import ipaddress

from pulumi_policy import (
    EnforcementLevel,
    PolicyPack,
    ReportViolation,
    ResourceValidationArgs,
    ResourceValidationPolicy,
)
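# Policy 1: Discouraged Public Internet Access
_ANY_IPV4 = "0.0.0.0/0"
_ANY_IPV6 = "::/0"


def no_public_ingress_validator(args: "ResourceValidationArgs", report_violation: "ReportViolation"):
    """Flag security-group ingress rules whose source is the whole internet.

    Only ``aws:ec2/securityGroup:SecurityGroup`` resources are inspected. Each
    inline ``ingress`` rule is checked for an IPv4 ``0.0.0.0/0`` source in
    ``cidrBlocks`` and an IPv6 ``::/0`` source in ``ipv6CidrBlocks``; one
    violation is reported per offending address family per rule.

    Args:
        args: Resource under validation (resource type and input properties).
        report_violation: Callback used to record a policy violation.
    """
    if args.resource_type != "aws:ec2/securityGroup:SecurityGroup":
        return
    # NOTE(review): rules defined as standalone resources (e.g.
    # aws:ec2/securityGroupRule:SecurityGroupRule) are not covered by this
    # policy; confirm whether they should be added.
    # `ingress` and the per-rule block lists may be absent or explicitly None;
    # both mean "nothing to check", so fall back to an empty list.
    for rule in args.props.get("ingress") or []:
        v4_blocks = rule.get("cidrBlocks") or []
        v6_blocks = rule.get("ipv6CidrBlocks") or []
        if _ANY_IPV4 in v4_blocks:
            report_violation("Ingress with 0.0.0.0/0 is discouraged.")
        if _ANY_IPV6 in v6_blocks:
            report_violation("Ingress with ::/0 is discouraged.")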
# Advisory level: a violation is reported but does not block the deployment.
no_public_ingress = ResourceValidationPolicy(
    name="discouraged-public-internet",
    validate=no_public_ingress_validator,
    enforcement_level=EnforcementLevel.ADVISORY,
    description="Ingress rules with public internet access are discouraged.",
)
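# Policy 2: VPC Sizing
# Smallest allowed prefix length: a prefix shorter than /22 is a larger-than-allowed VPC.
_MIN_VPC_PREFIX_LEN = 22


def vpc_sizing_validator(args: "ResourceValidationArgs", report_violation: "ReportViolation"):
    """Flag VPCs whose address space is larger than a /22.

    Only ``aws:ec2/vpc:Vpc`` resources are inspected. The prefix length is read
    from ``cidrBlock`` when present; otherwise ``ipv4NetmaskLength`` (used when
    the CIDR is allocated from an IPAM pool) is checked so that such VPCs do not
    bypass the policy. A ``cidrBlock`` that does not parse as a network -- for
    example a value that is not yet known during preview -- is skipped instead
    of crashing the policy run.

    Args:
        args: Resource under validation (resource type and input properties).
        report_violation: Callback used to record a policy violation.
    """
    if args.resource_type != "aws:ec2/vpc:Vpc":
        return
    cidr_block = args.props.get("cidrBlock")
    if cidr_block:
        try:
            # strict=False tolerates host bits set in the address part.
            prefix_len = ipaddress.ip_network(cidr_block, strict=False).prefixlen
        except ValueError:
            # Not a literal CIDR (malformed, or unresolved at preview time): nothing to size.
            return
        if prefix_len < _MIN_VPC_PREFIX_LEN:
            report_violation(f"VPC CIDR block {cidr_block} is too large. Must be /22 or smaller.")
        return
    netmask_length = args.props.get("ipv4NetmaskLength")
    if isinstance(netmask_length, int) and netmask_length < _MIN_VPC_PREFIX_LEN:
        report_violation(f"VPC netmask length /{netmask_length} is too large. Must be /22 or smaller.")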
# Advisory level: a violation is reported but does not block the deployment.
vpc_sizing = ResourceValidationPolicy(
    name="vpc-sizing",
    validate=vpc_sizing_validator,
    enforcement_level=EnforcementLevel.ADVISORY,
    description="VPCs must be of appropriate size. Must be /22 or smaller.",
)
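# Policy 3: Prohibited Services
# Resource types that must not be created. Add entries here to prohibit more
# services; keep the policy description in step with this set.
PROHIBITED_RESOURCE_TYPES = frozenset({
    "aws:iot/domainConfiguration:DomainConfiguration",
})


def prohibited_services_validator(args: "ResourceValidationArgs", report_violation: "ReportViolation"):
    """Report any resource whose type is listed in ``PROHIBITED_RESOURCE_TYPES``.

    Args:
        args: Resource under validation; only ``resource_type`` is consulted.
        report_violation: Callback used to record a policy violation.
    """
    if args.resource_type in PROHIBITED_RESOURCE_TYPES:
        report_violation(f"Use of {args.resource_type} is prohibited.")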
# Advisory level: a violation is reported but does not block the deployment.
prohibited_services = ResourceValidationPolicy(
    name="prohibited-services",
    validate=prohibited_services_validator,
    enforcement_level=EnforcementLevel.ADVISORY,
    description="Prohibit restricted services. Use of aws:iot/domainConfiguration:DomainConfiguration is prohibited.",
)
# Assemble the policies into a Policy Pack
# The bare constructor call is intentional: the pack is registered as a side
# effect of construction and its return value is not needed.
_policies = [
    no_public_ingress,
    vpc_sizing,
    prohibited_services,
]
PolicyPack(name="network-and-restrictions", policies=_policies)