blacklist providers and datasources

Author: rberlind

governance/second-generation/cloud-agnostic/blacklist-datasources.sentinel

@@ -0,0 +1,69 @@
+# This policy prevents the use of blacklisted datasources
+# using the tfconfig import
+
+##### Imports #####
+import "tfconfig"
+import "strings"
+
+##### Functions #####
+
+# Find all datasources of specific type from all modules
+# using the tfconfig import
+find_datasources_from_config = func(type) {
+
+  datasources = {}
+
+  # Iterate over all modules in the tfconfig import
+  for tfconfig.module_paths as path {
+    # Iterate over the named datasources of desired type in the module
+    for tfconfig.module(path).data[type] else {} as name, d {
+
+      # Get the address of the datasource
+      if length(path) == 0 {
+        # root module
+        address = type + "." + name
+      } else {
+        # non-root module
+        address = "module." + strings.join(path, ".module.") + "." +
+                  type + "." + name
+      }
+
+      # Add the datasource to datasources map, setting the key to the address
+      datasources[address] = d
+    }
+  }
+
+  return datasources
+}
+
+
+# Validate that blacklisted datasources are not present
+validate_datasources = func(blacklist) {
+  valid = true
+
+  for blacklist as type {
+    found_datasources = find_datasources_from_config(type)
+
+    for found_datasources as address, d {
+      print("Blacklisted datasource", address, "was found")
+      valid = false
+    }
+  }
+  return valid
+}
+
+##### Lists #####
+
+# List of blacklisted datasources
+blacklist = [
+  "external",
+  "http",
+]
+
+##### Rules #####
+
+# Main rule
+datasources_validated = validate_datasources(blacklist)
+main = rule {
+  datasources_validated
+}

governance/second-generation/cloud-agnostic/blacklist-providers.sentinel

@@ -0,0 +1,51 @@
+# This policy uses the tfconfig import to blacklist specified providers
+# across all modules
+
+##### Imports #####
+import "tfconfig"
+import "strings"
+
+##### Functions #####
+
+# Prevent providers in non-root modules
+validate_providers = func(blacklist) {
+
+  validated = true
+
+  # Iterate over all modules in the tfconfig import
+  for tfconfig.module_paths as path {
+    providers = tfconfig.module(path).providers
+    # Iterate over providers of the module
+    for providers as provider {
+      if provider in blacklist {
+        if length(path) is 0 {
+          print("The root module has provider", provider,
+                "from the blacklist:", blacklist )
+        } else {
+          print("The module module." + strings.join(path, ".module."),
+                "has provider", provider, "from the blacklist:", blacklist )
+        }
+
+        validated = false
+      } // end provider check
+    } // end providers loop
+  } // end module loop
+
+  return validated
+}
+
+##### Lists #####
+
+# List of blacklisted providers
+blacklist = [
+  "external",
+  "http",
+]
+
+##### Rules #####
+
+# Main rule
+providers_validated = validate_providers(blacklist)
+main = rule {
+  providers_validated
+}

governance/second-generation/cloud-agnostic/test/blacklist-datasources/fail-0.11.json

@@ -0,0 +1,8 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-0.11.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/cloud-agnostic/test/blacklist-datasources/fail-0.12.json

@@ -0,0 +1,8 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-0.12.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/cloud-agnostic/test/blacklist-datasources/mock-tfconfig-fail-0.11.sentinel

@@ -0,0 +1,95 @@
+import "strings"
+import "types"
+
+_modules = {
+	"root": {
+		"data": {
+			"external": {
+				"example": {
+					"config": {
+						"program": [
+							"./datasource-example.sh",
+						],
+					},
+					"provisioners": null,
+				},
+			},
+			"http": {
+				"example": {
+					"config": {
+						"url": "https://checkpoint-api.hashicorp.com/v1/check/terraform",
+					},
+					"provisioners": null,
+				},
+			},
+		},
+		"modules":   {},
+		"outputs":   {},
+		"providers": {},
+		"resources": {},
+		"variables": {},
+	},
+
+	"module.first": {
+		"data": {
+			"external": {
+				"example": {
+					"config": {
+						"program": [
+							"./datasource-example.sh",
+						],
+					},
+					"provisioners": null,
+				},
+			},
+		},
+		"modules": {},
+		"outputs": {},
+		"providers": {
+			"external": {
+				"alias": {
+					"": {
+						"config": {},
+						"version": "",
+					},
+				},
+				"config": {},
+				"version": "",
+			},
+		},
+		"resources": {},
+		"variables": {},
+	},
+}
+
+module_paths = [
+	[],
+	[
+		"first",
+	],
+]
+
+module = func(path) {
+	if types.type_of(path) is not "list" {
+		error("expected list, got", types.type_of(path))
+	}
+
+	if length(path) < 1 {
+		return _modules.root
+	}
+
+	addr = []
+	for path as p {
+		append(addr, "module")
+		append(addr, p)
+	}
+
+	return _modules[strings.join(addr, ".")]
+}
+
+data = _modules.root.data
+modules = _modules.root.modules
+providers = _modules.root.providers
+resources = _modules.root.resources
+variables = _modules.root.variables
+outputs = _modules.root.outputs

governance/second-generation/cloud-agnostic/test/blacklist-datasources/mock-tfconfig-fail-0.12.sentinel

@@ -0,0 +1,131 @@
+import "strings"
+import "types"
+
+_modules = {
+	"root": {
+		"data": {
+			"external": {
+				"example": {
+					"config": {
+						"program": [
+							"./datasource-example.sh",
+						],
+					},
+					"provisioners": null,
+					"references": {
+						"program": [],
+					},
+				},
+			},
+			"http": {
+				"example": {
+					"config": {
+						"url": "https://checkpoint-api.hashicorp.com/v1/check/terraform",
+					},
+					"provisioners": null,
+					"references": {
+						"url": [],
+					},
+				},
+			},
+		},
+		"modules": {},
+		"outputs": {},
+		"providers": {
+			"external": {
+				"alias": {
+					"": {
+						"config":     {},
+						"references": {},
+						"version":    "",
+					},
+				},
+				"config":     {},
+				"references": {},
+				"version":    "",
+			},
+			"http": {
+				"alias": {
+					"": {
+						"config":     {},
+						"references": {},
+						"version":    "",
+					},
+				},
+				"config":     {},
+				"references": {},
+				"version":    "",
+			},
+		},
+		"resources": {},
+		"variables": {},
+	},
+
+	"module.first": {
+		"data": {
+			"external": {
+				"example": {
+					"config": {
+						"program": [
+							"./datasource-example.sh",
+						],
+					},
+					"provisioners": null,
+					"references": {
+						"program": [],
+					},
+				},
+			},
+		},
+		"modules": {},
+		"outputs": {},
+		"providers": {
+			"external": {
+				"alias": {
+					"": {
+						"config": {},
+						"references": {},
+						"version": "",
+					},
+				},
+				"config": {},
+				"references": {},
+				"version": "",
+			},
+		},
+		"resources": {},
+		"variables": {},
+	},
+}
+
+module_paths = [
+	[],
+	[
+		"first",
+	],
+]
+
+module = func(path) {
+	if types.type_of(path) is not "list" {
+		error("expected list, got", types.type_of(path))
+	}
+
+	if length(path) < 1 {
+		return _modules.root
+	}
+
+	addr = []
+	for path as p {
+		append(addr, "module")
+		append(addr, p)
+	}
+
+	return _modules[strings.join(addr, ".")]
+}
+
+data = _modules.root.data
+modules = _modules.root.modules
+providers = _modules.root.providers
+resources = _modules.root.resources
+variables = _modules.root.variables
+outputs = _modules.root.outputs