migrate additional first-gen VMware policies

Author: rberlind

governance/third-generation/common-functions/tfconfig-functions/tfconfig-functions.sentinel

@@ -398,7 +398,8 @@ filter_attribute_does_not_match_regex = func(items, attr, expr, prtmsg) {
     if val is null {
       # Add the item and a warning message to the violators list
       message = to_string(index) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to " +
+                "match the regex " + to_string(expr)
       violators[index] = item
 			messages[index] = message
       if prtmsg {

governance/third-generation/common-functions/tfplan-functions/tfplan-functions.sentinel

@@ -323,7 +323,7 @@ filter_attribute_not_contains_list = func(resources, attr, required, prtmsg) {
        not (types.type_of(v) is "list" or types.type_of(v) is "map") {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is missing, null, or is not a map or a list" + "\nIt should have had these tags: " + to_string(required)
+                " that is missing, null, or is not a map or a list. " + "It should have had these items: " + to_string(required)
       violators[address] = rc
       messages[address] = message
       if prtmsg {
@@ -486,7 +486,8 @@ filter_attribute_is_not_value = func(resources, attr, value, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to be " +
+                to_string(value)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -523,7 +524,7 @@ filter_attribute_is_value = func(resources, attr, value, prtmsg) {
     if v is value {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) + " with value " +
-                to_string(v) + " that is equal to " + to_string(value)
+                to_string(v) + " that is not allowed."
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -547,7 +548,8 @@ filter_attribute_greater_than_value = func(resources, attr, value, prtmsg) {
     if float(v) else null is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to be less " +
+                "than or equal to " + to_string(value)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -580,7 +582,8 @@ filter_attribute_less_than_value = func(resources, attr, value, prtmsg) {
     if float(v) else null is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to be greater " +
+                "than or equal to " + to_string(value)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -669,7 +672,8 @@ filter_attribute_does_not_have_prefix = func(resources, attr, prefix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "starts with " + to_string(prefix)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -702,7 +706,8 @@ filter_attribute_has_prefix = func(resources, attr, prefix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "does not start with " + to_string(prefix)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -735,7 +740,8 @@ filter_attribute_does_not_have_suffix = func(resources, attr, suffix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "ends with " + to_string(prefix)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {
@@ -768,7 +774,8 @@ filter_attribute_has_suffix = func(resources, attr, suffix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "does not end with " + to_string(suffix)
       violators[address] = rc
 			messages[address] = message
       if prtmsg {

governance/third-generation/common-functions/tfstate-functions/tfstate-functions.sentinel

@@ -287,7 +287,7 @@ filter_attribute_not_contains_list = func(resources, attr, required, prtmsg) {
        not (types.type_of(v) is "list" or types.type_of(v) is "map") {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is missing, null, or is not a map or a list"
+                " that is missing, null, or is not a map or a list. " + "It should have had these items: " + to_string(required)
       violators[address] = r
       messages[address] = message
       if prtmsg {
@@ -450,7 +450,8 @@ filter_attribute_is_not_value = func(resources, attr, value, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to be " +
+                to_string(value)
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -487,7 +488,7 @@ filter_attribute_is_value = func(resources, attr, value, prtmsg) {
     if v is value {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) + " with value " +
-                to_string(v) + " that is equal to " + to_string(value)
+                to_string(v) + " that is not allowed."
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -511,7 +512,8 @@ filter_attribute_greater_than_value = func(resources, attr, value, prtmsg) {
     if float(v) else null is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to be less " +
+                "than or equal to " + to_string(value)
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -544,7 +546,8 @@ filter_attribute_less_than_value = func(resources, attr, value, prtmsg) {
     if float(v) else null is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It is supposed to be greater " +
+                "than or equal to " + to_string(value)
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -633,7 +636,8 @@ filter_attribute_does_not_have_prefix = func(resources, attr, prefix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "starts with " + to_string(prefix)
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -666,7 +670,8 @@ filter_attribute_has_prefix = func(resources, attr, prefix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "does not start with " + to_string(prefix)
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -699,7 +704,8 @@ filter_attribute_does_not_have_suffix = func(resources, attr, suffix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "ends with " + to_string(prefix)
       violators[address] = r
 			messages[address] = message
       if prtmsg {
@@ -732,7 +738,8 @@ filter_attribute_has_suffix = func(resources, attr, suffix, prtmsg) {
     if v is null {
       # Add the resource and a warning message to the violators list
       message = to_string(address) + " has " + to_string(attr) +
-                " that is null or undefined"
+                " that is null or undefined. " + "It must have a value that " +
+                "does not end with " + to_string(suffix)
       violators[address] = r
 			messages[address] = message
       if prtmsg {

governance/third-generation/vmware/require-storage-drs.sentinel

@@ -0,0 +1,21 @@
+# This policy uses the Sentinel tfplan/v2 import to require that
+# all VMware datastore clusters enable storage DRS
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Get all datastore clusters
+allDatastoreClusters = plan.find_resources("vsphere_datastore_cluster")
+
+# Filter to datastore clusters that do not enable storage DRS
+# Warnings will be printed for all violations since the last parameter is true
+datastoreClustersWithoutDRS = plan.filter_attribute_is_not_value(
+                              allDatastoreClusters, "sdrs_enabled", true, true)
+
+# Main rule
+validated = length(datastoreClustersWithoutDRS["messages"]) is 0
+
+main = rule {
+  validated
+}

governance/third-generation/vmware/require_nfs41_and_kerberos.sentinel

@@ -0,0 +1,27 @@
+# This policy uses the Sentinel tfplan/v2 import to require that NAS
+# Datastores be type NFS41 and use Kerberos for security
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Get all NAS Datastores
+allDatastores = plan.find_resources("vsphere_nas_datastore")
+
+# Filter to Datastores that are not NFS
+# Warnings will be printed for all violations since the last parameter is true
+nonNFSDatastores = plan.filter_attribute_is_not_value(allDatastores,
+             "type", "NFS41", true)
+
+# Filter to Datastores that do not use Kerberos
+# Warnings will be printed for all violations since the last parameter is true
+nonKerberosDatastores = plan.filter_attribute_not_in_list(allDatastores,
+                "security_type", ["SEC_KRB5", "SEC_KRB5I"] , true)
+
+# Main rule
+validated = length(nonNFSDatastores["messages"]) is 0 and
+            length(nonKerberosDatastores["messages"]) is 0
+
+main = rule {
+  validated
+}

governance/third-generation/vmware/restrict-virtual-disk-size-and-type.sentinel

@@ -0,0 +1,30 @@
+# This policy uses the Sentinel tfplan/v2 import to limit the size
+# of VMware virtual disks and require thin disks
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Max Disk Size Limit (in GB)
+maxSize = 100
+
+# Get all Virtual Disks
+allVDs = plan.find_resources("vsphere_virtual_disk")
+
+# Filter to disks with large size
+# Warnings will be printed for all violations since the last parameter is true
+largeVDs = plan.filter_attribute_greater_than_value(allVDs,
+             "size", maxSize, true)
+
+# Filter to disks that are not thin
+# Warnings will be printed for all violations since the last parameter is true
+nonThinVDs = plan.filter_attribute_is_not_value(allVDs,
+                "type", "thin", true)
+
+# Main rule
+validated = length(largeVDs["messages"]) is 0 and
+            length(nonThinVDs["messages"]) is 0
+
+main = rule {
+  validated
+}

governance/third-generation/vmware/test/require-storage-drs/fail.json

@@ -0,0 +1,13 @@
+{
+  "modules": {
+    "tfplan-functions": {
+      "path": "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+    }
+  },
+  "mock": {
+    "tfplan/v2": "mock-tfplan-fail.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/third-generation/vmware/test/require-storage-drs/mock-tfplan-fail.sentinel

@@ -0,0 +1,101 @@
+terraform_version = "0.13.5"
+
+variables = {}
+
+resource_changes = {
+	"vsphere_datastore_cluster.datastore_cluster_1": {
+		"address": "vsphere_datastore_cluster.datastore_cluster_1",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"custom_attributes":                        null,
+				"datacenter_id":                            "datacenter-2",
+				"folder":                                   null,
+				"name":                                     "terraform-datastore-cluster-test-1",
+				"sdrs_advanced_options":                    null,
+				"sdrs_automation_level":                    "manual",
+				"sdrs_default_intra_vm_affinity":           true,
+				"sdrs_enabled":                             false,
+				"sdrs_free_space_threshold":                50,
+				"sdrs_free_space_threshold_mode":           "utilization",
+				"sdrs_free_space_utilization_difference":   5,
+				"sdrs_io_balance_automation_level":         null,
+				"sdrs_io_latency_threshold":                15,
+				"sdrs_io_load_balance_enabled":             true,
+				"sdrs_io_load_imbalance_threshold":         5,
+				"sdrs_io_reservable_iops_threshold":        null,
+				"sdrs_io_reservable_percent_threshold":     60,
+				"sdrs_io_reservable_threshold_mode":        "automated",
+				"sdrs_load_balance_interval":               480,
+				"sdrs_policy_enforcement_automation_level": null,
+				"sdrs_rule_enforcement_automation_level":   null,
+				"sdrs_space_balance_automation_level":      null,
+				"sdrs_space_utilization_threshold":         80,
+				"sdrs_vm_evacuation_automation_level":      null,
+				"tags": null,
+			},
+			"after_unknown": {
+				"id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "datastore_cluster_1",
+		"provider_name":  "registry.terraform.io/hashicorp/vsphere",
+		"type":           "vsphere_datastore_cluster",
+	},
+	"vsphere_datastore_cluster.datastore_cluster_2": {
+		"address": "vsphere_datastore_cluster.datastore_cluster_2",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"custom_attributes":                        null,
+				"datacenter_id":                            "datacenter-2",
+				"folder":                                   null,
+				"name":                                     "terraform-datastore-cluster-test-2",
+				"sdrs_advanced_options":                    null,
+				"sdrs_automation_level":                    "manual",
+				"sdrs_default_intra_vm_affinity":           true,
+				"sdrs_enabled":                             null,
+				"sdrs_free_space_threshold":                50,
+				"sdrs_free_space_threshold_mode":           "utilization",
+				"sdrs_free_space_utilization_difference":   5,
+				"sdrs_io_balance_automation_level":         null,
+				"sdrs_io_latency_threshold":                15,
+				"sdrs_io_load_balance_enabled":             true,
+				"sdrs_io_load_imbalance_threshold":         5,
+				"sdrs_io_reservable_iops_threshold":        null,
+				"sdrs_io_reservable_percent_threshold":     60,
+				"sdrs_io_reservable_threshold_mode":        "automated",
+				"sdrs_load_balance_interval":               480,
+				"sdrs_policy_enforcement_automation_level": null,
+				"sdrs_rule_enforcement_automation_level":   null,
+				"sdrs_space_balance_automation_level":      null,
+				"sdrs_space_utilization_threshold":         80,
+				"sdrs_vm_evacuation_automation_level":      null,
+				"tags": null,
+			},
+			"after_unknown": {
+				"id": true,
+				"sdrs_enabled": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "datastore_cluster_2",
+		"provider_name":  "registry.terraform.io/hashicorp/vsphere",
+		"type":           "vsphere_datastore_cluster",
+	},
+}
+
+output_changes = {}