anishmoktan
diff --git a/‎governance/third-generation/README.md
Lines changed: 9 additions & 8 deletions b/‎governance/third-generation/README.md
Lines changed: 9 additions & 8 deletions
diff --git a/‎governance/third-generation/aws/aws-functions/aws-functions.sentinel
Lines changed: 1 addition & 1 deletion b/‎governance/third-generation/aws/aws-functions/aws-functions.sentinel
Lines changed: 1 addition & 1 deletion
diff --git a/‎governance/third-generation/aws/restrict-ingress-sg-rule-rdp.sentinel
Lines changed: 121 additions & 0 deletions b/‎governance/third-generation/aws/restrict-ingress-sg-rule-rdp.sentinel
Lines changed: 121 additions & 0 deletions
diff --git a/‎governance/third-generation/aws/restrict-ingress-sg-rule-ssh.sentinel
Lines changed: 121 additions & 0 deletions b/‎governance/third-generation/aws/restrict-ingress-sg-rule-ssh.sentinel
Lines changed: 121 additions & 0 deletions
@@ -5,23 +5,23 @@ Additionally, it contains [Policy Set](https://www.terraform.io/docs/cloud/senti
 
 These policies and the Terraform Sentinel v2 imports they use can only be used with Terraform 0.12 and above.
 
-These policies use the new Terraform Sentinel v2 imports. They also use a new feature called [Sentinel Modules](https://docs.hashicorp.com/sentinel/extending/modules) which allows Sentinel functions and rules to be defined in one file and used by Sentinel policies in other files.
+These policies use the Terraform Sentinel v2 imports. They also use [Sentinel Modules](https://docs.hashicorp.com/sentinel/extending/modules) which allow Sentinel functions and rules to be defined in one file and used by Sentinel policies in other files.
 
-To learn more about the new Terraform Sentinel v2 imports, see this [blog post](https://www.hashicorp.com/blog/terraform-sentinel-v2-imports-now-in-technology-preview).
+To learn more about the Terraform Sentinel v2 imports, see this [blog post](https://www.hashicorp.com/blog/terraform-sentinel-v2-imports-now-in-technology-preview).
 
 To learn more about Sentinel Modules, see this [blog post](https://discuss.hashicorp.com/t/sentinel-v0-15-0-introducing-modules/6579).
 
 ## Using These Policies with Terraform Cloud and Terraform Enterprise
 These policies and the common functions they use can be used as organized with the current version of Terraform Cloud (TFC) and with Terraform Enterprise (TFE) v202011-1 and higher. That version was released on November 10, 2020. It added the Sentinel 0.16.0 runtime which introduced the option of using HCL instead of JSON configuration files.
 
-All the JSON Sentinel configuration files were replaced with new HCL equivalent files on January 20, 2021. If you running a version of Terraform Enterprise (TFE) betweeen v202006-1 and v202010-2 and would like to use these policies, you should use the most recent version of this repository before January 20, 2021 which included the JSON configuration files.
+All the JSON Sentinel configuration files were replaced with HCL equivalent files on January 20, 2021. If you running a version of Terraform Enterprise (TFE) betweeen v202006-1 and v202010-2 and would like to use these policies, you should use the most recent version of this repository before January 20, 2021 which included the JSON configuration files.
 
 ## Important Characterizations of the New Policies
-These new third-generation policies have several important characteristics:
-1. As mentioned above, they use the new Terraform Sentinel v2 imports, which are more closely aligned with Terraform 0.12's data model and leverage the recently added [filter expression](https://docs.hashicorp.com/sentinel/language/collection-operations/#filter-expression), and make it easier to restrict policies to specific operations performed by Terraform against resources.
-1. The new policies use new, parameterized functions defined in four [Sentinel modules](https://docs.hashicorp.com/sentinel/extending/modules). Since they are defined in modules, their implementations do **not** need to be pasted into the policies. This is a **HUGE** improvement over the second-generation common functions!
+These third-generation policies have several important characteristics:
+1. As mentioned above, they use the Terraform Sentinel v2 imports, which are more closely aligned with Terraform 0.12's data model and leverage the recently added [filter expression](https://docs.hashicorp.com/sentinel/language/collection-operations/#filter-expression), and make it easier to restrict policies to specific operations performed by Terraform against resources.
+1. The policies use parameterized functions defined in four [Sentinel modules](https://docs.hashicorp.com/sentinel/extending/modules). Since they are defined in modules, their implementations do **not** need to be pasted into the policies. This is a **HUGE** improvement over the second-generation common functions!
 1. A related benefit of using functions from modules is that the policies themselves do not have any `for` loops or `if/else` conditionals. This makes it easier for users to understand the sample policies and to write their own policies that copy them.
-1. The new policies have been written in a way that causes all violations to be reported. This means a user who violates a policy will be informed about all of their violations in a single shot without having to run multiple Sentinel CLI tests or TFC/TFE plans.
+1. The policies have been written in a way that causes all violations to be reported. This means a user who violates a policy will be informed about all of their violations in a single shot without having to run multiple Sentinel CLI tests or TFC/TFE plans.
 1. The policies print out the full address of each resource instance that does violate a rule in the same format that is used in plan and apply logs, namely `module.<A>.module.<B>.<type>.<name>[<index>]`. (Note that `index` will only be present if multiple instances of a resource are defined either with the `count` or the `for_each` meta-arguments.) This allows writers of Terraform code to quickly determine the resources they need to fix even if the violations occur in modules that they did not write.
 1. They are written in a way that makes Sentinel's default output much less verbose. Users looking at Sentinel policy violations that occur during their runs will get all the information they need from the messages explicitly printed from the policies using Sentinel's `print` function. (Sentinel's default output that reports `TRUE` or `FALSE` for various rules and boolean expressions used by them along with Sentinel policy line numbers is really only useful to the policy's author.)
 1. The common function `evaluate_attribute`, which is in the tfplan-functions.sentinel and tfstate-functions.sentinel modules, can evaluate the values of any attribute of any resource even if it is deeply nested inside the resource. It does this by calling itself recursively.
@@ -88,10 +88,11 @@ The `tfconfig-functions` module has several types of functions:
   * `find_*_by_provider` functions that find resources or data sources created by a specific provider.
   * The `find_outputs_by_sensitivity` function that finds outputs based on their `sensitive` setting.
   * The `find_descendant_modules` function that finds all module addresses called directly or indirectly by a specific module including that module itself. Calling `find_descendant_modules("")` will return all module addresses within the Terraform configuration.
-  * Various filter functions such as `filter_attribute_not_in_list` and `filter_attribute_in_list` that are similar to the filter functions in the tfplan-functions module. However, these can only be used against top-level attributes of the items in the collection passed to them. Those collections can be any type of entity covered by the tfconfig/v2 import including resources, data sources, providers, provisioners, variables, outputs, and module calls. The filter functions return a map consisting of 2 items:
+  * Various filter functions such as `filter_attribute_not_in_list` and `filter_attribute_in_list` that are similar to the filter functions in the tfplan-functions module. However, these can only be used against top-level attributes of the items in the collection passed to them or against items directly under the `config` map of items. Those collections can be any type of entity covered by the tfconfig/v2 import including resources, data sources, providers, provisioners, variables, outputs, and module calls. The filter functions return a map consisting of 2 items:
     * `items`: a map consisting of items that violate a condition.
     * `messages`: a map of violation messages associated with the items.
   * The same `to_string` and `print_violations` functions that are in the tfplan-functions module.
+  * A `get_module_source` function that computes the source of a module from its address. This is used in the [restrict-resources-by-module-source.sentinel](./cloud-agnostic/restrict-resources-by-module-source.sentinel) policy to restrict creation of resources based on the actual module sources.
 
 Documentation for each individual function can be found in this directory:
   * [tfconfig-functions](./common-functions/tfconfig-functions/docs)
 
@@ -279,7 +279,7 @@ validate_provider_in_allowed_regions = func(p, regions) {
             module_segments = strings.split(p.module_address, ".")
             num_segments = length(module_segments)
             parent_module = strings.join(module_segments[0:num_segments-2], ".")
-            current_module_name = module_segments[num_segments -1]
+            current_module_name = module_segments[num_segments-1]
 
             # Find module call that called current module
             if parent_module is "" {
 
@@ -0,0 +1,121 @@
+# This policy uses the Sentinel tfplan/v2 import to validate that no security group
+# rules have the have SSH open to CIDR "0.0.0.0/0" for ingress rules.  It covers both the
+# aws_security_group and the aws_security_group_rule resources which can both
+# define rules.
+
+# Same targeting as terraform-foundational-policies-library/cis/
+# aws/networking/aws-cis-4.2-networking-deny-public-rdp-acl-rules
+# but provides greater detail of violations
+
+# Import the tfplan/v2 import, but use the alias "tfplan"
+import "tfplan/v2" as tfplan
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Import for looping through the Security Group Rules
+import "types"
+
+# Variables and print() can be edited to tailor this policy as needed
+forbidden_cidrs = ["0.0.0.0/0"]
+forbidden_port = 3389
+forbidden_to_port = 3389
+forbidden_from_port = 3389
+
+# Get all Security Group Ingress Rules
+aws_security_group_rules = filter tfplan.resource_changes as address, rc {
+  rc.type is "aws_security_group_rule" and
+  rc.mode is "managed" and rc.change.after.type is "ingress" and
+  (rc.change.actions contains "create" or rc.change.actions contains "update" or
+   rc.change.actions contains "read" or rc.change.actions contains "no-op")
+}
+
+# Validate Security Group Rules
+violatingSGRulesCount = 0
+for aws_security_group_rules as address, sgr {
+
+	# Validate that each SG rule does not have disallowed value
+	# Since cidr_blocks is optional and could be computed,
+	# We check that it is present and really a list
+	# before checking whether it contains "0.0.0.0/0"
+	if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is not null and
+		sgr.change.after.from_port <= forbidden_from_port and 
+		sgr.change.after.to_port else null is not null and
+		sgr.change.after.to_port >= forbidden_to_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(RDP) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule", "has from_port with value", sgr.change.after.from_port, 
+		"that is less than or equal to", forbidden_from_port)
+		print("  and Ingress Rule has to_port with value", sgr.change.after.to_port, 
+		"that is greater than or equal to", forbidden_to_port)
+	} else if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.to_port else null is not null and
+		sgr.change.after.to_port is forbidden_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+			"(RDP) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule", "has to_port with value", sgr.change.after.to_port)
+  }
+} // end of SG Rules
+
+# Get all Security Groups
+allSGs = plan.find_resources("aws_security_group")
+
+# Validate Security Groups
+violatingSGsCount = 0
+for allSGs as address, sg {
+
+	# Find the ingress rules of the current SG
+	ingressRules = plan.find_blocks(sg, "ingress")
+	
+	# Filter to violating CIDR blocks
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingCidr = plan.filter_attribute_contains_items_from_list(ingressRules,
+					"cidr_blocks", forbidden_cidrs, false)
+	
+	# Filter to violating Service port
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingToPort = plan.filter_attribute_is_value(ingressRules,
+						"to_port", forbidden_to_port, false)
+	
+	# Filter to violating Service port
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingFromPortLess = plan.filter_attribute_less_than_equal_to_value(ingressRules,
+							"from_port", forbidden_from_port, false)
+	
+	# Filter to violating Service port
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingToPortGreater = plan.filter_attribute_greater_than_equal_to_value(ingressRules,
+								"to_port", forbidden_to_port, false)
+	
+	# Print violation messages
+	if length(violatingCidr["messages"]) > 0 and length(violatingFromPortLess["messages"]) > 0 and 
+		length(violatingToPortGreater["messages"]) > 0{
+	violatingSGsCount += 1
+	print("SG Ingress Violation:", address, "has port", forbidden_port, 
+			"(RDP) open to", forbidden_cidrs, "that is not allowed")
+###Uncomment below if you want to show the CIDRs as a separate message as well
+#	plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
+	plan.print_violations(violatingFromPortLess["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPortGreater["messages"], "  and Ingress Rule")
+	} else if length(violatingCidr["messages"]) > 0 and length(violatingToPort["messages"]) > 0{
+	violatingSGsCount += 1
+    print("SG Ingress Violation:", address, "has port", forbidden_port, 
+			"(RDP) open to", forbidden_cidrs, "that is not allowed")
+###Uncomment below if you want to show the CIDRs as a separate message as well
+#   plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPort["messages"], "  Ingress Rule")
+  }
+} // end for SGs
+
+validated = violatingSGsCount is 0 and violatingSGRulesCount is 0
+main = rule {
+  validated is true
+}
@@ -0,0 +1,121 @@
+# This policy uses the Sentinel tfplan/v2 import to validate that no security group
+# rules have the have SSH open to CIDR "0.0.0.0/0" for ingress rules.  It covers both the
+# aws_security_group and the aws_security_group_rule resources which can both
+# define rules.
+
+# Same targeting as terraform-foundational-policies-library/cis/
+# aws/networking/aws-cis-4.1-networking-deny-public-ssh-acl-rules
+# but provides greater detail of violations
+
+# Import the tfplan/v2 import, but use the alias "tfplan"
+import "tfplan/v2" as tfplan
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Import for looping through the Security Group Rules
+import "types"
+
+# Variables and print() can be edited to tailor this policy as needed
+forbidden_cidrs = ["0.0.0.0/0"]
+forbidden_port = 22
+forbidden_to_port = 22
+forbidden_from_port = 22
+
+# Get all Security Group Ingress Rules
+aws_security_group_rules = filter tfplan.resource_changes as address, rc {
+  rc.type is "aws_security_group_rule" and
+  rc.mode is "managed" and rc.change.after.type is "ingress" and
+  (rc.change.actions contains "create" or rc.change.actions contains "update" or
+   rc.change.actions contains "read" or rc.change.actions contains "no-op")
+}
+
+# Validate Security Group Rules
+violatingSGRulesCount = 0
+for aws_security_group_rules as address, sgr {
+
+	# Validate that each SG rule does not have disallowed value
+	# Since cidr_blocks is optional and could be computed,
+	# We check that it is present and really a list
+	# before checking whether it contains "0.0.0.0/0"
+	if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is not null and
+		sgr.change.after.from_port <= forbidden_from_port and 
+		sgr.change.after.to_port else null is not null and
+		sgr.change.after.to_port >= forbidden_to_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(SSH) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule", "has from_port with value", sgr.change.after.from_port, 
+		"that is less than or equal to", forbidden_from_port)
+		print("  and Ingress Rule has to_port with value", sgr.change.after.to_port, 
+		"that is greater than or equal to", forbidden_to_port)
+	} else if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.to_port else null is not null and
+		sgr.change.after.to_port is forbidden_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+			"(SSH) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule", "has to_port with value", sgr.change.after.to_port)
+  }
+} // end of SG Rules
+
+# Get all Security Groups
+allSGs = plan.find_resources("aws_security_group")
+
+# Validate Security Groups
+violatingSGsCount = 0
+for allSGs as address, sg {
+
+	# Find the ingress rules of the current SG
+	ingressRules = plan.find_blocks(sg, "ingress")
+	
+	# Filter to violating CIDR blocks
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingCidr = plan.filter_attribute_contains_items_from_list(ingressRules,
+					"cidr_blocks", forbidden_cidrs, false)
+	
+	# Filter to violating Service port
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingToPort = plan.filter_attribute_is_value(ingressRules,
+						"to_port", forbidden_to_port, false)
+	
+	# Filter to violating Service port
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingFromPortLess = plan.filter_attribute_less_than_equal_to_value(ingressRules,
+							"from_port", forbidden_from_port, false)
+	
+	# Filter to violating Service port
+	# Warnings will not be printed for violations since the last parameter is false
+	violatingToPortGreater = plan.filter_attribute_greater_than_equal_to_value(ingressRules,
+								"to_port", forbidden_to_port, false)
+	
+	# Print violation messages
+	if length(violatingCidr["messages"]) > 0 and length(violatingFromPortLess["messages"]) > 0 and 
+		length(violatingToPortGreater["messages"]) > 0{
+	violatingSGsCount += 1
+	print("SG Ingress Violation:", address, "has port", forbidden_port, 
+			"(SSH) open to", forbidden_cidrs, "that is not allowed")
+###Uncomment below if you want to show the CIDRs as a separate message as well
+#	plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
+	plan.print_violations(violatingFromPortLess["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPortGreater["messages"], "  and Ingress Rule")
+	} else if length(violatingCidr["messages"]) > 0 and length(violatingToPort["messages"]) > 0{
+	violatingSGsCount += 1
+    print("SG Ingress Violation:", address, "has port", forbidden_port, 
+			"(SSH) open to", forbidden_cidrs, "that is not allowed")
+###Uncomment below if you want to show the CIDRs as a separate message as well
+#   plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPort["messages"], "  Ingress Rule")
+  }
+} // end for SGs
+
+validated = violatingSGsCount is 0 and violatingSGRulesCount is 0
+main = rule {
+  validated is true
+}