forked from GoogleCloudPlatform/policy-library
-
Notifications
You must be signed in to change notification settings - Fork 0
/
gcp_compute_zone_v1.yaml
118 lines (106 loc) · 4.71 KB
/
gcp_compute_zone_v1.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This template is for policies restricting the locations
# of compute (VM instance / persistent disk) resources to
# specific zones in GCP. It supports allowlist or denylist
# modes, as well as exempting selected assets from the list.
apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
metadata:
name: gcp-compute-zone-v1
spec:
crd:
spec:
names:
kind: GCPComputeZoneConstraintV1
validation:
openAPIV3Schema:
properties:
mode:
type: string
enum: [denylist, allowlist]
description: "String identifying the operational mode, allowlist or denylist. In allowlist mode,
resources are only allowed in the zones specified in the 'zones' parameter. In denylist mode, resources
are allowed in all zones except those listed in the 'zones' parameter."
exemptions:
type: array
items:
type: string
description: "Array of compute assets to exempt from zonal restriction. String values in the array should
correspond to the full name values of exempted devices."
zones:
type: array
items:
type: string
description: "Array of zone names to be allowed or denied. Should be the simple form of the zone name,
e.g. asia-east1-b."
targets:
validation.gcp.forsetisecurity.org:
rego: | #INLINE("validator/compute_zone.rego")
#
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package templates.gcp.GCPComputeZoneConstraintV1
import data.validator.gcp.lib as lib
#####################################
# Find Compute Asset Zone Violations
#####################################
deny[{
"msg": message,
"details": metadata,
}] {
constraint := input.constraint
lib.get_constraint_params(constraint, params)
# Verify that resource is Instance or Disk
asset := input.asset
{asset.asset_type} == {asset.asset_type} & {"compute.googleapis.com/Instance", "compute.googleapis.com/Disk"}
# Check if resource is in exempt list
exempt_list := params.exemptions
matches := {asset.name} & cast_set(exempt_list)
count(matches) == 0
# Check that zone is in allowlist/denylist
target_zones := params.zones
asset_zone_tokens := split(asset.resource.data.zone, "/")
asset_zone := asset_zone_tokens[minus(count(asset_zone_tokens), 1)]
zone_matches := {asset_zone} & cast_set(target_zones)
target_zone_match_count(params.mode, desired_count)
count(zone_matches) == desired_count
message := sprintf("%v is in a disallowed zone.", [asset.name])
metadata := {"zone": asset_zone}
}
#################
# Rule Utilities
#################
# Determine the overlap between zones under test and constraint
# By default (allowlist), we violate if there isn't overlap
target_zone_match_count(mode) = 0 {
mode != "denylist"
}
target_zone_match_count(mode) = 1 {
mode == "denylist"
}
#ENDINLINE