forked from GoogleCloudPlatform/policy-library
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gcp_compute_disk_resource_policies_v1.yaml
117 lines (105 loc) · 5.09 KB
/
gcp_compute_disk_resource_policies_v1.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This template is for policies auditing Persistent Disk resource
# policies (eg. snapshot schedules). It supports allowlist or denylist
# modes, as well as exempting selected assets from the list.
apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
metadata:
name: gcp-compute-disk-resource-policies-v1
spec:
crd:
spec:
names:
kind: GCPComputeDiskResourcePoliciesConstraintV1
validation:
openAPIV3Schema:
properties:
mode:
type: string
enum: [denylist, allowlist]
description: "String identifying the operational mode, allowlist or denylist. In allowlist mode,
disk resource policies are only allowed in the policies specified in the 'resource_policies' parameter.
In denylist mode, all disk resources policies are allowed except those listed in the 'resource_policies'
parameter."
exemptions:
type: array
items:
type: string
description: "Array of disk assets to exempt from resource policies restriction. String values in the array
should correspond to the full name values of exempted policies."
resourcePolicies:
type: array
items:
type: string
description: "Array of resource policies to be allowed or denied. Should be the full URL syntax,
e.g. https://www.googleapis.com/compute/v1/projects/my-project/regions/europe-north1/resourcePolicies/snapshot-schedule."
targets:
validation.gcp.forsetisecurity.org:
rego: | #INLINE("validator/compute_disk_resource_policies.rego")
#
# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package templates.gcp.GCPComputeDiskResourcePoliciesConstraintV1
import data.validator.gcp.lib as lib
#####################################
# Find Compute Persistent Disk Resource Policy Violations
#####################################
deny[{
"msg": message,
"details": metadata,
}] {
constraint := input.constraint
lib.get_constraint_params(constraint, params)
# Verify that resource is Disk or RegionDisk
asset := input.asset
{asset.asset_type} == {asset.asset_type} & {"compute.googleapis.com/Disk", "compute.googleapis.com/RegionDisk"}
# Check if resource is in exempt list
exempt_list := params.exemptions
matches := {asset.name} & cast_set(exempt_list)
count(matches) == 0
# Check that resource policy is in allowlist/denylist
asset_resource_policies := lib.get_default(asset.resource.data, "resourcePolicies", [""])
target_resource_policies := params.resourcePolicies
resource_policies_matches := cast_set(asset_resource_policies) & cast_set(target_resource_policies)
target_resource_policies_match_count(params.mode, desired_count)
count(resource_policies_matches) == desired_count
message := sprintf("%v has an empty or disallowed resource policy.", [asset.name])
metadata := {"resource": asset.name, "resource_policies": asset_resource_policies}
}
#################
# Rule Utilities
#################
# Determine the overlap between resource policies under test and constraint
# By default (allowlist), we violate if there isn't overlap
target_resource_policies_match_count(mode) = 0 {
mode != "denylist"
}
target_resource_policies_match_count(mode) = 1 {
mode == "denylist"
}
#ENDINLINE