semgrep
# Semgrep rules in generic mode for Terraform (main.tf only).
# In generic mode `...` matches any run of text, so each rule is a
# textual check on the HCL rather than a parsed Terraform model.
rules:
  # Every google_compute_firewall resource must set project = "myproject".
  - id: wrong-project
    patterns:
      - pattern-inside: resource "google_compute_firewall" "..." {...}
      - pattern-inside: project="..."
      - pattern-not: project = "myproject"
    languages:
      - generic
    paths:
      include:
        - 'main.tf'
    message: |
      Firewall rule must use myproject as the target project.
    severity: ERROR

  # An allow block that does not contain protocol = "tcp" is flagged.
  - id: banned-protocol
    patterns:
      - pattern-inside: allow { ... }
      - pattern-not-inside: allow { ... protocol = "tcp" ... }
    languages:
      - generic
    paths:
      include:
        - 'main.tf'
    message: |
      Firewall rule must use TCP as protocol
    severity: ERROR

  # A literal 80 anywhere inside an allow block is flagged.
  - id: banned-80
    patterns:
      - pattern-inside: allow { ... }
      - pattern: "80"
    languages:
      - generic
    paths:
      include:
        - 'main.tf'
    message: |
      Firewall rule must not allow port 80
    severity: ERROR

  # A literal 22 anywhere inside an allow block is flagged.
  - id: banned-22
    patterns:
      - pattern-inside: allow { ... }
      - pattern: "22"
    languages:
      - generic
    paths:
      include:
        - 'main.tf'
    message: |
      Firewall rule must not allow port 22
    severity: ERROR

  # A firewall resource without a target_service_accounts list is flagged.
  - id: no-serviceaccount
    patterns:
      - pattern-inside: resource "google_compute_firewall" "..." {...}
      - pattern-not-inside: resource "google_compute_firewall" "..." {... target_service_accounts=[...] ... }
    languages:
      - generic
    paths:
      include:
        - 'main.tf'
    message: |
      Firewall rule must use a service account as the target.
    severity: ERROR

  # Any provisioner block in main.tf is flagged.
  - id: no-provisioners
    patterns:
      - pattern-inside: provisioner "..."
    languages:
      - generic
    paths:
      include:
        - 'main.tf'
    message: |
      Provisioners are not allowed.
    severity: ERROR
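A constructed main.tf, added here as an example and not part of the gist: the first resource carries the setting each rule above targets, the second is the compliant form. The network name, the "otherproject" ID and the service account address are placeholders.

```hcl
# Constructed sample input for the Semgrep rules above (not from the gist).
# Resource "bad" carries one finding per rule: wrong project, a non-TCP
# protocol, ports 80 and 22, no target_service_accounts, and a provisioner.
resource "google_compute_firewall" "bad" {
  name    = "bad-allow"
  network = "default"            # placeholder network
  project = "otherproject"       # wrong-project: not "myproject"

  allow {
    protocol = "udp"             # banned-protocol: no protocol = "tcp"
    ports    = ["80", "22"]      # banned-80 and banned-22
  }

  source_ranges = ["0.0.0.0/0"]
  # no-serviceaccount: target_service_accounts is absent

  provisioner "local-exec" {     # no-provisioners
    command = "echo applied"
  }
}

# Resource "good" is the corrected form: right project, TCP only,
# no port 80 or 22, a service account target, and no provisioner.
resource "google_compute_firewall" "good" {
  name    = "good-allow"
  network = "default"            # placeholder network
  project = "myproject"

  allow {
    protocol = "tcp"
    ports    = ["443"]
  }

  source_ranges           = ["10.0.0.0/8"]
  target_service_accounts = ["web@myproject.iam.gserviceaccount.com"]  # placeholder
}
```

Run the rules against it with `semgrep --config <rules file> main.tf`; only the "bad" resource should produce findings.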