main rego
package main

# `tfplan` is the Terraform plan JSON (`terraform show -json`) handed to OPA as input.
import input as tfplan

# Restrict all resources to one project: the only project id the project deny
# rule accepts in a resource's planned `after.project`.
required_project = "myproject"

# Ban ports: port entries (compared as strings, as they appear in the plan's
# `allow[].ports`) that a firewall rule may not open.
banned_ports = ["80", "22"]
# check if array contains element
# True when at least one element of `arr` equals `elem`; undefined (falsy)
# when no element matches.
array_contains(arr, elem) {
	elem == arr[_]
}
# Deny if project does not match
# NOTE(review): a change whose `after` has no `project` attribute (or whose
# `after` is null, e.g. a deletion) leaves this body undefined, so such a
# resource is not denied here — only resources carrying a project value are
# compared.
deny[msg] {
	rc := tfplan.resource_changes[_]
	actual := rc.change.after.project
	actual != required_project
	msg := sprintf("%q: Project %q is not allowed. Must be %q", [rc.address, actual, required_project])
}
# Block protocols that aren't TCP
# The comparison is exact string equality, so any value other than "tcp"
# (including "TCP" or "all") is denied. Resources with no `allow` entries
# leave the body undefined and are skipped.
deny[msg] {
	rc := tfplan.resource_changes[_]
	rule := rc.change.after.allow[_]
	rule.protocol != "tcp"
	msg := sprintf("%q: Protocol %q is not allowed. Must be tcp", [rc.address, rule.protocol])
}
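# Block banned ports
# A `ports` entry may be a single port ("22") or a range ("20-30"). A range
# that covers a banned port is denied as well, so "1-65535" cannot bypass the
# list by never matching a banned entry exactly.
# NOTE(review): an `allow` entry with no `ports` (or an empty list) leaves
# `allow.ports[_]` undefined and is not checked here; confirm how the plan
# renders "all ports" for that protocol and whether it should be denied.
deny[msg] {
	resource := tfplan.resource_changes[_]
	allow := resource.change.after.allow[_]
	port := allow.ports[_]
	banned := banned_ports[_]
	port_covers(port, banned)
	msg := sprintf("%q: Port %q is not allowed.", [resource.address, port])
}

# port_covers(spec, p) is true when port entry `spec` is exactly `p` ...
port_covers(spec, p) {
	spec == p
}

# ... or when `spec` is a "lo-hi" range and `p` falls within it (inclusive).
# A non-numeric bound makes to_number undefined, so the body simply fails.
port_covers(spec, p) {
	bounds := split(spec, "-")
	count(bounds) == 2
	n := to_number(p)
	n >= to_number(bounds[0])
	n <= to_number(bounds[1])
}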
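# Require targeting a service account
# Fires when `target_service_accounts` is null (unset) or an empty list, so an
# explicitly empty `target_service_accounts = []` cannot slip past a null-only
# check. Resources without the attribute at all leave the body undefined and
# are not denied here.
deny[msg] {
	resource := tfplan.resource_changes[_]
	no_target_accounts(resource.change.after.target_service_accounts)
	msg := sprintf("%q: A service account must be used as a target.", [resource.address])
}

# no_target_accounts(accounts): true when no target service account is set.
no_target_accounts(accounts) {
	accounts == null
}

no_target_accounts(accounts) {
	count(accounts) == 0
}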
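# block provisioners
# Walks the whole `configuration` tree so resources declared inside child
# modules (`module_calls[*].module.resources`) are caught too, not only the
# root module's resources. Any node carrying a `provisioners` list is denied.
# NOTE(review): for resources in child modules the `address` is whatever the
# plan renders on that node (likely module-relative) — verify against a plan
# that uses modules.
deny[msg] {
	walk(tfplan.configuration, [_, node])
	provisioner := node.provisioners[_]
	msg := sprintf("%s: Provisioners are not allowed - Provisioner: %q", [node.address, provisioner.type])
}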