Created
August 20, 2020 18:44
-
-
Save mikegreen/b98508973b21642b827e24b300d80b5e to your computer and use it in GitHub Desktop.
TFE Sentinel Policy Check Output sample
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "data": { | |
| "id": "polchk-K7hoj4fHrp17TZw9", | |
| "type": "policy-checks", | |
| "attributes": { | |
| "result": { | |
| "result": true, | |
| "passed": 2, | |
| "total-failed": 0, | |
| "hard-failed": 0, | |
| "soft-failed": 0, | |
| "advisory-failed": 0, | |
| "duration-ms": 0, | |
| "sentinel": { | |
| "schema-version": 1, | |
| "data": { | |
| "sentinel-basics": { | |
| "can-override": false, | |
| "error": null, | |
| "policies": [ | |
| { | |
| "allowed-failure": false, | |
| "error": null, | |
| "policy": "sentinel-basics/aws-cis-4.1-networking-deny-public-ssh-acl-rules", | |
| "result": true, | |
| "trace": { | |
| "description": "", | |
| "error": null, | |
| "print": "CIS 4.1: Ensure no AWS security groups allow ingress from 0.0.0.0/0 to port 22\ndeny_all_open_protocol_security_group_rules: true\n", | |
| "result": true, | |
| "rules": { | |
| "deny-all-open-protocol-security-group-rules": { | |
| "ident": "deny_all_open_protocol_security_group_rules", | |
| "root": { | |
| "children": null, | |
| "expression": "all protocol_security_group_rules as _, psgr {\n\tpsgr.change.after.cidr_blocks not contains \"0.0.0.0/0\"\n}", | |
| "value": "true" | |
| }, | |
| "string": "Rule \"deny_all_open_protocol_security_group_rules\" (byte offset 1985) = true\n" | |
| }, | |
| "deny-all-open-protocol-security-groups": { | |
| "ident": "deny_all_open_protocol_security_groups", | |
| "root": { | |
| "children": null, | |
| "expression": "all protocol_security_groups as _, psg {\n\tall psg.change.after.ingress as _, ingress {\n\t\tingress.cidr_blocks not contains \"0.0.0.0/0\"\n\t}\n}", | |
| "value": "true" | |
| }, | |
| "string": "Rule \"deny_all_open_protocol_security_groups\" (byte offset 1790) = true\n" | |
| }, | |
| "deny-public-ssh-security-group-rules": { | |
| "ident": "deny_public_ssh_security_group_rules", | |
| "root": { | |
| "children": null, | |
| "expression": "all ssh_security_group_rules as _, ssgr {\n\tssgr.change.after.cidr_blocks not contains \"0.0.0.0/0\"\n}", | |
| "value": "true" | |
| }, | |
| "string": "Rule \"deny_public_ssh_security_group_rules\" (byte offset 1638) = true\n" | |
| }, | |
| "deny-public-ssh-security-groups": { | |
| "ident": "deny_public_ssh_security_groups", | |
| "root": { | |
| "children": null, | |
| "expression": "all ssh_security_groups as _, ssg {\n\tall ssg.change.after.ingress as _, ingress {\n\t\tingress.cidr_blocks not contains \"0.0.0.0/0\"\n\t}\n}", | |
| "value": "true" | |
| }, | |
| "string": "Rule \"deny_public_ssh_security_groups\" (byte offset 1455) = true\n" | |
| }, | |
| "main": { | |
| "ident": "main", | |
| "root": { | |
| "children": [ | |
| { | |
| "children": [ | |
| { | |
| "children": [ | |
| { | |
| "children": [ | |
| { | |
| "children": null, | |
| "expression": "all ssh_security_groups as _, ssg {\n\tall ssg.change.after.ingress as _, ingress {\n\t\tingress.cidr_blocks not contains \"0.0.0.0/0\"\n\t}\n}", | |
| "value": "true" | |
| } | |
| ], | |
| "expression": "deny_public_ssh_security_groups", | |
| "value": "true" | |
| }, | |
| { | |
| "children": [ | |
| { | |
| "children": null, | |
| "expression": "all ssh_security_group_rules as _, ssgr {\n\tssgr.change.after.cidr_blocks not contains \"0.0.0.0/0\"\n}", | |
| "value": "true" | |
| } | |
| ], | |
| "expression": "deny_public_ssh_security_group_rules", | |
| "value": "true" | |
| } | |
| ], | |
| "expression": "deny_public_ssh_security_groups and deny_public_ssh_security_group_rules", | |
| "value": "true" | |
| }, | |
| { | |
| "children": [ | |
| { | |
| "children": null, | |
| "expression": "all protocol_security_groups as _, psg {\n\tall psg.change.after.ingress as _, ingress {\n\t\tingress.cidr_blocks not contains \"0.0.0.0/0\"\n\t}\n}", | |
| "value": "true" | |
| } | |
| ], | |
| "expression": "deny_all_open_protocol_security_groups", | |
| "value": "true" | |
| } | |
| ], | |
| "expression": "deny_public_ssh_security_groups and deny_public_ssh_security_group_rules and deny_all_open_protocol_security_groups", | |
| "value": "true" | |
| }, | |
| { | |
| "children": null, | |
| "expression": "deny_all_open_protocol_security_group_rules", | |
| "value": "true" | |
| } | |
| ], | |
| "expression": "deny_public_ssh_security_groups and deny_public_ssh_security_group_rules and deny_all_open_protocol_security_groups and deny_all_open_protocol_security_group_rules", | |
| "value": "true" | |
| }, | |
| "string": "Rule \"main\" (byte offset 2249) = true\n true (offset 2264): deny_public_ssh_security_groups and deny_public_ssh_security_group_rules and deny_all_open_protocol_security_groups\n true (offset 2264): deny_public_ssh_security_groups and deny_public_ssh_security_group_rules\n true (offset 2264): deny_public_ssh_security_groups\n true (offset 1497): all ssh_security_groups as _, ssg {\n\tall ssg.change.after.ingress as _, ingress {\n\t\tingress.cidr_blocks not contains \"0.0.0.0/0\"\n\t}\n}\n true (offset 2301): deny_public_ssh_security_group_rules\n true (offset 1685): all ssh_security_group_rules as _, ssgr {\n\tssgr.change.after.cidr_blocks not contains \"0.0.0.0/0\"\n}\n true (offset 2343): deny_all_open_protocol_security_groups\n true (offset 1839): all protocol_security_groups as _, psg {\n\tall psg.change.after.ingress as _, ingress {\n\t\tingress.cidr_blocks not contains \"0.0.0.0/0\"\n\t}\n}\n true (offset 2387): deny_all_open_protocol_security_group_rules\n" | |
| } | |
| } | |
| } | |
| }, | |
| { | |
| "allowed-failure": false, | |
| "error": null, | |
| "policy": "sentinel-basics/enforce-mandatory-tags", | |
| "result": true, | |
| "trace": { | |
| "description": "Modified from https://github.com/hashicorp/terraform-guides/blob/master/governance/third-generation/aws/enforce-mandatory-tags.sentinel\nThis policy uses the Sentinel tfplan/v2 import to require that\nall EC2 instances have all mandatory tags", | |
| "error": null, | |
| "print": "", | |
| "result": true, | |
| "rules": { | |
| "main": { | |
| "ident": "main", | |
| "root": { | |
| "children": null, | |
| "expression": "validated is true", | |
| "value": "true" | |
| }, | |
| "string": "Rule \"main\" (byte offset 3661) = true\n" | |
| } | |
| } | |
| } | |
| } | |
| ], | |
| "result": true | |
| } | |
| } | |
| } | |
| }, | |
| "status": "passed", | |
| "status-timestamps": { | |
| "passed-at": "2020-08-18T21:16:23+00:00", | |
| "queued-at": "2020-08-18T21:16:21+00:00" | |
| }, | |
| "permissions": { | |
| "can-override": true | |
| }, | |
| "actions": { | |
| "is-overridable": false | |
| }, | |
| "scope": "organization" | |
| }, | |
| "links": { | |
| "output": "/api/v2/policy-checks/polchk-K7hoj4fHrp17TZw9/output" | |
| } | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment