "source_dest_check": true, - "tags": null, - "timeouts": null, - "user_data": null, - "user_data_base64": null - } - } - ] - } - }, - "resource_changes": [ - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_name": "registry.terraform.io/hashicorp/aws", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "ami": "ami-03f6f0014076ab3c5", - "credit_specification": [], - "disable_api_termination": null, - "ebs_block_device": [ - { - "delete_on_termination": false, - "device_name": "/dev/sda2" - }, - { - "delete_on_termination": true, - "device_name": "/dev/sda3" - } - ], - "ebs_optimized": null, - "get_password_data": false, - "hibernation": null, - "iam_instance_profile": null, - "instance_initiated_shutdown_behavior": null, - "instance_type": "t3.micro", - "monitoring": null, - "root_block_device": [ - { - "delete_on_termination": false - } - ], - "source_dest_check": true, - "tags": null, - "timeouts": null, - "user_data": null, - "user_data_base64": null - }, - 
"after_unknown": { - "arn": true, - "associate_public_ip_address": true, - "availability_zone": true, - "cpu_core_count": true, - "cpu_threads_per_core": true, - "credit_specification": [], - "ebs_block_device": [ - { - "encrypted": true, - "iops": true, - "kms_key_id": true, - "snapshot_id": true, - "volume_id": true, - "volume_size": true, - "volume_type": true - }, - { - "encrypted": true, - "iops": true, - "kms_key_id": true, - "snapshot_id": true, - "volume_id": true, - "volume_size": true, - "volume_type": true - } - ], - "ephemeral_block_device": true, - "host_id": true, - "id": true, - "instance_state": true, - "ipv6_address_count": true, - "ipv6_addresses": true, - "key_name": true, - "metadata_options": true, - "network_interface": true, - "outpost_arn": true, - "password_data": true, - "placement_group": true, - "primary_network_interface_id": true, - "private_dns": true, - "private_ip": true, - "public_dns": true, - "public_ip": true, - "root_block_device": [ - { - "device_name": true, - "encrypted": true, - "iops": true, - "kms_key_id": true, - "volume_id": true, - "volume_size": true, - "volume_type": true - } - ], - "secondary_private_ips": true, - "security_groups": true, - "subnet_id": true, - "tenancy": true, - "volume_tags": true, - "vpc_security_group_ids": true - } - } - } - ], - "prior_state": { - "format_version": "0.1", - "terraform_version": "0.12.28", - "values": { - "root_module": { - "resources": [ - { - "address": "data.aws_ami.ubuntu", - "mode": "data", - "type": "aws_ami", - "name": "ubuntu", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "values": { - "architecture": "x86_64", - "arn": "arn:aws:ec2:us-east-1::image/ami-03f6f0014076ab3c5", - "block_device_mappings": [ - { - "device_name": "/dev/sda1", - "ebs": { - "delete_on_termination": "true", - "encrypted": "false", - "iops": "0", - "snapshot_id": "snap-02d61473d2745f9b7", - "volume_size": "8", - "volume_type": "gp2" - }, - "no_device": "", - 
"virtual_name": "" - }, - { - "device_name": "/dev/sdb", - "ebs": {}, - "no_device": "", - "virtual_name": "ephemeral0" - }, - { - "device_name": "/dev/sdc", - "ebs": {}, - "no_device": "", - "virtual_name": "ephemeral1" - } - ], - "creation_date": "2020-09-04T22:45:42.000Z", - "description": "Canonical, Ubuntu, 20.04 LTS, amd64 focal image build on 2020-09-03", - "executable_users": null, - "filter": [ - { - "name": "name", - "values": [ - "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" - ] - }, - { - "name": "virtualization-type", - "values": [ - "hvm" - ] - } - ], - "hypervisor": "xen", - "id": "ami-03f6f0014076ab3c5", - "image_id": "ami-03f6f0014076ab3c5", - "image_location": "099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", - "image_owner_alias": null, - "image_type": "machine", - "kernel_id": null, - "most_recent": true, - "name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", - "name_regex": null, - "owner_id": "099720109477", - "owners": [ - "099720109477" - ], - "platform": null, - "product_codes": [], - "public": true, - "ramdisk_id": null, - "root_device_name": "/dev/sda1", - "root_device_type": "ebs", - "root_snapshot_id": "snap-02d61473d2745f9b7", - "sriov_net_support": "simple", - "state": "available", - "state_reason": { - "code": "UNSET", - "message": "UNSET" - }, - "tags": {}, - "virtualization_type": "hvm" - } - } - ] - } - } - }, - "configuration": { - "provider_config": { - "aws": { - "name": "aws", - "expressions": { - "region": { - "constant_value": "us-east-1" - } - } - } - }, - "root_module": { - "resources": [ - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_config_key": "aws", - "expressions": { - "ami": { - "references": [ - "data.aws_ami.ubuntu" - ] - }, - "ebs_block_device": [ - { - "delete_on_termination": { - "constant_value": false - }, - "device_name": { - "constant_value": "/dev/sda2" - } - }, - { - 
"delete_on_termination": { - "constant_value": true - }, - "device_name": { - "constant_value": "/dev/sda3" - } - } - ], - "instance_type": { - "constant_value": "t3.micro" - }, - "root_block_device": [ - { - "delete_on_termination": { - "constant_value": false - } - } - ] - }, - "schema_version": 1 - }, - { - "address": "data.aws_ami.ubuntu", - "mode": "data", - "type": "aws_ami", - "name": "ubuntu", - "provider_config_key": "aws", - "expressions": { - "filter": [ - { - "name": { - "constant_value": "name" - }, - "values": { - "constant_value": [ - "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" - ] - } - }, - { - "name": { - "constant_value": "virtualization-type" - }, - "values": { - "constant_value": [ - "hvm" - ] - } - } - ], - "most_recent": { - "constant_value": true - }, - "owners": { - "constant_value": [ - "099720109477" - ] - } - }, - "schema_version": 0 - } - ] - } - } - }, - "tfrun": { - "workspace": { - "name": "opa-dev", - "description": null, - "auto_apply": false, - "working_directory": null, - "tags": {} - }, - "environment": { - "id": "env-t2daq8tprsifel8", - "name": "pg-opa-dev" - }, - "vcs": null, - "cost_estimate": { - "prior_monthly_cost": 0, - "proposed_monthly_cost": 8.39, - "delta_monthly_cost": 8.39 - }, - "credentials": { - "ec2": "cred-stsfnc76g3pknk8" - }, - "source": "cli", - "message": "Queued manually using Terraform", - "is_destroy": false, - "is_dry": true, - "created_by": { - "name": "", - "email": "xxxxx@scalr.com", - "username": "xxxxx@scalr.com" - } - } - }, - "valid": { - "tfplan": { - "format_version": "0.1", - "terraform_version": "0.12.28", - "planned_values": { - "root_module": { - "resources": [ - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 1, - "values": { - "ami": "ami-03f6f0014076ab3c5", - "credit_specification": [], - "disable_api_termination": null, - "ebs_block_device": [ - 
{ - "delete_on_termination": true, - "device_name": "/dev/sda2" - }, - { - "delete_on_termination": true, - "device_name": "/dev/sda3" - } - ], - "ebs_optimized": null, - "get_password_data": false, - "hibernation": null, - "iam_instance_profile": null, - "instance_initiated_shutdown_behavior": null, - "instance_type": "t3.micro", - "monitoring": null, - "root_block_device": [ - { - "delete_on_termination": true - } - ], - "source_dest_check": true, - "tags": null, - "timeouts": null, - "user_data": null, - "user_data_base64": null - } - } - ] - } - }, - "resource_changes": [ - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_name": "registry.terraform.io/hashicorp/aws", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "ami": "ami-03f6f0014076ab3c5", - "credit_specification": [], - "disable_api_termination": null, - "ebs_block_device": [ - { - "delete_on_termination": true, - "device_name": "/dev/sda2" - }, - { - "delete_on_termination": true, - "device_name": "/dev/sda3" - } - ], - "ebs_optimized": null, - "get_password_data": false, - "hibernation": null, - "iam_instance_profile": null, - "instance_initiated_shutdown_behavior": null, - "instance_type": "t3.micro", - "monitoring": null, - "root_block_device": [ - { - "delete_on_termination": true - } - ], - "source_dest_check": true, - "tags": null, - "timeouts": null, - "user_data": null, - "user_data_base64": null - }, - "after_unknown": { - "arn": true, - "associate_public_ip_address": true, - "availability_zone": true, - "cpu_core_count": true, - "cpu_threads_per_core": true, - "credit_specification": [], - "ebs_block_device": [ - { - "encrypted": true, - "iops": true, - "kms_key_id": true, - "snapshot_id": true, - "volume_id": true, - "volume_size": true, - "volume_type": true - }, - { - "encrypted": true, - "iops": true, - "kms_key_id": true, - "snapshot_id": true, - "volume_id": true, - "volume_size": true, - 
"volume_type": true - } - ], - "ephemeral_block_device": true, - "host_id": true, - "id": true, - "instance_state": true, - "ipv6_address_count": true, - "ipv6_addresses": true, - "key_name": true, - "metadata_options": true, - "network_interface": true, - "outpost_arn": true, - "password_data": true, - "placement_group": true, - "primary_network_interface_id": true, - "private_dns": true, - "private_ip": true, - "public_dns": true, - "public_ip": true, - "root_block_device": [ - { - "device_name": true, - "encrypted": true, - "iops": true, - "kms_key_id": true, - "volume_id": true, - "volume_size": true, - "volume_type": true - } - ], - "secondary_private_ips": true, - "security_groups": true, - "subnet_id": true, - "tenancy": true, - "volume_tags": true, - "vpc_security_group_ids": true - } - } - } - ], - "prior_state": { - "format_version": "0.1", - "terraform_version": "0.12.28", - "values": { - "root_module": { - "resources": [ - { - "address": "data.aws_ami.ubuntu", - "mode": "data", - "type": "aws_ami", - "name": "ubuntu", - "provider_name": "registry.terraform.io/hashicorp/aws", - "schema_version": 0, - "values": { - "architecture": "x86_64", - "arn": "arn:aws:ec2:us-east-1::image/ami-03f6f0014076ab3c5", - "block_device_mappings": [ - { - "device_name": "/dev/sda1", - "ebs": { - "delete_on_termination": "true", - "encrypted": "false", - "iops": "0", - "snapshot_id": "snap-02d61473d2745f9b7", - "volume_size": "8", - "volume_type": "gp2" - }, - "no_device": "", - "virtual_name": "" - }, - { - "device_name": "/dev/sdb", - "ebs": {}, - "no_device": "", - "virtual_name": "ephemeral0" - }, - { - "device_name": "/dev/sdc", - "ebs": {}, - "no_device": "", - "virtual_name": "ephemeral1" - } - ], - "creation_date": "2020-09-04T22:45:42.000Z", - "description": "Canonical, Ubuntu, 20.04 LTS, amd64 focal image build on 2020-09-03", - "executable_users": null, - "filter": [ - { - "name": "name", - "values": [ - "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" - 
] - }, - { - "name": "virtualization-type", - "values": [ - "hvm" - ] - } - ], - "hypervisor": "xen", - "id": "ami-03f6f0014076ab3c5", - "image_id": "ami-03f6f0014076ab3c5", - "image_location": "099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", - "image_owner_alias": null, - "image_type": "machine", - "kernel_id": null, - "most_recent": true, - "name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", - "name_regex": null, - "owner_id": "099720109477", - "owners": [ - "099720109477" - ], - "platform": null, - "product_codes": [], - "public": true, - "ramdisk_id": null, - "root_device_name": "/dev/sda1", - "root_device_type": "ebs", - "root_snapshot_id": "snap-02d61473d2745f9b7", - "sriov_net_support": "simple", - "state": "available", - "state_reason": { - "code": "UNSET", - "message": "UNSET" - }, - "tags": {}, - "virtualization_type": "hvm" - } - } - ] - } - } - }, - "configuration": { - "provider_config": { - "aws": { - "name": "aws", - "expressions": { - "region": { - "constant_value": "us-east-1" - } - } - } - }, - "root_module": { - "resources": [ - { - "address": "aws_instance.web", - "mode": "managed", - "type": "aws_instance", - "name": "web", - "provider_config_key": "aws", - "expressions": { - "ami": { - "references": [ - "data.aws_ami.ubuntu" - ] - }, - "ebs_block_device": [ - { - "delete_on_termination": { - "constant_value": true - }, - "device_name": { - "constant_value": "/dev/sda2" - } - }, - { - "delete_on_termination": { - "constant_value": true - }, - "device_name": { - "constant_value": "/dev/sda3" - } - } - ], - "instance_type": { - "constant_value": "t3.micro" - }, - "root_block_device": [ - { - "delete_on_termination": { - "constant_value": true - } - } - ] - }, - "schema_version": 1 - }, - { - "address": "data.aws_ami.ubuntu", - "mode": "data", - "type": "aws_ami", - "name": "ubuntu", - "provider_config_key": "aws", - "expressions": { - "filter": [ - { - "name": { - "constant_value": "name" - }, - 
"values": { - "constant_value": [ - "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" - ] - } - }, - { - "name": { - "constant_value": "virtualization-type" - }, - "values": { - "constant_value": [ - "hvm" - ] - } - } - ], - "most_recent": { - "constant_value": true - }, - "owners": { - "constant_value": [ - "099720109477" - ] - } - }, - "schema_version": 0 - } - ] - } - } - }, - "tfrun": { - "workspace": { - "name": "opa-dev", - "description": null, - "auto_apply": false, - "working_directory": null, - "tags": {} - }, - "environment": { - "id": "env-t2daq8tprsifel8", - "name": "pg-opa-dev" - }, - "vcs": null, - "cost_estimate": { - "prior_monthly_cost": 0, - "proposed_monthly_cost": 8.39, - "delta_monthly_cost": 8.39 - }, - "credentials": { - "ec2": "cred-stsfnc76g3pknk8" - }, - "source": "cli", - "message": "Queued manually using Terraform", - "is_destroy": false, - "is_dry": true, - "created_by": { - "name": "", - "email": "xxxxx@scalr.com", - "username": "xxxxx@scalr.com" - } - } - } - } - } - diff --git a/aws/enforce_ebs_del_on_term.rego b/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego similarity index 96% rename from aws/enforce_ebs_del_on_term.rego rename to aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego index b257a9f..8a57d2a 100644 --- a/aws/enforce_ebs_del_on_term.rego +++ b/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego @@ -4,7 +4,6 @@ package terraform import input.tfplan as tfplan -import input.tfrun as tfrun # Check root volume @@ -31,4 +30,4 @@ deny[reason] { "%-40s :: Device %s :: delete_on_termination must = true for 'ebs_block_device'", [r.address, ebd.device_name] ) -} \ No newline at end of file +} diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json b/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json new file mode 100644 index 0000000..f4be068 --- /dev/null +++ b/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json 
@@ -0,0 +1,776 @@ +{ + "mock": { + "invalid": { + "tfplan": { + "format_version": "0.1", + "terraform_version": "0.12.28", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "values": { + "ami": "ami-03f6f0014076ab3c5", + "credit_specification": [], + "disable_api_termination": null, + "ebs_block_device": [ + { + "delete_on_termination": false, + "device_name": "/dev/sda2" + }, + { + "delete_on_termination": true, + "device_name": "/dev/sda3" + } + ], + "ebs_optimized": null, + "get_password_data": false, + "hibernation": null, + "iam_instance_profile": null, + "instance_initiated_shutdown_behavior": null, + "instance_type": "t3.micro", + "monitoring": null, + "root_block_device": [ + { + "delete_on_termination": false + } + ], + "source_dest_check": true, + "tags": null, + "timeouts": null, + "user_data": null, + "user_data_base64": null + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "ami": "ami-03f6f0014076ab3c5", + "credit_specification": [], + "disable_api_termination": null, + "ebs_block_device": [ + { + "delete_on_termination": false, + "device_name": "/dev/sda2" + }, + { + "delete_on_termination": true, + "device_name": "/dev/sda3" + } + ], + "ebs_optimized": null, + "get_password_data": false, + "hibernation": null, + "iam_instance_profile": null, + "instance_initiated_shutdown_behavior": null, + "instance_type": "t3.micro", + "monitoring": null, + "root_block_device": [ + { + "delete_on_termination": false + } + ], + "source_dest_check": true, + "tags": null, + "timeouts": null, + "user_data": null, + "user_data_base64": null + }, + 
"after_unknown": { + "arn": true, + "associate_public_ip_address": true, + "availability_zone": true, + "cpu_core_count": true, + "cpu_threads_per_core": true, + "credit_specification": [], + "ebs_block_device": [ + { + "encrypted": true, + "iops": true, + "kms_key_id": true, + "snapshot_id": true, + "volume_id": true, + "volume_size": true, + "volume_type": true + }, + { + "encrypted": true, + "iops": true, + "kms_key_id": true, + "snapshot_id": true, + "volume_id": true, + "volume_size": true, + "volume_type": true + } + ], + "ephemeral_block_device": true, + "host_id": true, + "id": true, + "instance_state": true, + "ipv6_address_count": true, + "ipv6_addresses": true, + "key_name": true, + "metadata_options": true, + "network_interface": true, + "outpost_arn": true, + "password_data": true, + "placement_group": true, + "primary_network_interface_id": true, + "private_dns": true, + "private_ip": true, + "public_dns": true, + "public_ip": true, + "root_block_device": [ + { + "device_name": true, + "encrypted": true, + "iops": true, + "kms_key_id": true, + "volume_id": true, + "volume_size": true, + "volume_type": true + } + ], + "secondary_private_ips": true, + "security_groups": true, + "subnet_id": true, + "tenancy": true, + "volume_tags": true, + "vpc_security_group_ids": true + } + } + } + ], + "prior_state": { + "format_version": "0.1", + "terraform_version": "0.12.28", + "values": { + "root_module": { + "resources": [ + { + "address": "data.aws_ami.ubuntu", + "mode": "data", + "type": "aws_ami", + "name": "ubuntu", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "architecture": "x86_64", + "arn": "arn:aws:ec2:us-east-1::image/ami-03f6f0014076ab3c5", + "block_device_mappings": [ + { + "device_name": "/dev/sda1", + "ebs": { + "delete_on_termination": "true", + "encrypted": "false", + "iops": "0", + "snapshot_id": "snap-02d61473d2745f9b7", + "volume_size": "8", + "volume_type": "gp2" + }, + "no_device": "", + 
"virtual_name": "" + }, + { + "device_name": "/dev/sdb", + "ebs": {}, + "no_device": "", + "virtual_name": "ephemeral0" + }, + { + "device_name": "/dev/sdc", + "ebs": {}, + "no_device": "", + "virtual_name": "ephemeral1" + } + ], + "creation_date": "2020-09-04T22:45:42.000Z", + "description": "Canonical, Ubuntu, 20.04 LTS, amd64 focal image build on 2020-09-03", + "executable_users": null, + "filter": [ + { + "name": "name", + "values": [ + "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" + ] + }, + { + "name": "virtualization-type", + "values": [ + "hvm" + ] + } + ], + "hypervisor": "xen", + "id": "ami-03f6f0014076ab3c5", + "image_id": "ami-03f6f0014076ab3c5", + "image_location": "099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", + "image_owner_alias": null, + "image_type": "machine", + "kernel_id": null, + "most_recent": true, + "name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", + "name_regex": null, + "owner_id": "099720109477", + "owners": [ + "099720109477" + ], + "platform": null, + "product_codes": [], + "public": true, + "ramdisk_id": null, + "root_device_name": "/dev/sda1", + "root_device_type": "ebs", + "root_snapshot_id": "snap-02d61473d2745f9b7", + "sriov_net_support": "simple", + "state": "available", + "state_reason": { + "code": "UNSET", + "message": "UNSET" + }, + "tags": {}, + "virtualization_type": "hvm" + } + } + ] + } + } + }, + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "expressions": { + "region": { + "constant_value": "us-east-1" + } + } + } + }, + "root_module": { + "resources": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_config_key": "aws", + "expressions": { + "ami": { + "references": [ + "data.aws_ami.ubuntu" + ] + }, + "ebs_block_device": [ + { + "delete_on_termination": { + "constant_value": false + }, + "device_name": { + "constant_value": "/dev/sda2" + } + }, + { + 
"delete_on_termination": { + "constant_value": true + }, + "device_name": { + "constant_value": "/dev/sda3" + } + } + ], + "instance_type": { + "constant_value": "t3.micro" + }, + "root_block_device": [ + { + "delete_on_termination": { + "constant_value": false + } + } + ] + }, + "schema_version": 1 + }, + { + "address": "data.aws_ami.ubuntu", + "mode": "data", + "type": "aws_ami", + "name": "ubuntu", + "provider_config_key": "aws", + "expressions": { + "filter": [ + { + "name": { + "constant_value": "name" + }, + "values": { + "constant_value": [ + "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" + ] + } + }, + { + "name": { + "constant_value": "virtualization-type" + }, + "values": { + "constant_value": [ + "hvm" + ] + } + } + ], + "most_recent": { + "constant_value": true + }, + "owners": { + "constant_value": [ + "099720109477" + ] + } + }, + "schema_version": 0 + } + ] + } + } + }, + "tfrun": { + "workspace": { + "name": "opa-dev", + "description": null, + "auto_apply": false, + "working_directory": null, + "tags": {} + }, + "environment": { + "id": "env-t2daq8tprsifel8", + "name": "pg-opa-dev" + }, + "vcs": null, + "cost_estimate": { + "prior_monthly_cost": 0, + "proposed_monthly_cost": 8.39, + "delta_monthly_cost": 8.39 + }, + "credentials": { + "ec2": "cred-stsfnc76g3pknk8" + }, + "source": "cli", + "message": "Queued manually using Terraform", + "is_destroy": false, + "is_dry": true, + "created_by": { + "name": "", + "email": "xxxxx@scalr.com", + "username": "xxxxx@scalr.com" + } + } + }, + "valid": { + "tfplan": { + "format_version": "0.1", + "terraform_version": "0.12.28", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 1, + "values": { + "ami": "ami-03f6f0014076ab3c5", + "credit_specification": [], + "disable_api_termination": null, + "ebs_block_device": [ + 
{ + "delete_on_termination": true, + "device_name": "/dev/sda2" + }, + { + "delete_on_termination": true, + "device_name": "/dev/sda3" + } + ], + "ebs_optimized": null, + "get_password_data": false, + "hibernation": null, + "iam_instance_profile": null, + "instance_initiated_shutdown_behavior": null, + "instance_type": "t3.micro", + "monitoring": null, + "root_block_device": [ + { + "delete_on_termination": true + } + ], + "source_dest_check": true, + "tags": null, + "timeouts": null, + "user_data": null, + "user_data_base64": null + } + } + ] + } + }, + "resource_changes": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "ami": "ami-03f6f0014076ab3c5", + "credit_specification": [], + "disable_api_termination": null, + "ebs_block_device": [ + { + "delete_on_termination": true, + "device_name": "/dev/sda2" + }, + { + "delete_on_termination": true, + "device_name": "/dev/sda3" + } + ], + "ebs_optimized": null, + "get_password_data": false, + "hibernation": null, + "iam_instance_profile": null, + "instance_initiated_shutdown_behavior": null, + "instance_type": "t3.micro", + "monitoring": null, + "root_block_device": [ + { + "delete_on_termination": true + } + ], + "source_dest_check": true, + "tags": null, + "timeouts": null, + "user_data": null, + "user_data_base64": null + }, + "after_unknown": { + "arn": true, + "associate_public_ip_address": true, + "availability_zone": true, + "cpu_core_count": true, + "cpu_threads_per_core": true, + "credit_specification": [], + "ebs_block_device": [ + { + "encrypted": true, + "iops": true, + "kms_key_id": true, + "snapshot_id": true, + "volume_id": true, + "volume_size": true, + "volume_type": true + }, + { + "encrypted": true, + "iops": true, + "kms_key_id": true, + "snapshot_id": true, + "volume_id": true, + "volume_size": true, + 
"volume_type": true + } + ], + "ephemeral_block_device": true, + "host_id": true, + "id": true, + "instance_state": true, + "ipv6_address_count": true, + "ipv6_addresses": true, + "key_name": true, + "metadata_options": true, + "network_interface": true, + "outpost_arn": true, + "password_data": true, + "placement_group": true, + "primary_network_interface_id": true, + "private_dns": true, + "private_ip": true, + "public_dns": true, + "public_ip": true, + "root_block_device": [ + { + "device_name": true, + "encrypted": true, + "iops": true, + "kms_key_id": true, + "volume_id": true, + "volume_size": true, + "volume_type": true + } + ], + "secondary_private_ips": true, + "security_groups": true, + "subnet_id": true, + "tenancy": true, + "volume_tags": true, + "vpc_security_group_ids": true + } + } + } + ], + "prior_state": { + "format_version": "0.1", + "terraform_version": "0.12.28", + "values": { + "root_module": { + "resources": [ + { + "address": "data.aws_ami.ubuntu", + "mode": "data", + "type": "aws_ami", + "name": "ubuntu", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "values": { + "architecture": "x86_64", + "arn": "arn:aws:ec2:us-east-1::image/ami-03f6f0014076ab3c5", + "block_device_mappings": [ + { + "device_name": "/dev/sda1", + "ebs": { + "delete_on_termination": "true", + "encrypted": "false", + "iops": "0", + "snapshot_id": "snap-02d61473d2745f9b7", + "volume_size": "8", + "volume_type": "gp2" + }, + "no_device": "", + "virtual_name": "" + }, + { + "device_name": "/dev/sdb", + "ebs": {}, + "no_device": "", + "virtual_name": "ephemeral0" + }, + { + "device_name": "/dev/sdc", + "ebs": {}, + "no_device": "", + "virtual_name": "ephemeral1" + } + ], + "creation_date": "2020-09-04T22:45:42.000Z", + "description": "Canonical, Ubuntu, 20.04 LTS, amd64 focal image build on 2020-09-03", + "executable_users": null, + "filter": [ + { + "name": "name", + "values": [ + "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" + 
] + }, + { + "name": "virtualization-type", + "values": [ + "hvm" + ] + } + ], + "hypervisor": "xen", + "id": "ami-03f6f0014076ab3c5", + "image_id": "ami-03f6f0014076ab3c5", + "image_location": "099720109477/ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", + "image_owner_alias": null, + "image_type": "machine", + "kernel_id": null, + "most_recent": true, + "name": "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20200903", + "name_regex": null, + "owner_id": "099720109477", + "owners": [ + "099720109477" + ], + "platform": null, + "product_codes": [], + "public": true, + "ramdisk_id": null, + "root_device_name": "/dev/sda1", + "root_device_type": "ebs", + "root_snapshot_id": "snap-02d61473d2745f9b7", + "sriov_net_support": "simple", + "state": "available", + "state_reason": { + "code": "UNSET", + "message": "UNSET" + }, + "tags": {}, + "virtualization_type": "hvm" + } + } + ] + } + } + }, + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "expressions": { + "region": { + "constant_value": "us-east-1" + } + } + } + }, + "root_module": { + "resources": [ + { + "address": "aws_instance.web", + "mode": "managed", + "type": "aws_instance", + "name": "web", + "provider_config_key": "aws", + "expressions": { + "ami": { + "references": [ + "data.aws_ami.ubuntu" + ] + }, + "ebs_block_device": [ + { + "delete_on_termination": { + "constant_value": true + }, + "device_name": { + "constant_value": "/dev/sda2" + } + }, + { + "delete_on_termination": { + "constant_value": true + }, + "device_name": { + "constant_value": "/dev/sda3" + } + } + ], + "instance_type": { + "constant_value": "t3.micro" + }, + "root_block_device": [ + { + "delete_on_termination": { + "constant_value": true + } + } + ] + }, + "schema_version": 1 + }, + { + "address": "data.aws_ami.ubuntu", + "mode": "data", + "type": "aws_ami", + "name": "ubuntu", + "provider_config_key": "aws", + "expressions": { + "filter": [ + { + "name": { + "constant_value": "name" + }, + 
"values": { + "constant_value": [ + "ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-*" + ] + } + }, + { + "name": { + "constant_value": "virtualization-type" + }, + "values": { + "constant_value": [ + "hvm" + ] + } + } + ], + "most_recent": { + "constant_value": true + }, + "owners": { + "constant_value": [ + "099720109477" + ] + } + }, + "schema_version": 0 + } + ] + } + } + }, + "tfrun": { + "workspace": { + "name": "opa-dev", + "description": null, + "auto_apply": false, + "working_directory": null, + "tags": {} + }, + "environment": { + "id": "env-t2daq8tprsifel8", + "name": "pg-opa-dev" + }, + "vcs": null, + "cost_estimate": { + "prior_monthly_cost": 0, + "proposed_monthly_cost": 8.39, + "delta_monthly_cost": 8.39 + }, + "credentials": { + "ec2": "cred-stsfnc76g3pknk8" + }, + "source": "cli", + "message": "Queued manually using Terraform", + "is_destroy": false, + "is_dry": true, + "created_by": { + "name": "", + "email": "xxxxx@scalr.com", + "username": "xxxxx@scalr.com" + } + } + } + } +} diff --git a/aws/enforce_ebs_del_on_term.test.rego b/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego similarity index 100% rename from aws/enforce_ebs_del_on_term.test.rego rename to aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego diff --git a/aws/enforce_iam_instance_profiles.rego b/aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles.rego similarity index 95% rename from aws/enforce_iam_instance_profiles.rego rename to aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles.rego index cb44200..5131467 100644 --- a/aws/enforce_iam_instance_profiles.rego +++ b/aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles.rego @@ -4,7 +4,6 @@ package terraform import input.tfplan as tfplan -import input.tfrun as tfrun allowed_iam_profiles = [ "my_iam_profile", @@ -31,4 +30,4 @@ deny[reason] { "%-40s :: iam_instance_profile '%s' is not allowed.", [resource.address, iam] ) -} \ No newline at end of file +} 
diff --git a/aws/enforce_iam_instance_profiles.mock.json b/aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles_mock.json similarity index 100% rename from aws/enforce_iam_instance_profiles.mock.json rename to aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles_mock.json diff --git a/aws/enforce_iam_instance_profiles.test.rego b/aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles_test.rego similarity index 100% rename from aws/enforce_iam_instance_profiles.test.rego rename to aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles_test.rego diff --git a/aws/enforce_instance_subnet.rego b/aws/enforce_instance_subnet/enforce_instance_subnet.rego similarity index 97% rename from aws/enforce_instance_subnet.rego rename to aws/enforce_instance_subnet/enforce_instance_subnet.rego index 7e11fd2..f4a02ad 100644 --- a/aws/enforce_instance_subnet.rego +++ b/aws/enforce_instance_subnet/enforce_instance_subnet.rego @@ -4,7 +4,6 @@ package terraform import input.tfplan as tfplan -import input.tfrun as tfrun # Add only private subnets to this list. # NOTE: OPA cannot validate that a subnet is private unless the terraform config is actaully creating the subnet. diff --git a/aws/enforce_instance_subnet.mock.json b/aws/enforce_instance_subnet/enforce_instance_subnet_mock.json similarity index 100% rename from aws/enforce_instance_subnet.mock.json rename to aws/enforce_instance_subnet/enforce_instance_subnet_mock.json diff --git a/aws/enforce_instance_subnet.test.rego b/aws/enforce_instance_subnet/enforce_instance_subnet_test.rego similarity index 100% rename from aws/enforce_instance_subnet.test.rego rename to aws/enforce_instance_subnet/enforce_instance_subnet_test.rego diff --git a/aws/enforce_kms_key_names.rego b/aws/enforce_kms_key_names/enforce_kms_key_names.rego similarity index 100% rename from aws/enforce_kms_key_names.rego rename to aws/enforce_kms_key_names/enforce_kms_key_names.rego 
diff --git a/aws/enforce_kms_key_names.mock.json b/aws/enforce_kms_key_names/enforce_kms_key_names_mock.json similarity index 100% rename from aws/enforce_kms_key_names.mock.json rename to aws/enforce_kms_key_names/enforce_kms_key_names_mock.json diff --git a/aws/enforce_kms_key_names.test.rego b/aws/enforce_kms_key_names/enforce_kms_key_names_test.rego similarity index 100% rename from aws/enforce_kms_key_names.test.rego rename to aws/enforce_kms_key_names/enforce_kms_key_names_test.rego diff --git a/aws/enforce_lb_subnets.rego b/aws/enforce_lb_subnets/enforce_lb_subnets.rego similarity index 96% rename from aws/enforce_lb_subnets.rego rename to aws/enforce_lb_subnets/enforce_lb_subnets.rego index a7e9432..a834ae0 100644 --- a/aws/enforce_lb_subnets.rego +++ b/aws/enforce_lb_subnets/enforce_lb_subnets.rego @@ -3,7 +3,6 @@ package terraform import input.tfplan as tfplan -import input.tfrun as tfrun # Add only private subnets to this list. # NOTE: OPA cannot validate that a subnet is private unless the terraform config is actaully creating the subnet. @@ -33,4 +32,4 @@ deny[reason] { "%-40s :: subnet_id '%s' is public and not allowed!", [r.address, sid] ) -} \ No newline at end of file +} diff --git a/aws/enforce_lb_subnets.mock.json b/aws/enforce_lb_subnets/enforce_lb_subnets_mock.json similarity index 100% rename from aws/enforce_lb_subnets.mock.json rename to aws/enforce_lb_subnets/enforce_lb_subnets_mock.json diff --git a/aws/enforce_lb_subnets.test.rego b/aws/enforce_lb_subnets/enforce_lb_subnets_test.rego similarity index 100% rename from aws/enforce_lb_subnets.test.rego rename to aws/enforce_lb_subnets/enforce_lb_subnets_test.rego diff --git a/aws/enforce_rds_subnets.rego b/aws/enforce_rds_subnets/enforce_rds_subnets.rego similarity index 96% rename from aws/enforce_rds_subnets.rego rename to aws/enforce_rds_subnets/enforce_rds_subnets.rego index c100428..e659da2 100644 --- a/aws/enforce_rds_subnets.rego +++ b/aws/enforce_rds_subnets/enforce_rds_subnets.rego 
@@ -3,7 +3,6 @@ package terraform import input.tfplan as tfplan -import input.tfrun as tfrun # Add only private subnets to this list. # NOTE: OPA cannot validate that a subnet is private unless the terraform config is actaully creating the subnet. diff --git a/aws/enforce_rds_subnets.mock.json b/aws/enforce_rds_subnets/enforce_rds_subnets_mock.json similarity index 100% rename from aws/enforce_rds_subnets.mock.json rename to aws/enforce_rds_subnets/enforce_rds_subnets_mock.json diff --git a/aws/enforce_rds_subnets.test.rego b/aws/enforce_rds_subnets/enforce_rds_subnets_test.rego similarity index 100% rename from aws/enforce_rds_subnets.test.rego rename to aws/enforce_rds_subnets/enforce_rds_subnets_test.rego diff --git a/aws/enforce_s3_buckets_encryption.rego b/aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption.rego similarity index 100% rename from aws/enforce_s3_buckets_encryption.rego rename to aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption.rego diff --git a/aws/enforce_s3_buckets_encryption_mock.json b/aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption_mock.json similarity index 100% rename from aws/enforce_s3_buckets_encryption_mock.json rename to aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption_mock.json diff --git a/aws/enforce_s3_buckets_encryption_test.rego b/aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption_test.rego similarity index 100% rename from aws/enforce_s3_buckets_encryption_test.rego rename to aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption_test.rego diff --git a/aws/enforce_s3_private.rego b/aws/enforce_s3_private/enforce_s3_private.rego similarity index 100% rename from aws/enforce_s3_private.rego rename to aws/enforce_s3_private/enforce_s3_private.rego 
diff --git a/aws/enforce_s3_private.mock.json b/aws/enforce_s3_private/enforce_s3_private_mock.json similarity index 100% rename from aws/enforce_s3_private.mock.json rename to aws/enforce_s3_private/enforce_s3_private_mock.json diff --git a/aws/enforce_s3_private.test.rego b/aws/enforce_s3_private/enforce_s3_private_test.rego similarity index 100% rename from aws/enforce_s3_private.test.rego rename to aws/enforce_s3_private/enforce_s3_private_test.rego diff --git a/aws/enforce_sec_group.rego b/aws/enforce_sec_group/enforce_sec_group.rego similarity index 96% rename from aws/enforce_sec_group.rego rename to aws/enforce_sec_group/enforce_sec_group.rego index 902cf94..330758d 100644 --- a/aws/enforce_sec_group.rego +++ b/aws/enforce_sec_group/enforce_sec_group.rego @@ -3,7 +3,6 @@ package terraform import input.tfplan as tfplan -import input.tfrun as tfrun required_sg := "sg-0434611e67ac24e27" @@ -32,4 +31,4 @@ deny[reason] { "%-40s :: security group '%s' must be included in list", [r.address,required_sg] ) -} \ No newline at end of file +} diff --git a/aws/enforce_sec_group.mock.json b/aws/enforce_sec_group/enforce_sec_group_mock.json similarity index 100% rename from aws/enforce_sec_group.mock.json rename to aws/enforce_sec_group/enforce_sec_group_mock.json diff --git a/aws/enforce_sec_group.test.rego b/aws/enforce_sec_group/enforce_sec_group_test.rego similarity index 100% rename from aws/enforce_sec_group.test.rego rename to aws/enforce_sec_group/enforce_sec_group_test.rego diff --git a/cost/limit_monthly_cost.rego b/cost/limit_monthly_cost/limit_monthly_cost.rego similarity index 100% rename from cost/limit_monthly_cost.rego rename to cost/limit_monthly_cost/limit_monthly_cost.rego diff --git a/cost/limit_monthly_cost_mock.json b/cost/limit_monthly_cost/limit_monthly_cost_mock.json similarity index 100% rename from cost/limit_monthly_cost_mock.json rename to cost/limit_monthly_cost/limit_monthly_cost_mock.json 
diff --git a/cost/limit_monthly_cost_test.rego b/cost/limit_monthly_cost/limit_monthly_cost_test.rego similarity index 100% rename from cost/limit_monthly_cost_test.rego rename to cost/limit_monthly_cost/limit_monthly_cost_test.rego diff --git a/cost/scalr-policy.hcl b/cost/limit_monthly_cost/scalr-policy.hcl similarity index 100% rename from cost/scalr-policy.hcl rename to cost/limit_monthly_cost/scalr-policy.hcl diff --git a/external_data/random_decision.rego b/external_data/random_decision/random_decision.rego similarity index 100% rename from external_data/random_decision.rego rename to external_data/random_decision/random_decision.rego diff --git a/external_data/random_decision_test.rego b/external_data/random_decision/random_decision_test.rego similarity index 100% rename from external_data/random_decision_test.rego rename to external_data/random_decision/random_decision_test.rego diff --git a/external_data/scalr-policy.hcl b/external_data/random_decision/scalr-policy.hcl similarity index 100% rename from external_data/scalr-policy.hcl rename to external_data/random_decision/scalr-policy.hcl diff --git a/gcp/enforce_gcs_private.rego b/gcp/enforce_gcs_private/enforce_gcs_private.rego similarity index 100% rename from gcp/enforce_gcs_private.rego rename to gcp/enforce_gcs_private/enforce_gcs_private.rego diff --git a/gcp/enforce_gcs_private.mock.json b/gcp/enforce_gcs_private/enforce_gcs_private_mock.json similarity index 100% rename from gcp/enforce_gcs_private.mock.json rename to gcp/enforce_gcs_private/enforce_gcs_private_mock.json diff --git a/gcp/enforce_gcs_private.test.rego b/gcp/enforce_gcs_private/enforce_gcs_private_test.rego similarity index 100% rename from gcp/enforce_gcs_private.test.rego rename to gcp/enforce_gcs_private/enforce_gcs_private_test.rego 
diff --git a/management/denied_provisioners.rego b/management/denied_provisioners/denied_provisioners.rego similarity index 100% rename from management/denied_provisioners.rego rename to management/denied_provisioners/denied_provisioners.rego diff --git a/management/denied_provisioners_mock.json b/management/denied_provisioners/denied_provisioners_mock.json similarity index 100% rename from management/denied_provisioners_mock.json rename to management/denied_provisioners/denied_provisioners_mock.json diff --git a/management/denied_provisioners_test.rego b/management/denied_provisioners/denied_provisioners_test.rego similarity index 100% rename from management/denied_provisioners_test.rego rename to management/denied_provisioners/denied_provisioners_test.rego diff --git a/management/enforce_ami_owners.rego b/management/enforce_ami_owners/enforce_ami_owners.rego similarity index 100% rename from management/enforce_ami_owners.rego rename to management/enforce_ami_owners/enforce_ami_owners.rego diff --git a/management/enforce_ami_owners_mock.json b/management/enforce_ami_owners/enforce_ami_owners_mock.json similarity index 100% rename from management/enforce_ami_owners_mock.json rename to management/enforce_ami_owners/enforce_ami_owners_mock.json diff --git a/management/enforce_ami_owners_test.rego b/management/enforce_ami_owners/enforce_ami_owners_test.rego similarity index 100% rename from management/enforce_ami_owners_test.rego rename to management/enforce_ami_owners/enforce_ami_owners_test.rego diff --git a/management/enforce_var_desc.mock.json b/management/enforce_var_desc/enforce_var_desc.mock.json similarity index 100% rename from management/enforce_var_desc.mock.json rename to management/enforce_var_desc/enforce_var_desc.mock.json diff --git a/management/enforce_var_desc.rego b/management/enforce_var_desc/enforce_var_desc.rego similarity index 100% rename from management/enforce_var_desc.rego rename to management/enforce_var_desc/enforce_var_desc.rego 
diff --git a/management/enforce_var_desc.test.rego b/management/enforce_var_desc/enforce_var_desc.test.rego similarity index 100% rename from management/enforce_var_desc.test.rego rename to management/enforce_var_desc/enforce_var_desc.test.rego diff --git a/management/instance_types.rego b/management/instance_types/instance_types.rego similarity index 100% rename from management/instance_types.rego rename to management/instance_types/instance_types.rego diff --git a/management/instance_types_mock.json b/management/instance_types/instance_types_mock.json similarity index 100% rename from management/instance_types_mock.json rename to management/instance_types/instance_types_mock.json diff --git a/management/instance_types_test.rego b/management/instance_types/instance_types_test.rego similarity index 100% rename from management/instance_types_test.rego rename to management/instance_types/instance_types_test.rego diff --git a/management/pull_requests.rego b/management/pull_requests/pull_requests.rego similarity index 100% rename from management/pull_requests.rego rename to management/pull_requests/pull_requests.rego diff --git a/management/pull_requests_mock.json b/management/pull_requests/pull_requests_mock.json similarity index 100% rename from management/pull_requests_mock.json rename to management/pull_requests/pull_requests_mock.json diff --git a/management/pull_requests_test.rego b/management/pull_requests/pull_requests_test.rego similarity index 100% rename from management/pull_requests_test.rego rename to management/pull_requests/pull_requests_test.rego diff --git a/management/resource_tags.rego b/management/resource_tags_mock/resource_tags.rego similarity index 100% rename from management/resource_tags.rego rename to management/resource_tags_mock/resource_tags.rego 
diff --git a/management/resource_tags_mock.json b/management/resource_tags_mock/resource_tags_mock.json similarity index 100% rename from management/resource_tags_mock.json rename to management/resource_tags_mock/resource_tags_mock.json diff --git a/management/resource_tags_test.rego b/management/resource_tags_mock/resource_tags_test.rego similarity index 100% rename from management/resource_tags_test.rego rename to management/resource_tags_mock/resource_tags_test.rego diff --git a/management/whitelist_ami.rego b/management/whitelist_ami_mock/whitelist_ami.rego similarity index 100% rename from management/whitelist_ami.rego rename to management/whitelist_ami_mock/whitelist_ami.rego diff --git a/management/whitelist_ami_mock.json b/management/whitelist_ami_mock/whitelist_ami_mock.json similarity index 100% rename from management/whitelist_ami_mock.json rename to management/whitelist_ami_mock/whitelist_ami_mock.json diff --git a/management/whitelist_ami_test.rego b/management/whitelist_ami_mock/whitelist_ami_test.rego similarity index 100% rename from management/whitelist_ami_test.rego rename to management/whitelist_ami_mock/whitelist_ami_test.rego diff --git a/management/workspace_destroy.rego b/management/workspace_destroy/workspace_destroy.rego similarity index 100% rename from management/workspace_destroy.rego rename to management/workspace_destroy/workspace_destroy.rego diff --git a/management/workspace_destroy_mock.json b/management/workspace_destroy/workspace_destroy_mock.json similarity index 100% rename from management/workspace_destroy_mock.json rename to management/workspace_destroy/workspace_destroy_mock.json diff --git a/management/workspace_destroy_test.rego b/management/workspace_destroy/workspace_destroy_test.rego similarity index 100% rename from management/workspace_destroy_test.rego rename to management/workspace_destroy/workspace_destroy_test.rego 
diff --git a/management/workspace_environment_type.rego b/management/workspace_environment_type/workspace_environment_type.rego similarity index 100% rename from management/workspace_environment_type.rego rename to management/workspace_environment_type/workspace_environment_type.rego diff --git a/management/workspace_environment_type_mock.json b/management/workspace_environment_type/workspace_environment_type_mock.json similarity index 100% rename from management/workspace_environment_type_mock.json rename to management/workspace_environment_type/workspace_environment_type_mock.json diff --git a/management/workspace_environment_type_test.rego b/management/workspace_environment_type/workspace_environment_type_test.rego similarity index 100% rename from management/workspace_environment_type_test.rego rename to management/workspace_environment_type/workspace_environment_type_test.rego diff --git a/management/workspace_name.rego b/management/workspace_name/workspace_name.rego similarity index 100% rename from management/workspace_name.rego rename to management/workspace_name/workspace_name.rego diff --git a/management/workspace_name_mock.json b/management/workspace_name/workspace_name_mock.json similarity index 100% rename from management/workspace_name_mock.json rename to management/workspace_name/workspace_name_mock.json diff --git a/management/workspace_name_test.rego b/management/workspace_name/workspace_name_test.rego similarity index 100% rename from management/workspace_name_test.rego rename to management/workspace_name/workspace_name_test.rego diff --git a/management/workspace_tags.rego b/management/workspace_tags/workspace_tags.rego similarity index 100% rename from management/workspace_tags.rego rename to management/workspace_tags/workspace_tags.rego 
diff --git a/management/workspace_tags_mock.json b/management/workspace_tags/workspace_tags_mock.json similarity index 100% rename from management/workspace_tags_mock.json rename to management/workspace_tags/workspace_tags_mock.json diff --git a/management/workspace_tags_test.rego b/management/workspace_tags/workspace_tags_test.rego similarity index 100% rename from management/workspace_tags_test.rego rename to management/workspace_tags/workspace_tags_test.rego diff --git a/modules/pin_module_version.rego b/modules/pin_module_version/pin_module_version.rego similarity index 100% rename from modules/pin_module_version.rego rename to modules/pin_module_version/pin_module_version.rego diff --git a/modules/pin_module_version_mock.json b/modules/pin_module_version/pin_module_version_mock.json similarity index 100% rename from modules/pin_module_version_mock.json rename to modules/pin_module_version/pin_module_version_mock.json diff --git a/modules/pin_module_version_test.rego b/modules/pin_module_version/pin_module_version_test.rego similarity index 100% rename from modules/pin_module_version_test.rego rename to modules/pin_module_version/pin_module_version_test.rego diff --git a/modules/required_modules.rego b/modules/required_modules/required_modules.rego similarity index 100% rename from modules/required_modules.rego rename to modules/required_modules/required_modules.rego diff --git a/modules/required_modules_mock.json b/modules/required_modules/required_modules_mock.json similarity index 100% rename from modules/required_modules_mock.json rename to modules/required_modules/required_modules_mock.json diff --git a/modules/required_modules_test.rego b/modules/required_modules/required_modules_test.rego similarity index 100% rename from modules/required_modules_test.rego rename to modules/required_modules/required_modules_test.rego 
diff --git a/placement/cloud_location.rego b/placement/cloud_location/cloud_location.rego similarity index 100% rename from placement/cloud_location.rego rename to placement/cloud_location/cloud_location.rego diff --git a/placement/cloud_location_mock.json b/placement/cloud_location/cloud_location_mock.json similarity index 100% rename from placement/cloud_location_mock.json rename to placement/cloud_location/cloud_location_mock.json diff --git a/placement/cloud_location_test.rego b/placement/cloud_location/cloud_location_test.rego similarity index 100% rename from placement/cloud_location_test.rego rename to placement/cloud_location/cloud_location_test.rego diff --git a/providers/blacklist_provider.rego b/providers/blacklist_provider/blacklist_provider.rego similarity index 100% rename from providers/blacklist_provider.rego rename to providers/blacklist_provider/blacklist_provider.rego diff --git a/providers/blacklist_provider/blacklist_provider_mock.json b/providers/blacklist_provider/blacklist_provider_mock.json new file mode 100644 index 0000000..9cf1be2 --- /dev/null +++ b/providers/blacklist_provider/blacklist_provider_mock.json 
@@ -0,0 +1,205 @@ +{ + "mock": { + "valid_input": { + "tfplan": { + "resource_changes": [ + { + "address": "aws_instance.scalr", + "mode": "managed", + "type": "aws_instance", + "name": "scalr", + "provider_name": "registry.terraform.io/hashicorp/aws", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "ami": "ami-2757f631", + "credit_specification": [], + "disable_api_termination": null, + "ebs_optimized": null, + "get_password_data": false, + "hibernation": null, + "iam_instance_profile": null, + "instance_initiated_shutdown_behavior": null, + "instance_type": "t2.nano", + "key_name": "mykey", + "monitoring": null, + "source_dest_check": true, + "subnet_id": "subnet-0ebb1058ad727asdf", + "tags": null, + "timeouts": null, + "user_data": null, + "user_data_base64": null, + "vpc_security_group_ids": [ + "sg-0880cfdc546b123ba" + ] + }, + "after_unknown": { + "arn": true, + "associate_public_ip_address": true, + "availability_zone": true, + "cpu_core_count": true, + "cpu_threads_per_core": true, + "credit_specification": [], + "ebs_block_device": true, + "ephemeral_block_device": true, + "host_id": true, + "id": true, + "instance_state": true, + "ipv6_address_count": true, + "ipv6_addresses": true, + "metadata_options": true, + "network_interface": true, + "network_interface_id": true, + "outpost_arn": true, + "password_data": true, + "placement_group": true, + "primary_network_interface_id": true, + "private_dns": true, + "private_ip": true, + "public_dns": true, + "public_ip": true, + "root_block_device": true, + "security_groups": true, + "tenancy": true, + "volume_tags": true, + "vpc_security_group_ids": [ + false + ] + } + } + } + ], + "configuration": { + "provider_config": { + "aws": { + "name": "aws", + "expressions": { + "region": { + "constant_value": "us-east-1" + } + } + } + }, + "root_module": { + "resources": [ + { + "address": "aws_instance.scalr", + "mode": "managed", + "type": "aws_instance", + "name": "scalr", + 
"provider_config_key": "aws", + "expressions": { + "ami": { + "constant_value": "ami-2757f631" + }, + "instance_type": { + "constant_value": "t2.nano" + }, + "key_name": { + "constant_value": "mykey" + }, + "subnet_id": { + "constant_value": "subnet-0ebb1058ad727asdf" + }, + "vpc_security_group_ids": { + "constant_value": [ + "sg-0880cfdc546b123ba" + ] + } + }, + "schema_version": 1 + } + ] + } + } + } + }, + "invalid_input": { + "tfplan": { + "resource_changes": [ + { + "address": "azurerm_resource_group.resource_group", + "mode": "managed", + "type": "azurerm_resource_group", + "name": "resource_group", + "provider_name": "registry.terraform.io/hashicorp/azurerm", + "change": { + "actions": [ + "create" + ], + "before": null, + "after": { + "location": "eastus", + "name": "testdevops", + "tags": null, + "timeouts": null + }, + "after_unknown": { + "id": true + } + } + } + ], + "output_changes": { + "azure_rg_id": { + "actions": [ + "create" + ], + "before": null, + "after_unknown": true + } + }, + "configuration": { + "provider_config": { + "azurerm": { + "name": "azurerm", + "expressions": { + "features": [ + {} + ] + } + } + }, + "root_module": { + "outputs": { + "azure_rg_id": { + "expression": { + "references": [ + "azurerm_resource_group.resource_group" + ] + }, + "description": "Azure Resource Group ID" + } + }, + "resources": [ + { + "address": "azurerm_resource_group.resource_group", + "mode": "managed", + "type": "azurerm_resource_group", + "name": "resource_group", + "provider_config_key": "azurerm", + "expressions": { + "location": { + "references": [ + "var.region" + ] + }, + "name": { + "references": [ + "var.name" + ] + } + }, + "schema_version": 0 + } + ] + } + } + } + } + } +} + diff --git a/providers/blacklist_provider_test.rego b/providers/blacklist_provider/blacklist_provider_test.rego similarity index 100% rename from providers/blacklist_provider_test.rego rename to providers/blacklist_provider/blacklist_provider_test.rego 
diff --git a/providers/blacklist_provider_mock.json b/providers/blacklist_provider_mock.json deleted file mode 100644 index 1acc25d..0000000 --- a/providers/blacklist_provider_mock.json +++ /dev/null 
@@ -1,205 +0,0 @@ -{ - "mock": { - "valid_input": { - "tfplan": { - "resource_changes": [ - { - "address": "aws_instance.scalr", - "mode": "managed", - "type": "aws_instance", - "name": "scalr", - "provider_name": "registry.terraform.io/hashicorp/aws", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "ami": "ami-2757f631", - "credit_specification": [], - "disable_api_termination": null, - "ebs_optimized": null, - "get_password_data": false, - "hibernation": null, - "iam_instance_profile": null, - "instance_initiated_shutdown_behavior": null, - "instance_type": "t2.nano", - "key_name": "mykey", - "monitoring": null, - "source_dest_check": true, - "subnet_id": "subnet-0ebb1058ad727asdf", - "tags": null, - "timeouts": null, - "user_data": null, - "user_data_base64": null, - "vpc_security_group_ids": [ - "sg-0880cfdc546b123ba" - ] - }, - "after_unknown": { - "arn": true, - "associate_public_ip_address": true, - "availability_zone": true, - "cpu_core_count": true, - "cpu_threads_per_core": true, - "credit_specification": [], - "ebs_block_device": true, - "ephemeral_block_device": true, - "host_id": true, - "id": true, - "instance_state": true, - "ipv6_address_count": true, - "ipv6_addresses": true, - "metadata_options": true, - "network_interface": true, - "network_interface_id": true, - "outpost_arn": true, - "password_data": true, - "placement_group": true, - "primary_network_interface_id": true, - "private_dns": true, - "private_ip": true, - "public_dns": true, - "public_ip": true, - "root_block_device": true, - "security_groups": true, - "tenancy": true, - "volume_tags": true, - "vpc_security_group_ids": [ - false - ] - } - } - } - ], - "configuration": { - "provider_config": { - "aws": { - "name": "aws", - "expressions": { - "region": { - "constant_value": "us-east-1" - } - } - } - }, - "root_module": { - "resources": [ - { - "address": "aws_instance.scalr", - "mode": "managed", - "type": "aws_instance", - "name": "scalr", - 
"provider_config_key": "aws", - "expressions": { - "ami": { - "constant_value": "ami-2757f631" - }, - "instance_type": { - "constant_value": "t2.nano" - }, - "key_name": { - "constant_value": "mykey" - }, - "subnet_id": { - "constant_value": "subnet-0ebb1058ad727asdf" - }, - "vpc_security_group_ids": { - "constant_value": [ - "sg-0880cfdc546b123ba" - ] - } - }, - "schema_version": 1 - } - ] - } - } - } - }, - "invalid_input": { - "tfplan": { - "resource_changes": [ - { - "address": "azurerm_resource_group.resource_group", - "mode": "managed", - "type": "azurerm_resource_group", - "name": "resource_group", - "provider_name": "registry.terraform.io/hashicorp/azurerm", - "change": { - "actions": [ - "create" - ], - "before": null, - "after": { - "location": "eastus", - "name": "testdevops", - "tags": null, - "timeouts": null - }, - "after_unknown": { - "id": true - } - } - } - ], - "output_changes": { - "azure_rg_id": { - "actions": [ - "create" - ], - "before": null, - "after_unknown": true - } - }, - "configuration": { - "provider_config": { - "azurerm": { - "name": "azurerm", - "expressions": { - "features": [ - {} - ] - } - } - }, - "root_module": { - "outputs": { - "azure_rg_id": { - "expression": { - "references": [ - "azurerm_resource_group.resource_group" - ] - }, - "description": "Azure Resource Group ID" - } - }, - "resources": [ - { - "address": "azurerm_resource_group.resource_group", - "mode": "managed", - "type": "azurerm_resource_group", - "name": "resource_group", - "provider_config_key": "azurerm", - "expressions": { - "location": { - "references": [ - "var.region" - ] - }, - "name": { - "references": [ - "var.name" - ] - } - }, - "schema_version": 0 - } - ] - } - } - } - } - } - } -} diff --git a/user/user.rego b/user/check_user/user.rego similarity index 100% rename from user/user.rego rename to user/check_user/user.rego 
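Review bot: `providers/blacklist_provider_mock.json` is deleted and re-added as a new 205-line file under `providers/blacklist_provider/` instead of being renamed like the neighbouring `blacklist_provider.rego` and `blacklist_provider_test.rego`; as far as the two hunks show, the fixture content is the same apart from whitespace at the end of the new copy. Use a plain rename (and drop the trailing whitespace) so git keeps the file history and a reviewer does not have to compare two 205-line fixtures to confirm that the mock data itself did not change.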
diff --git a/user/user_mock.json b/user/check_user/user_mock.json similarity index 100% rename from user/user_mock.json rename to user/check_user/user_mock.json diff --git a/user/user_test.rego b/user/check_user/user_test.rego similarity index 100% rename from user/user_test.rego rename to user/check_user/user_test.rego From 5b4e37080fee1e610e41c51dc51f072a4ea04655 Mon Sep 17 00:00:00 2001 
From: Viacheslav Lyzohub Date: Tue, 2 Jul 2024 14:03:23 +0300 Subject: [PATCH 3/4] SCALRCORE-31241: Fix CI --- .github/workflows/opa.yml | 53 ++++++++----------- .../scalr-policy.hcl | 6 +++ .../scalr-policy.hcl | 0 aws/enforce_cidr/scalr-policy.hcl | 6 +++ .../enforce_ebs_del_on_term.rego | 0 .../enforce_ebs_del_on_term_mock.json | 0 .../enforce_ebs_del_on_term_test.rego | 0 aws/enforce_ebs_del_on_term/scalr-policy.hcl | 6 +++ .../scalr-policy.hcl | 6 +++ aws/enforce_instance_subnet/scalr-policy.hcl | 6 +++ aws/enforce_kms_key_names/scalr-policy.hcl | 6 +++ aws/enforce_lb_subnets/scalr-policy.hcl | 6 +++ aws/enforce_rds_subnets/scalr-policy.hcl | 6 +++ .../scalr-policy.hcl | 6 +++ aws/enforce_s3_private/scalr-policy.hcl | 6 +++ aws/enforce_sec_group/scalr-policy.hcl | 6 +++ gcp/enforce_gcs_private/scalr-policy.hcl | 6 +++ .../denied_provisioners/scalr-policy.hcl | 6 +++ .../enforce_ami_owners/scalr-policy.hcl | 6 +++ management/enforce_var_desc/scalr-policy.hcl | 6 +++ management/instance_types/scalr-policy.hcl | 6 +++ management/pull_requests/scalr-policy.hcl | 6 +++ .../resource_tags_mock/scalr-policy.hcl | 6 +++ management/scalr-policy.hcl | 42 --------------- .../whitelist_ami_mock/scalr-policy.hcl | 6 +++ management/workspace_destroy/scalr-policy.hcl | 6 +++ .../scalr-policy.hcl | 6 +++ management/workspace_name/scalr-policy.hcl | 6 +++ management/workspace_tags/scalr-policy.hcl | 6 +++ .../{ => pin_module_version}/scalr-policy.hcl | 0 modules/required_modules/scalr-policy.hcl | 6 +++ .../{ => cloud_location}/scalr-policy.hcl | 0 .../{ => blacklist_provider}/scalr-policy.hcl | 0 user/{ => check_user}/scalr-policy.hcl | 2 +- 34 files changed, 166 insertions(+), 75 deletions(-) create mode 100644 aws/enforce_aws_iam_and_workspace/scalr-policy.hcl rename aws/{ => enforce_aws_resource}/scalr-policy.hcl (100%) create mode 100644 aws/enforce_cidr/scalr-policy.hcl rename aws/{enforce_ebs_del_on_term_mock => enforce_ebs_del_on_term}/enforce_ebs_del_on_term.rego 
(100%) rename aws/{enforce_ebs_del_on_term_mock => enforce_ebs_del_on_term}/enforce_ebs_del_on_term_mock.json (100%) rename aws/{enforce_ebs_del_on_term_mock => enforce_ebs_del_on_term}/enforce_ebs_del_on_term_test.rego (100%) create mode 100644 aws/enforce_ebs_del_on_term/scalr-policy.hcl create mode 100644 aws/enforce_iam_instance_profiles/scalr-policy.hcl create mode 100644 aws/enforce_instance_subnet/scalr-policy.hcl create mode 100644 aws/enforce_kms_key_names/scalr-policy.hcl create mode 100644 aws/enforce_lb_subnets/scalr-policy.hcl create mode 100644 aws/enforce_rds_subnets/scalr-policy.hcl create mode 100644 aws/enforce_s3_buckets_encryption/scalr-policy.hcl create mode 100644 aws/enforce_s3_private/scalr-policy.hcl create mode 100644 aws/enforce_sec_group/scalr-policy.hcl create mode 100644 gcp/enforce_gcs_private/scalr-policy.hcl create mode 100644 management/denied_provisioners/scalr-policy.hcl create mode 100644 management/enforce_ami_owners/scalr-policy.hcl create mode 100644 management/enforce_var_desc/scalr-policy.hcl create mode 100644 management/instance_types/scalr-policy.hcl create mode 100644 management/pull_requests/scalr-policy.hcl create mode 100644 management/resource_tags_mock/scalr-policy.hcl delete mode 100644 management/scalr-policy.hcl create mode 100644 management/whitelist_ami_mock/scalr-policy.hcl create mode 100644 management/workspace_destroy/scalr-policy.hcl create mode 100644 management/workspace_environment_type/scalr-policy.hcl create mode 100644 management/workspace_name/scalr-policy.hcl create mode 100644 management/workspace_tags/scalr-policy.hcl rename modules/{ => pin_module_version}/scalr-policy.hcl (100%) create mode 100644 modules/required_modules/scalr-policy.hcl rename placement/{ => cloud_location}/scalr-policy.hcl (100%) rename providers/{ => blacklist_provider}/scalr-policy.hcl (100%) rename user/{ => check_user}/scalr-policy.hcl (79%) 
diff --git a/.github/workflows/opa.yml b/.github/workflows/opa.yml index 2ebe0a4..40c5487 100644 --- a/.github/workflows/opa.yml +++ b/.github/workflows/opa.yml 
@@ -4,36 +4,25 @@ jobs: test: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v2.0.0 - - name: OPA Test - uses: petroprotsakh/opa-test-action@v2.1 + - name: Check out repository code + uses: actions/checkout@v3 + + - name: Setup OPA + uses: open-policy-agent/setup-opa@v2 with: - options: -v - tests: | - cost - external_data - aws/enforce_aws_resource.rego;aws/enforce_aws_resource_test.rego;aws/enforce_aws_resource_mock.json - aws/enforce_aws_iam_and_workspace.rego;aws/enforce_aws_iam_and_workspace_test.rego;aws/enforce_aws_iam_and_workspace_mock.json - aws/enforce_s3_buckets_encryption.rego;aws/enforce_s3_buckets_encryption_test.rego;aws/enforce_s3_buckets_encryption_mock.json - aws/enforce_kms_key_names.rego;aws/enforce_kms_key_names.test.rego;aws/enforce_kms_key_names.mock.json - aws/enforce_iam_instance_profiles.rego;aws/enforce_iam_instance_profiles.test.rego;aws/enforce_iam_instance_profiles.mock.json - aws/enforce_ebs_del_on_term.rego;aws/enforce_ebs_del_on_term.test.rego;aws/enforce_ebs_del_on_term.mock.json - aws/enforce_instance_subnet.rego;aws/enforce_instance_subnet.test.rego;aws/enforce_instance_subnet.mock.json - aws/enforce_lb_subnets.rego;aws/enforce_lb_subnets.test.rego;aws/enforce_lb_subnets.mock.json - aws/enforce_rds_subnets.rego;aws/enforce_rds_subnets.test.rego;aws/enforce_rds_subnets.mock.json - management/denied_provisioners.rego;management/denied_provisioners_test.rego;management/denied_provisioners_mock.json - management/enforce_ami_owners.rego;management/enforce_ami_owners_test.rego;management/enforce_ami_owners_mock.json - management/instance_types.rego;management/instance_types_test.rego;management/instance_types_mock.json - management/resource_tags.rego;management/resource_tags_test.rego;management/resource_tags_mock.json - management/whitelist_ami.rego;management/whitelist_ami_test.rego;management/whitelist_ami_mock.json - 
management/workspace_name.rego;management/workspace_name_test.rego;management/workspace_name_mock.json - management/workspace_destroy.rego;management/workspace_destroy_test.rego;management/workspace_destroy_mock.json - management/pull_requests.rego;management/pull_requests_test.rego;management/pull_requests_mock.json - management/workspace_tags.rego;management/workspace_tags_test.rego;management/workspace_tags_mock.json - management/workspace_environment_type.rego;management/workspace_environment_type_еуіе.rego;management/workspace_environment_type_mock.json - modules/pin_module_version.rego;modules/pin_module_version_test.rego;modules/pin_module_version_mock.json; - modules/required_modules.rego;modules/required_modules_test.rego;modules/required_modules_mock.json; - placement - providers - user + version: latest + + - name: Run OPA Tests + run: | + dirs=$(find . -type f -name '*.rego' -exec dirname {} \; | sort -u) + echo "Directories to be tested:" + for dir in $dirs; do + echo "$dir" + done + for dir in $dirs; do + echo "Running tests in $dir" + if ! opa test $dir/ -v --format pretty; then + echo "Tests failed in $dir" + exit 1 + fi + done diff --git a/aws/enforce_aws_iam_and_workspace/scalr-policy.hcl b/aws/enforce_aws_iam_and_workspace/scalr-policy.hcl new file mode 100644 index 0000000..152bb67 --- /dev/null +++ b/aws/enforce_aws_iam_and_workspace/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_aws_iam_and_workspace" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/scalr-policy.hcl b/aws/enforce_aws_resource/scalr-policy.hcl similarity index 100% rename from aws/scalr-policy.hcl rename to aws/enforce_aws_resource/scalr-policy.hcl diff --git a/aws/enforce_cidr/scalr-policy.hcl b/aws/enforce_cidr/scalr-policy.hcl new file mode 100644 index 0000000..724f9f6 --- /dev/null +++ b/aws/enforce_cidr/scalr-policy.hcl 
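Review bot: The new `Setup OPA` step uses `version: latest`, and both actions are referenced by floating major tags (`actions/checkout@v3`, `open-policy-agent/setup-opa@v2`), so a future OPA release or a moved tag can change what this workflow runs without any change in this repository; pin the OPA version to the one the policies are developed against and reference the actions by full commit SHA. In the `Run OPA Tests` script, `$dir` is unquoted in `opa test $dir/ -v --format pretty` and `for dir in $dirs` relies on word splitting; quoting `"$dir"` costs nothing and keeps the loop correct if a directory with spaces ever appears. Discovering test directories with `find` is the right replacement for the removed hand-maintained list, whose `management/workspace_environment_type_еуіе.rego` entry (Cyrillic letters typed in place of `test`) is exactly the kind of error that list invited.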
@@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_cidr" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego b/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term.rego similarity index 100% rename from aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego rename to aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term.rego diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json b/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_mock.json similarity index 100% rename from aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json rename to aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_mock.json diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego b/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_test.rego similarity index 100% rename from aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego rename to aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_test.rego diff --git a/aws/enforce_ebs_del_on_term/scalr-policy.hcl b/aws/enforce_ebs_del_on_term/scalr-policy.hcl new file mode 100644 index 0000000..5f99320 --- /dev/null +++ b/aws/enforce_ebs_del_on_term/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_ebs_del_on_term" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_iam_instance_profiles/scalr-policy.hcl b/aws/enforce_iam_instance_profiles/scalr-policy.hcl new file mode 100644 index 0000000..db20d56 --- /dev/null +++ b/aws/enforce_iam_instance_profiles/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_iam_instance_profiles" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_instance_subnet/scalr-policy.hcl b/aws/enforce_instance_subnet/scalr-policy.hcl new file mode 100644 index 0000000..8d13a0b --- /dev/null +++ b/aws/enforce_instance_subnet/scalr-policy.hcl 
@@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_instance_subnet" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_kms_key_names/scalr-policy.hcl b/aws/enforce_kms_key_names/scalr-policy.hcl new file mode 100644 index 0000000..e4eb446 --- /dev/null +++ b/aws/enforce_kms_key_names/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_kms_key_names" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_lb_subnets/scalr-policy.hcl b/aws/enforce_lb_subnets/scalr-policy.hcl new file mode 100644 index 0000000..20db842 --- /dev/null +++ b/aws/enforce_lb_subnets/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_lb_subnets" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_rds_subnets/scalr-policy.hcl b/aws/enforce_rds_subnets/scalr-policy.hcl new file mode 100644 index 0000000..fbb62ad --- /dev/null +++ b/aws/enforce_rds_subnets/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_rds_subnets" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_s3_buckets_encryption/scalr-policy.hcl b/aws/enforce_s3_buckets_encryption/scalr-policy.hcl new file mode 100644 index 0000000..77b5b62 --- /dev/null +++ b/aws/enforce_s3_buckets_encryption/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_s3_buckets_encryption" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_s3_private/scalr-policy.hcl b/aws/enforce_s3_private/scalr-policy.hcl new file mode 100644 index 0000000..d4eeff9 --- /dev/null +++ b/aws/enforce_s3_private/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_s3_private" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/aws/enforce_sec_group/scalr-policy.hcl b/aws/enforce_sec_group/scalr-policy.hcl new file mode 100644 index 0000000..b984235 --- /dev/null +++ b/aws/enforce_sec_group/scalr-policy.hcl 
@@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_sec_group" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/gcp/enforce_gcs_private/scalr-policy.hcl b/gcp/enforce_gcs_private/scalr-policy.hcl new file mode 100644 index 0000000..6d5fafd --- /dev/null +++ b/gcp/enforce_gcs_private/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_gcs_private" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/denied_provisioners/scalr-policy.hcl b/management/denied_provisioners/scalr-policy.hcl new file mode 100644 index 0000000..e6cae56 --- /dev/null +++ b/management/denied_provisioners/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "denied_provisioners" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/enforce_ami_owners/scalr-policy.hcl b/management/enforce_ami_owners/scalr-policy.hcl new file mode 100644 index 0000000..d35493b --- /dev/null +++ b/management/enforce_ami_owners/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_ami_owners" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/enforce_var_desc/scalr-policy.hcl b/management/enforce_var_desc/scalr-policy.hcl new file mode 100644 index 0000000..4e5bce7 --- /dev/null +++ b/management/enforce_var_desc/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "enforce_var_desc" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/instance_types/scalr-policy.hcl b/management/instance_types/scalr-policy.hcl new file mode 100644 index 0000000..d89ea45 --- /dev/null +++ b/management/instance_types/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "instance_types" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/pull_requests/scalr-policy.hcl b/management/pull_requests/scalr-policy.hcl new file mode 100644 index 0000000..ca0e1cf --- /dev/null 
+++ b/management/pull_requests/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "pull_requests" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/resource_tags_mock/scalr-policy.hcl b/management/resource_tags_mock/scalr-policy.hcl new file mode 100644 index 0000000..75457c1 --- /dev/null +++ b/management/resource_tags_mock/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "resource_tags_mock" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/scalr-policy.hcl b/management/scalr-policy.hcl deleted file mode 100644 index 4b580d4..0000000 --- a/management/scalr-policy.hcl +++ /dev/null @@ -1,42 +0,0 @@ -version = "v1" - - -policy "enforce_ami_owners" { - enabled = true - enforcement_level = "hard-mandatory" -} - -policy "workspace_destroy" { - enabled = true - enforcement_level = "hard-mandatory" -} - -policy "instance_types" { - enabled = true - enforcement_level = "hard-mandatory" -} - -policy "resource_tags" { - enabled = true - enforcement_level = "hard-mandatory" -} - -policy "whitelist_ami" { - enabled = true - enforcement_level = "hard-mandatory" -} - -policy "workspace_name" { - enabled = true - enforcement_level = "soft-mandatory" -} - -policy "workspace_tags" { - enabled = true - enforcement_level = "soft-mandatory" -} - -policy "denied_provisioners" { - enabled = true - enforcement_level = "hard-mandatory" -} diff --git a/management/whitelist_ami_mock/scalr-policy.hcl b/management/whitelist_ami_mock/scalr-policy.hcl new file mode 100644 index 0000000..13ac1ff --- /dev/null +++ b/management/whitelist_ami_mock/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "whitelist_ami_mock" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/workspace_destroy/scalr-policy.hcl b/management/workspace_destroy/scalr-policy.hcl new file mode 100644 index 0000000..6796782 --- /dev/null +++ b/management/workspace_destroy/scalr-policy.hcl 
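Review bot: The new `management/resource_tags_mock/scalr-policy.hcl` and `management/whitelist_ami_mock/scalr-policy.hcl` declare `policy "resource_tags_mock"` and `policy "whitelist_ami_mock"`, whereas the deleted `management/scalr-policy.hcl` declared the same policies as `resource_tags` and `whitelist_ami`, and the `.rego` files inside those directories are still `resource_tags.rego` and `whitelist_ami.rego`. Keep the original policy names (and rename the directories to match) so the policy identifiers do not silently change for anyone who already references them.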
@@ -0,0 +1,6 @@ +version = "v1" + +policy "workspace_destroy" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/workspace_environment_type/scalr-policy.hcl b/management/workspace_environment_type/scalr-policy.hcl new file mode 100644 index 0000000..1a59477 --- /dev/null +++ b/management/workspace_environment_type/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "workspace_environment_type" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/management/workspace_name/scalr-policy.hcl b/management/workspace_name/scalr-policy.hcl new file mode 100644 index 0000000..d59bd4d --- /dev/null +++ b/management/workspace_name/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "workspace_name" { + enabled = true + enforcement_level = "soft-mandatory" +} diff --git a/management/workspace_tags/scalr-policy.hcl b/management/workspace_tags/scalr-policy.hcl new file mode 100644 index 0000000..857c4db --- /dev/null +++ b/management/workspace_tags/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "workspace_tags" { + enabled = true + enforcement_level = "soft-mandatory" +} diff --git a/modules/scalr-policy.hcl b/modules/pin_module_version/scalr-policy.hcl similarity index 100% rename from modules/scalr-policy.hcl rename to modules/pin_module_version/scalr-policy.hcl diff --git a/modules/required_modules/scalr-policy.hcl b/modules/required_modules/scalr-policy.hcl new file mode 100644 index 0000000..5ab7bc2 --- /dev/null +++ b/modules/required_modules/scalr-policy.hcl @@ -0,0 +1,6 @@ +version = "v1" + +policy "required_modules" { + enabled = true + enforcement_level = "hard-mandatory" +} diff --git a/placement/scalr-policy.hcl b/placement/cloud_location/scalr-policy.hcl similarity index 100% rename from placement/scalr-policy.hcl rename to placement/cloud_location/scalr-policy.hcl 
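Review bot: The deleted `management/scalr-policy.hcl` declared eight policies; the per-directory files also add `enforce_var_desc`, `pull_requests` and `workspace_environment_type` as `hard-mandatory`, none of which was declared before, so anyone consuming this repository as a policy group now has those checks enforced rather than absent. If that is intended, say so in the commit message; otherwise introduce them at `soft-mandatory`, as `workspace_name` and `workspace_tags` correctly remain in the split.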
diff --git a/providers/scalr-policy.hcl b/providers/blacklist_provider/scalr-policy.hcl similarity index 100% rename from providers/scalr-policy.hcl rename to providers/blacklist_provider/scalr-policy.hcl diff --git a/user/scalr-policy.hcl b/user/check_user/scalr-policy.hcl similarity index 79% rename from user/scalr-policy.hcl rename to user/check_user/scalr-policy.hcl index ef9e01d..0b16c01 100644 --- a/user/scalr-policy.hcl +++ b/user/check_user/scalr-policy.hcl @@ -1,6 +1,6 @@ version = "v1" -policy "user" { +policy "check_user" { enabled = true enforcement_level = "hard-mandatory" } From 5bcb60f76c3657a2d224de451503df9bf27771eb Mon Sep 17 00:00:00 2001 From: Viacheslav Lyzohub Date: Tue, 2 Jul 2024 14:20:37 +0300 Subject: [PATCH 4/4] SCALRCORE-31241: Fix README.md --- README.md | 64 +++++++++++++++++++++++++++---------------------------- 1 file changed, 32 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 30069ac..1c43bb9 100644 --- a/README.md +++ b/README.md 
@@ -39,36 +39,36 @@ Many policies contain arrays of values that are checked against resources. The a | Policy | Description | | -------------------------------------- | ------------------------------------------------------------------------ | -| [aws/enforce_aws_iam_and_workspace.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_aws_iam_and_workspace.rego) | Checks valid IAM roles for provider and workspace. | -| [aws/enforce_aws_resource.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_aws_resource.rego) | Check resource types against an allowed list. | -| [aws/enforce_cidr.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_cidr.rego) | Check security group CIDR blocks contain allowed CIDR's. | -| [aws/enforce_ebs_del_on_term.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_ebs_del_on_term.rego) | Check `delete_on_termination = true` is set for EBS volumes. | -| [aws/enforce_iam_instance_profiles.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_iam_instance_profiles.rego) | Check IAM instance profile is in allowed list. | -| [aws/enforce_instance_subnets.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_instance_subnets.rego) | Check instances are using allowed subnets | -| [aws/enforce_kms_key_names.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_kms_key_names.rego) | Check KMS keys (by name) against allowed list. | -| [aws/enforce_lb_subnets.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_lb_subnets.rego) | Check Loadbalancers are using allowed subnets | -| [aws/enforce_s3_buckets_encryption.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_s3_buckets_encryption.rego) | Check encryption is set for S3 buckets. 
| -| [aws/enforce_s3_private.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_s3_private.rego) | Check S3 buckets are not public. | -| [aws/enforce_sec_group.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_sec_group.rego) | Check security groups have been specified and are in allowed list. | -| [aws/enforce_rds_subnets.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_rds_subnets.rego) | Check RDS clusters are using allowed subnets | -| [cost/limit_monthly_cost.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/cost/limit_monthly_cost.rego) | Check estimated cost against an upper limit. | -| [external_data/random_decision.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/external_data/random_decision.rego) | Example of using external data (HTTP GET) in a policy. | -| [gcp/enforce_gcs_private.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/gcp/enforce_gcs_private.rego) | Check GCS buckets are not public. | -| [management/denied_provisioners.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/denied_provisioners.rego) | Checks provisioner types against an allowed list. | -| [management/enforce_ami_owners.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/enforce_ami_owners.rego) | Checks AMI's being used belong to allowed list of AMI owners. | -| [management/enforce_var_desc.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/enforce_var_desc.rego) | Checks variables have descriptions. | -| [management/instance_types.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/instance_types.rego) | Checks instance types/sizes against allowed list. AWS, Azure and GCP. 
| -| [management/resource_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/resource_tags.rego) | Checks required tags are configured for all clouds. | -| [management/whitelist_ami.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/whitelist_ami.rego) | Checks AMI against allowed list or configured from data source. | -| [management/workspace_name.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_name.rego) | Simple example of using `tfrun` data and validating a workspace name. | -| [management/workspace_environment.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_environment_type.rego) | Checks workspace environment type and enforces cost limits based on environment. | -| [management/workspace_destroy.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_destroy.rego) | Checks workspace has an active state and denies its destroy, if active state is present. | -| [management/workspace_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_tags.rego) | Checks workspace is tagged with provider name. | -| [modules/pin_module_version.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/modules/pin_module_version.rego) | Enforces use of specific module versions. | -| [modules/required_modules.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/modules/required_modules.rego) | Checks resources are only be created via specific modules. | -| [placement/cloud_location.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/placement/cloud_location.rego) | Checks resources are deployed to specific regions in each cloud. | -| [providers/blacklist_provider.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/providers/blacklist_provider.rego) | Implements a provider blacklist. 
| -| [user/user.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/user/user.rego) | Restricts which users can trigger terraform runs. Works for CLI and VCS. | +| [aws/enforce_aws_iam_and_workspace.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_aws_iam_and_workspace/enforce_aws_iam_and_workspace.rego) | Checks valid IAM roles for provider and workspace. | +| [aws/enforce_aws_resource.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_aws_resource/enforce_aws_resource.rego) | Check resource types against an allowed list. | +| [aws/enforce_cidr.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_cidr/enforce_cidr.rego) | Check security group CIDR blocks contain allowed CIDR's. | +| [aws/enforce_ebs_del_on_term.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term.rego) | Check `delete_on_termination = true` is set for EBS volumes. | +| [aws/enforce_iam_instance_profiles.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_iam_instance_profiles/enforce_iam_instance_profiles.rego) | Check IAM instance profile is in allowed list. | +| [aws/enforce_instance_subnets.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_instance_subnet/enforce_instance_subnet.rego) | Check instances are using allowed subnets | +| [aws/enforce_kms_key_names.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_kms_key_names/enforce_kms_key_names.rego) | Check KMS keys (by name) against allowed list. 
| +| [aws/enforce_lb_subnets.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_lb_subnets/enforce_lb_subnets.rego) | Check Loadbalancers are using allowed subnets | +| [aws/enforce_s3_buckets_encryption.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_s3_buckets_encryption/enforce_s3_buckets_encryption.rego) | Check encryption is set for S3 buckets. | +| [aws/enforce_s3_private.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_s3_private/enforce_s3_private.rego) | Check S3 buckets are not public. | +| [aws/enforce_sec_group.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_sec_group/enforce_sec_group.rego) | Check security groups have been specified and are in allowed list. | +| [aws/enforce_rds_subnets.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/aws/enforce_rds_subnets/enforce_rds_subnets.rego) | Check RDS clusters are using allowed subnets | +| [cost/limit_monthly_cost.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/cost/limit_monthly_cost/limit_monthly_cost.rego) | Check estimated cost against an upper limit. | +| [external_data/random_decision.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/external_data/random_decision/random_decision.rego) | Example of using external data (HTTP GET) in a policy. | +| [gcp/enforce_gcs_private.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/gcp/enforce_gcs_private/enforce_gcs_private.rego) | Check GCS buckets are not public. | +| [management/denied_provisioners.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/denied_provisioners/denied_provisioners.rego) | Checks provisioner types against an allowed list. 
| +| [management/enforce_ami_owners.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/enforce_ami_owners/enforce_ami_owners.rego) | Checks AMI's being used belong to allowed list of AMI owners. | +| [management/enforce_var_desc.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/enforce_var_desc/enforce_var_desc.rego) | Checks variables have descriptions. | +| [management/instance_types.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/instance_types/instance_types.rego) | Checks instance types/sizes against allowed list. AWS, Azure and GCP. | +| [management/resource_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/resource_tags_mock/resource_tags.rego) | Checks required tags are configured for all clouds. | +| [management/whitelist_ami.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/whitelist_ami_mock/whitelist_ami.rego) | Checks AMI against allowed list or configured from data source. | +| [management/workspace_name.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_name/workspace_name.rego) | Simple example of using `tfrun` data and validating a workspace name. | +| [management/workspace_environment.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_environment_type/workspace_environment_type.rego) | Checks workspace environment type and enforces cost limits based on environment. | +| [management/workspace_destroy.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_destroy/workspace_destroy.rego) | Checks workspace has an active state and denies its destroy, if active state is present. | +| [management/workspace_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_tags/workspace_tags.rego) | Checks workspace is tagged with provider name. 
| +| [modules/pin_module_version.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/modules/pin_module_version/pin_module_version.rego) | Enforces use of specific module versions. | +| [modules/required_modules.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/modules/required_modules/required_modules.rego) | Checks resources are only be created via specific modules. | +| [placement/cloud_location.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/placement/cloud_location/cloud_location.rego) | Checks resources are deployed to specific regions in each cloud. | +| [providers/blacklist_provider.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/providers/blacklist_provider/blacklist_provider.rego) | Implements a provider blacklist. | +| [user/user.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/user/check_user/user.rego) | Restricts which users can trigger terraform runs. Works for CLI and VCS. | ## Contributions @@ -100,8 +100,8 @@ Better still have a go at fixing bug or implementing new policy examples yoursel If you submit a new policy you must include the following files. * The `*.rego` file with the policy code. -* `*.mock.json` containing test data mocks. You should include data for both valid and invalid evaluation of each rule in the policy. -* `*.test.rego` defining the tests to be run and expected results when the PR checks are performed. +* `*_mock.json` containing test data mocks. You should include data for both valid and invalid evaluation of each rule in the policy. +* `*_test.rego` defining the tests to be run and expected results when the PR checks are performed. To submit a PR follow the standard process.
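Review bot: the rename hunk for `user/check_user/scalr-policy.hcl` changes the policy name from `user` to `check_user`, but the README hunk below still points the same policy at `user/check_user/user.rego`, so directory, policy name and `.rego` basename no longer agree for this one entry while every other policy in the table uses the `<name>/<name>.rego` layout. Either rename the file to `check_user.rego` or keep `policy "user"`; whichever is chosen, the `.hcl`, the file and the README row should use the same identifier. The `providers/scalr-policy.hcl` move is a pure rename (similarity 100%), so it is worth confirming that its `policy` block already reads `blacklist_provider` rather than something left over from the flat layout.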
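Review bot: several of the rewritten link targets in the `@@ -39,36 +39,36 @@` table hunk do not follow the `<name>/<name>.rego` pattern the rest of the rows use and look like they will 404: `management/resource_tags_mock/resource_tags.rego` and `management/whitelist_ami_mock/whitelist_ami.rego` point into `_mock` directories, `aws/enforce_instance_subnet/enforce_instance_subnet.rego` is singular while the link text says `enforce_instance_subnets.rego`, and the `management/workspace_environment.rego` link text still does not match its target `workspace_environment_type.rego`. Since the commit's whole purpose is to fix these paths, please align the directory names with the table (or the table with the directories) and run a link check before merging. The link text itself also still shows the old flat paths (`aws/enforce_cidr.rego`) even though the files now live one level deeper; showing the real path, and fixing the carried-over typos in the description column ("CIDR's", "AMI's", "are only be created"), would be cheap while every row is being touched anyway.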
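Review bot: in the `@@ -100,8 +100,8 @@` hunk the switch to `*_mock.json` and `*_test.rego` fixes the filename convention, but the contribution checklist is still incomplete for the new layout: the rename hunks above show a `scalr-policy.hcl` sitting next to each policy, and the table hunk shows every policy in its own `<policy_name>/` directory, yet neither fact is stated here. Suggest adding a bullet for `scalr-policy.hcl` (with `enabled` and `enforcement_level`, as in the `check_user` example) and a sentence that all four files go in a subdirectory named after the policy, e.g. `management/workspace_name/workspace_name.rego`, `workspace_name_mock.json`, `workspace_name_test.rego`, `scalr-policy.hcl`, so new contributors produce the structure the PR checks expect.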