add sec group egress policies

Author: rberlind

governance/third-generation/aws/restrict-egress-sg-rule-cidr-blocks.sentinel

@@ -0,0 +1,59 @@
+# This policy uses the Sentinel tfplan/v2 import to validate that no security group
+# rules have the CIDR "0.0.0.0/0" for egress rules.  It covers both the
+# aws_security_group and the aws_security_group_rule resources which can both
+# define rules.
+
+# Import the tfplan/v2 import, but use the alias "tfplan"
+import "tfplan/v2" as tfplan
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Forbidden CIDRs
+# Include "null" to forbid missing or computed values
+forbidden_cidrs = ["0.0.0.0/0"]
+
+# Get all Security Group Egress Rules
+SGEgressRules = filter tfplan.resource_changes as address, rc {
+  rc.type is "aws_security_group_rule" and
+  rc.mode is "managed" and rc.change.after.type is "egress" and
+  (rc.change.actions contains "create" or rc.change.actions contains "update" or
+   rc.change.actions contains "read" or rc.change.actions contains "no-op")
+}
+
+# Filter to Egress Security Group Rules with violations
+# Warnings will be printed for all violations since the last parameter is true
+violatingSGRules = plan.filter_attribute_contains_items_from_list(SGEgressRules,
+                  "cidr_blocks",forbidden_cidrs, true)
+
+# Get all Security Groups
+allSGs = plan.find_resources("aws_security_group")
+
+# Validate Security Groups
+violatingSGsCount = 0
+for allSGs as address, sg {
+
+  # Find the egress rules of the current SG
+  egressRules = plan.find_blocks(sg, "egress")
+
+  # Filter to violating CIDR blocks
+  # Warnings will not be printed for violations since the last parameter is false
+  violatingERs = plan.filter_attribute_contains_items_from_list(egressRules,
+                 "cidr_blocks", forbidden_cidrs, false)
+
+  # Print violation messages
+  if length(violatingERs["messages"]) > 0 {
+    violatingSGsCount += 1
+    print("SG Egress Violation:", address, "has at least one egress rule",
+          "with forbidden cidr blocks")
+    plan.print_violations(violatingERs["messages"], "Egress Rule")
+  }  // end if
+
+} // end for SGs
+
+# Main rule
+validated = length(violatingSGRules["messages"]) is 0 and violatingSGsCount is 0
+main = rule {
+  validated is true
+}

governance/third-generation/aws/restrict-ingress-sg-rule-cidr-blocks.sentinel

@@ -1,6 +1,7 @@
 # This policy uses the Sentinel tfplan/v2 import to validate that no security group
-# rules have the CIDR "0.0.0.0/0".  It covers both the aws_security_group and
-# the aws_security_group_rule resources which can both define rules.
+# rules have the CIDR "0.0.0.0/0" for ingress rules.  It covers both the
+# aws_security_group and the aws_security_group_rule resources which can both
+# define rules.
 
 # Import the tfplan/v2 import, but use the alias "tfplan"
 import "tfplan/v2" as tfplan

governance/third-generation/gcp/test/restrict-firewall-source-ranges/fail.json renamed to governance/third-generation/aws/test/restrict-egress-sg-rule-cidr-blocks/fail.json

@@ -0,0 +1,259 @@
+terraform_version = "0.12.24"
+
+variables = {}
+
+resource_changes = {
+	"aws_security_group.allow_tls": {
+		"address": "aws_security_group.allow_tls",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"description": "Allow TLS inbound traffic",
+				"egress": [
+					{
+						"cidr_blocks": [
+							"0.0.0.0/0",
+						],
+						"description":      "",
+						"from_port":        444,
+						"ipv6_cidr_blocks": [],
+						"prefix_list_ids":  [],
+						"protocol":         "tcp",
+						"security_groups":  [],
+						"self":             false,
+						"to_port":          444,
+					},
+					{
+						"cidr_blocks":      [],
+						"description":      "",
+						"from_port":        443,
+						"ipv6_cidr_blocks": [],
+						"prefix_list_ids":  [],
+						"protocol":         "tcp",
+						"security_groups":  [],
+						"self":             true,
+						"to_port":          443,
+					},
+				],
+				"name":                   "allow_tls",
+				"name_prefix":            null,
+				"revoke_rules_on_delete": false,
+				"tags": {
+					"Name": "allow_all",
+				},
+				"timeouts": null,
+			},
+			"after_unknown": {
+				"arn":    true,
+				"ingress": true,
+				"id":     true,
+				"egress": [
+					{
+						"cidr_blocks": [
+							false,
+						],
+						"ipv6_cidr_blocks": [],
+						"prefix_list_ids":  [],
+						"security_groups":  [],
+					},
+					{
+						"cidr_blocks":      [],
+						"ipv6_cidr_blocks": [],
+						"prefix_list_ids":  [],
+						"security_groups":  [],
+					},
+				],
+				"owner_id": true,
+				"tags":     {},
+				"vpc_id":   true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "allow_tls",
+		"provider_name":  "aws",
+		"type":           "aws_security_group",
+	},
+	"aws_security_group_rule.allow_all[0]": {
+		"address": "aws_security_group_rule.allow_all[0]",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"cidr_blocks":       null,
+				"description":       null,
+				"from_port":         0,
+				"ipv6_cidr_blocks":  null,
+				"prefix_list_ids":   null,
+				"protocol":          "tcp",
+				"security_group_id": "sg-008b502d0a24d0136",
+				"self":              true,
+				"to_port":           65535,
+				"type":              "egress",
+			},
+			"after_unknown": {
+				"id": true,
+				"source_security_group_id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          0,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "allow_all",
+		"provider_name":  "aws",
+		"type":           "aws_security_group_rule",
+	},
+	"aws_security_group_rule.allow_all[1]": {
+		"address": "aws_security_group_rule.allow_all[1]",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"cidr_blocks":       null,
+				"description":       null,
+				"from_port":         0,
+				"ipv6_cidr_blocks":  null,
+				"prefix_list_ids":   null,
+				"protocol":          "tcp",
+				"security_group_id": "sg-008b502d0a24d0136",
+				"self":              true,
+				"to_port":           65535,
+				"type":              "egress",
+			},
+			"after_unknown": {
+				"id": true,
+				"source_security_group_id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          1,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "allow_all",
+		"provider_name":  "aws",
+		"type":           "aws_security_group_rule",
+	},
+	"aws_security_group_rule.allow_ssh": {
+		"address": "aws_security_group_rule.allow_ssh",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"cidr_blocks": [
+					"0.0.0.0/0",
+				],
+				"description":       null,
+				"from_port":         22,
+				"ipv6_cidr_blocks":  null,
+				"prefix_list_ids":   null,
+				"protocol":          "tcp",
+				"security_group_id": "sg-008b502d0a24d0136",
+				"self":              false,
+				"to_port":           22,
+				"type":              "egress",
+			},
+			"after_unknown": {
+				"cidr_blocks": [
+					false,
+				],
+				"id": true,
+				"source_security_group_id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "allow_ssh",
+		"provider_name":  "aws",
+		"type":           "aws_security_group_rule",
+	},
+	"module.more-sgrs.aws_security_group_rule.https": {
+		"address": "module.more-sgrs.aws_security_group_rule.https",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"cidr_blocks": [
+					"0.0.0.0/0",
+				],
+				"description":       null,
+				"from_port":         443,
+				"ipv6_cidr_blocks":  null,
+				"prefix_list_ids":   null,
+				"protocol":          "tcp",
+				"security_group_id": "sg-008b502d0a24d0136",
+				"self":              false,
+				"to_port":           443,
+				"type":              "egress",
+			},
+			"after_unknown": {
+				"cidr_blocks": [
+					false,
+				],
+				"id": true,
+				"source_security_group_id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "module.more-sgrs",
+		"name":           "https",
+		"provider_name":  "aws",
+		"type":           "aws_security_group_rule",
+	},
+	"module.more-sgrs.module.even-more-sgrs.aws_security_group_rule.http": {
+		"address": "module.more-sgrs.module.even-more-sgrs.aws_security_group_rule.http",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"cidr_blocks": [
+					"0.0.0.0/0",
+				],
+				"description":       null,
+				"from_port":         80,
+				"ipv6_cidr_blocks":  null,
+				"prefix_list_ids":   null,
+				"protocol":          "tcp",
+				"security_group_id": "sg-008b502d0a24d0136",
+				"self":              false,
+				"to_port":           80,
+				"type":              "egress",
+			},
+			"after_unknown": {
+				"cidr_blocks": [
+					false,
+				],
+				"id": true,
+				"source_security_group_id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "module.more-sgrs.module.even-more-sgrs",
+		"name":           "http",
+		"provider_name":  "aws",
+		"type":           "aws_security_group_rule",
+	},
+}
+
+output_changes = {}