Merge pull request hashicorp#173 from hashicorp/restict-assumedrole-by-workspace

add restrict-assumed-role-by-workspace

Author: rberlind

governance/second-generation/aws/restrict-assumed-role-by-workspace.sentinel

@@ -0,0 +1,175 @@
+# This policy restricts accounts that can be assumed by the AWS provider
+# It includes a map that maps roles to lists of regex expressions
+# that match one or more workspace names
+# It assumes that the role_arn is either a hard-coded value or a reference
+# to a Terraform variable
+
+#### Imports #####
+import "tfconfig"
+import "tfplan"
+import "tfrun"
+import "strings"
+
+##### Functions #####
+
+# Find all providers aliases of given type using the tfconfig import
+find_provider_aliases = func(type) {
+
+  # We will find all provider aliases og given type from tfconfig,
+  # meaning providers.TYPE.alias.ALIAS
+  providers = {}
+
+  # Iterate over all modules in the tfconfig import
+  for tfconfig.module_paths as path {
+    # Iterate over providers of given type in module
+    aliases = tfconfig.module(path).providers[type]["alias"] else {}
+    for aliases as alias, data {
+      # Change default alias ("") to "default"
+      if alias is "" {
+        alias = "default"
+      }
+
+      # Get the address of the provider alias
+      if length(path) == 0 {
+        # root module
+        address =  type + "." + alias
+      } else {
+        # non-root module
+        address = "module." + strings.join(path, ".module.") + "." +
+                  type + "." + alias
+      }
+
+      providers[address] = data
+
+    } // end aliases loop
+  } // end module_paths loop
+
+  return providers
+}
+
+
+# Determine role_arn of a provider from its data
+determine_role_arn = func(data) {
+
+  # Return empty string if provider does not assume a role
+  role_arn_value = ""
+
+  # Check for role_arn in config
+  if (length(data["config"]) else 0) > 0 and
+     (length(data["config"]["assume_role"]) else 0) > 0 {
+    config_assume_role = data["config"]["assume_role"]
+    if config_assume_role[0]["role_arn"] else null is not null {
+      role_arn = config_assume_role[0]["role_arn"]
+      # This would only happen for Terraform 0.11 since a reference
+      # to a variable in Terraform 0.12 would end up in
+      # the references value
+      if role_arn matches "\\$\\{var\\.(.*)\\}" {
+        # role_arn of AWS provider was a Terraform 0.11 style variable
+        role_arn_variable = strings.trim_suffix(strings.trim_prefix(role_arn, "${var."), "}")
+        role_arn_value = tfplan.variables[role_arn_variable]
+      } else {
+        # role_arn of AWS provider was hard-coded role_arn
+        role_arn_value = role_arn
+      } // end determination of role_arn type
+    } // end role_arn in config test
+  } // end config test
+
+  # Check for role_arn in references
+  if (length(data["references"]) else 0) > 0 and
+     (length(data["references"]["assume_role"]) else 0) > 0 {
+    references_assume_role = data["references"]["assume_role"]
+    if references_assume_role[0]["role_arn"] else null is not null and
+       length(references_assume_role[0]["role_arn"]) > 0 {
+      role_arn = references_assume_role[0]["role_arn"][0]
+      if role_arn matches "\\$\\{var\\.(.*)\\}" {
+        # role_arn of AWS provider was a Terraform 0.11 style variable
+        role_arn_variable = strings.trim_suffix(strings.trim_prefix(role_arn, "${var."), "}")
+        role_arn_value = tfplan.variables[role_arn_variable]
+      } else if role_arn matches "var\\.(.*)" {
+        # role_arn of AWS provider was a Terraform 0.12 style variable
+        role_arn_variable = strings.trim_prefix(role_arn, "var.")
+        role_arn_value = tfplan.variables[role_arn_variable]
+      } // end determination of role_arn type
+    } // end role_arn in references test
+  } // end references test
+
+  return role_arn_value
+}
+
+# Get assumed roles from all AWS providers
+get_assumed_roles = func() {
+
+  # Initialize empty map of roles indexed by aliases
+  assumed_roles = {}
+
+  # Get all AWS provider aliases
+  aws_providers = find_provider_aliases("aws")
+
+  # Iterate through all AWS provider aliases
+  for aws_providers as alias, data {
+    assumed_roles[alias] = determine_role_arn(data)
+  } // end aws_providers
+
+  return assumed_roles
+
+}
+
+# Validate that all assumed roles are allowed
+validate_assumed_roles = func(allowed_roles_map) {
+
+  validated = true
+
+  assumed_roles = get_assumed_roles()
+
+  # Iterate over all assumed roles used by providers
+  for assumed_roles as alias, role {
+    # Validate that each assumed role is in map
+    if role is not "" {
+      if role not in keys(allowed_roles_map) {
+        print("AWS provider with alias", alias, "has assumed role",
+              role, "that is not allowed.")
+        validated = false
+      } else {
+
+        # Get workspace name
+        workspace_name = tfrun.workspace.name
+
+        # Validate that role is allowed for current workspace
+        matched = false
+        for allowed_roles_map[role] as workspace_regex {
+          if workspace_name matches workspace_regex {
+            matched = true
+          }
+        } // end for workspace_regex
+        if not matched {
+          print("Workspace", workspace_name, "is not allowed to use role", role)
+          print("It used that role in the AWS provider with alias", alias)
+          validated = false
+        } // end matched check
+      } // end else role in allowed_roles_map
+    } // end if role is not ""
+  } // end assumed_roles loop
+  return validated
+}
+
+###### Allowed Roles #####
+allowed_roles_map = {
+  "arn:aws:iam::123412341234:role/role-dev": [
+    "(.*)-dev$",
+    "^dev-(.*)",
+  ],
+  "arn:aws:iam::567856785678:role/role-qa": [
+    "(.*)-qa$",
+    "^qa-(.*)",
+  ],
+  "arn:aws:iam::909012349090:role/role-prod": [
+    "(.*)-prod$",
+    "^prod-(.*)",
+  ],
+}
+
+##### Rules #####
+roles_validated = validate_assumed_roles(allowed_roles_map)
+main = rule {
+  roles_validated
+}

governance/second-generation/aws/restrict-assumed-role.sentinel

@@ -21,25 +21,22 @@ find_provider_aliases = func(type) {
     # Iterate over providers of given type in module
     aliases = tfconfig.module(path).providers[type]["alias"] else {}
     for aliases as alias, data {
-        #print("alias:", alias)
-        # Change default alias ("") to "default"
-        if alias is "" {
-          #print("found default alias")
-          alias = "default"
-        }
-
-        # Get the address of the provider alias
-        if length(path) == 0 {
-          # root module
-          address =  type + "." + alias
-        } else {
-          # non-root module
-          address = "module." + strings.join(path, ".module.") + "." +
-                    type + "." + alias
-        }
-        #print("address:", address)
-
-        providers[address] = data
+      # Change default alias ("") to "default"
+      if alias is "" {
+        alias = "default"
+      }
+
+      # Get the address of the provider alias
+      if length(path) == 0 {
+        # root module
+        address =  type + "." + alias
+      } else {
+        # non-root module
+        address = "module." + strings.join(path, ".module.") + "." +
+                  type + "." + alias
+      }
+
+      providers[address] = data
 
     } // end aliases loop
   } // end module_paths loop
@@ -51,30 +48,24 @@ find_provider_aliases = func(type) {
 # Determine role_arn of a provider from its data
 determine_role_arn = func(data) {
 
+  # Return empty string if provider does not assume a role
   role_arn_value = ""
 
   # Check for role_arn in config
   if (length(data["config"]) else 0) > 0 and
      (length(data["config"]["assume_role"]) else 0) > 0 {
     config_assume_role = data["config"]["assume_role"]
-    #print ( "config_assume_role is: ", config_assume_role )
     if config_assume_role[0]["role_arn"] else null is not null {
       role_arn = config_assume_role[0]["role_arn"]
       # This would only happen for Terraform 0.11 since a reference
       # to a variable in Terraform 0.12 would end up in
       # the references value
-      #print("role_arn in config:", role_arn)
       if role_arn matches "\\$\\{var\\.(.*)\\}" {
         # role_arn of AWS provider was a Terraform 0.11 style variable
-        #print ( "role_arn is a Terraform 0.11 style variable" )
         role_arn_variable = strings.trim_suffix(strings.trim_prefix(role_arn, "${var."), "}")
-        #print ( "role_arn variable is: ", role_arn_variable )
-        #print ( "Value of role_arn is: ", tfplan.variables[role_arn_variable] )
         role_arn_value = tfplan.variables[role_arn_variable]
       } else {
         # role_arn of AWS provider was hard-coded role_arn
-        #print ( "role_arn is a hard-coded value" )
-        #print ( "Value of role_arn is: ", role_arn )
         role_arn_value = role_arn
       } // end determination of role_arn type
     } // end role_arn in config test
@@ -84,24 +75,16 @@ determine_role_arn = func(data) {
   if (length(data["references"]) else 0) > 0 and
      (length(data["references"]["assume_role"]) else 0) > 0 {
     references_assume_role = data["references"]["assume_role"]
-    #print ( "references_assume_role is: ", references_assume_role )
     if references_assume_role[0]["role_arn"] else null is not null and
        length(references_assume_role[0]["role_arn"]) > 0 {
       role_arn = references_assume_role[0]["role_arn"][0]
-      #print("role_arn in references:", role_arn)
       if role_arn matches "\\$\\{var\\.(.*)\\}" {
         # role_arn of AWS provider was a Terraform 0.11 style variable
-        #print ( "role_arn is a Terraform 0.11 style variable" )
         role_arn_variable = strings.trim_suffix(strings.trim_prefix(role_arn, "${var."), "}")
-        #print ( "role_arn variable is: ", role_arn_variable )
-        #print ( "Value of role_arn is: ", tfplan.variables[role_arn_variable] )
         role_arn_value = tfplan.variables[role_arn_variable]
       } else if role_arn matches "var\\.(.*)" {
         # role_arn of AWS provider was a Terraform 0.12 style variable
-        #print ( "role_arn is a Terraform 0.12 style variable" )
         role_arn_variable = strings.trim_prefix(role_arn, "var.")
-        #print ( "role_arn variable is: ", role_arn_variable )
-        #print ( "Value of role_arn is: ", tfplan.variables[role_arn_variable] )
         role_arn_value = tfplan.variables[role_arn_variable]
       } // end determination of role_arn type
     } // end role_arn in references test
@@ -118,12 +101,10 @@ get_assumed_roles = func() {
 
   # Get all AWS provider aliases
   aws_providers = find_provider_aliases("aws")
-  #print("aws providers:", aws_providers)
 
   # Iterate through all AWS provider aliases
   for aws_providers as alias, data {
-        #print("alias:", alias)
-        assumed_roles[alias] = determine_role_arn(data)
+    assumed_roles[alias] = determine_role_arn(data)
   } // end aws_providers
 
   return assumed_roles
@@ -136,7 +117,6 @@ validate_assumed_roles = func(allowed_roles) {
   validated = true
 
   assumed_roles = get_assumed_roles()
-  #print("assumed roles:", assumed_roles)
 
   for assumed_roles as alias, role {
     if role is not "" and role not in allowed_roles {
@@ -151,7 +131,7 @@ validate_assumed_roles = func(allowed_roles) {
 
 ###### Allowed Roles #####
 allowed_roles = [
-  "arn:aws:iam::753646501470:role/roger-terraform-assumed-role",
+  "arn:aws:iam::123412341234:role/terraform-assumed-role",
 ]
 
 ##### Rules #####

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-bad-role-0.11.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-bad-role-0.11.sentinel",
+    "tfplan": "mock-tfplan-fail-bad-role-0.11.sentinel",
+    "tfrun": "mock-tfrun-dev.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-bad-role-0.12.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-bad-role-0.12.sentinel",
+    "tfplan": "mock-tfplan-fail-bad-role-0.12.sentinel",
+    "tfrun": "mock-tfrun-dev.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-dev-0.11.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-dev-0.11.sentinel",
+    "tfplan": "mock-tfplan-fail-dev-0.11.sentinel",
+    "tfrun": "mock-tfrun-dev.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-dev-0.12.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-dev-0.12.sentinel",
+    "tfplan": "mock-tfplan-fail-dev-0.12.sentinel",
+    "tfrun": "mock-tfrun-dev.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-prod-0.11.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-prod-0.11.sentinel",
+    "tfplan": "mock-tfplan-fail-prod-0.11.sentinel",
+    "tfrun": "mock-tfrun-prod.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-prod-0.12.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-prod-0.12.sentinel",
+    "tfplan": "mock-tfplan-fail-prod-0.12.sentinel",
+    "tfrun": "mock-tfrun-prod.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-qa-0.11.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-qa-0.11.sentinel",
+    "tfplan": "mock-tfplan-fail-qa-0.11.sentinel",
+    "tfrun": "mock-tfrun-qa.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/aws/test/restrict-assumed-role-by-workspace/fail-qa-0.12.json

@@ -0,0 +1,10 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-qa-0.12.sentinel",
+    "tfplan": "mock-tfplan-fail-qa-0.12.sentinel",
+    "tfrun": "mock-tfrun-qa.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}