forked from networknuts/terraform
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathsentinel-samples
126 lines (104 loc) · 3.14 KB
/
sentinel-samples
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
###############################################
Policy to check tags on all aws instances
###############################################
import "tfplan"
main = rule {
all tfplan.resources.aws_instance as _, instances {
all instances as _, r {
(length(r.applied.tags) else 0) >= 1
}
}
}
##################################################
Policy to allow certain instance types
##################################################
# Imports mock data
import "tfplan/v2" as tfplan
# Get all AWS instances from all modules
ec2_instances = filter tfplan.resource_changes as _, rc {
rc.type is "aws_instance" and
(rc.change.actions contains "create" or rc.change.actions is ["update"])
}
# Mandatory Instance Tags
mandatory_tags = [
"Name",
]
# Allowed Types
allowed_types = [
"t2.micro",
"t2.small",
"t2.medium",
]
# Rule to enforce "Name" tag on all instances
mandatory_instance_tags = rule {
all ec2_instances as _, instance {
all mandatory_tags as mt {
instance.change.after.tags contains mt
}
}
}
# Rule to restrict instance types
instance_type_allowed = rule {
all ec2_instances as _, instance {
instance.change.after.instance_type in allowed_types
}
}
# Main rule that requires other rules to be true
main = rule {
(instance_type_allowed and mandatory_instance_tags) else true
}
#####################################
Policy to allow certain regions
#####################################
# This policy restricts the AWS region based on the region set for
# instances of the AWS provider in the root module of the workspace.
# It does not check providers in nested modules.
import "tfconfig"
import "tfplan"
import "strings"
# Initialize array of regions found in AWS providers
region_values = []
# Allowed Regions
allowed_regions = [
"us-east-1",
"ap-south-1",
"us-west-1",
"us-west-2",
]
# Iterate through all AWS providers in root module
if ((length(tfconfig.providers) else 0) > 0) {
providers = tfconfig.providers
if "aws" in keys(providers) {
aws = tfconfig.providers.aws
aliases = aws["alias"]
for aliases as alias, data {
print ( "alias is: ", alias )
region = data["config"]["region"]
if region matches "\\$\\{var\\.(.*)\\}" {
# AWS provider was configured with variable
print ( "region is a variable" )
region_variable = strings.trim_suffix(strings.trim_prefix(region, "${var."), "}")
print ( "region variable is: ", region_variable )
print ( "Value of region is: ", tfplan.variables[region_variable] )
region_value = tfplan.variables[region_variable]
region_values += [region_value]
} else {
print ( "region is a hard-coded value" )
print ( "Value of region is: ", region )
region_value = region
region_values += [region_value]
}
}
}
}
# Print all regions found in AWS providers
print ( "region_values is: ", region_values )
aws_region_valid = rule {
all region_values as rv {
rv in allowed_regions
}
}
main = rule {
(aws_region_valid) else true
}
##################################