Created
April 3, 2020 16:09
-
-
Save rberlind/be7f642db29fd881cf24bdd807a0d8ed to your computer and use it in GitHub Desktop.
restrict-acm-certificate-domains-2.sentinel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This policy uses the tfstate import to restrict ACM certificates | |
| # to have domains that are sub-domains of hashidemos.io | |
| # Import the v2 tfstate import, but use the alias "tfstate" | |
| import "tfstate/v2" as tfstate | |
| # Import common-functions/tfstate-functions.sentinel with alias "state" | |
| import "tfstate-functions" as state | |
| # Get all AWS ACM certs | |
| allACMCerts = state.find_datasources("aws_acm_certificate") | |
| # Function that validates ACM certs | |
| validate_certs = func(certs, parent_domain) { | |
| validated = true | |
| # Loop through the data source instances | |
| for certs as address, cert { | |
| # Validate that the domain is sub-domain of parent_domain | |
| # Use the matches operator | |
| domain = <expression> | |
| # Check if domain is sub-domain of parent domain, using strings import | |
| if <condition> { | |
| print(address, "has domain", domain, | |
| "that matches the regex", parent_domain) | |
| } else { | |
| print(address, "has domain", domain, | |
| "that does not match the regex", parent_domain, "or is missing") | |
| validated = false | |
| } | |
| } | |
| return validated | |
| } | |
| # Call the validation function | |
| # Pass it a list of ACM certs and a regex to match | |
| certs_validated = validate_certs(allACMCerts, "<regex>") | |
| # Main rule that evaluates the result of the validation function | |
| main = rule { | |
| certs_validated | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment