scarolan/nsg.hcl

## nsg.hcl
resource "azurerm_network_security_group" "catapp-sg" {
  name                = "${var.prefix}-sg"
  location            = "${var.location}"
  resource_group_name = "${azurerm_resource_group.myresourcegroup.name}"

  security_rule {
    name                       = "HTTP"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "80"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "HTTPS"
    priority                   = 102
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }

  security_rule {
    name                       = "SSH"
    priority                   = 101
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "22"
    source_address_prefix      = "*"
    destination_address_prefix = "*"
  }
}

## sentinel.policy
import "tfplan"

get_sgs = func() {
    sgs = []
    for tfplan.module_paths as path {
        sgs += values(tfplan.module(path).resources.azurerm_network_security_group) else []
    }
    return sgs
}

network_sgs = get_sgs()

disallowed_cidr_blocks = [
  "0.0.0.0/0",
  "0.0.0.0",
  "*",
]

block_allow_all = rule {
  all network_sgs as _, instances {
    all instances as _, sg {
    	all sg.applied.security_rule as _, sr {
        not (sr.destination_port_range == "80" and sr.source_address_prefix not in disallowed_cidr_blocks) or (sr.access == "Deny")
    	}
    }
  }
}

main = rule {
  (block_allow_all) else true
 }
	resource "azurerm_network_security_group" "catapp-sg" {
	name = "${var.prefix}-sg"
	location = "${var.location}"
	resource_group_name = "${azurerm_resource_group.myresourcegroup.name}"

	security_rule {
	name = "HTTP"
	priority = 100
	direction = "Inbound"
	access = "Allow"
	protocol = "Tcp"
	source_port_range = "*"
	destination_port_range = "80"
	source_address_prefix = "*"
	destination_address_prefix = "*"
	}

	security_rule {
	name = "HTTPS"
	priority = 102
	direction = "Inbound"
	access = "Allow"
	protocol = "Tcp"
	source_port_range = "*"
	destination_port_range = "443"
	source_address_prefix = "*"
	destination_address_prefix = "*"
	}

	security_rule {
	name = "SSH"
	priority = 101
	direction = "Inbound"
	access = "Allow"
	protocol = "Tcp"
	source_port_range = "*"
	destination_port_range = "22"
	source_address_prefix = "*"
	destination_address_prefix = "*"
	}
	}
	import "tfplan"

	get_sgs = func() {
	sgs = []
	for tfplan.module_paths as path {
	sgs += values(tfplan.module(path).resources.azurerm_network_security_group) else []
	}
	return sgs
	}

	network_sgs = get_sgs()

	disallowed_cidr_blocks = [
	"0.0.0.0/0",
	"0.0.0.0",
	"*",
	]

	block_allow_all = rule {
	all network_sgs as _, instances {
	all instances as _, sg {
	all sg.applied.security_rule as _, sr {
	not (sr.destination_port_range == "80" and sr.source_address_prefix not in disallowed_cidr_blocks) or (sr.access == "Deny")
	}
	}
	}
	}

	main = rule {
	(block_allow_all) else true
	}