Merge pull request hashicorp#68 from hashicorp/more-sentinel-policies

added some policies and updated README.md files

Author: rberlind

governance/README.md

@@ -1,2 +1,2 @@
 # Governance with Terraform Sentinel Policies
-The files under this directory provide some sample Sentinel policies for several clouds including AWS, Microsoft Azure, and Google Cloud Platform (GCP), as well as some for VMware. Sentinel gives operations teams the governance capabilities they need to ensure that all infrastructure provisioned with Terraform Enterprise complies with their organization's provisioning rules.
+Sentinel gives operations teams the governance capabilities they need to ensure that all infrastructure provisioned with Terraform Enterprise complies with their organization's provisioning rules. The files under this directory provide some sample Sentinel policies for several clouds including AWS, Microsoft Azure, Google Cloud Platform (GCP), and VMware. The external directory also includes an example of an external data source and a Sentinel policy which checks the result of that data source.

governance/aws/README.md

@@ -1,2 +1,2 @@
 # Sentinel Policies for AWS
-The sample Sentinel policy files in this directory can be used with Terraform Enterprise to ensure that provisioned AWS VPCs and EC2 instances comply with your organization's provisioning rules.
+The sample Sentinel policy files in this directory can be used with Terraform Enterprise to ensure that provisioned AWS VPCs, EC2 instances, S3 buckets, Lambda functions, and other resources comply with your organization's provisioning rules. There are also policies that restrict AMI owner IDs and the region or availability zones into which resources can be provisioned.

governance/aws/require-private-acl-and-kms-for-s3-buckets.sentinel

@@ -0,0 +1,42 @@
+import "tfplan"
+
+# Get all S3 buckets from all modules
+get_s3_buckets = func() {
+    buckets = []
+    for tfplan.module_paths as path {
+        buckets += values(tfplan.module(path).resources.aws_s3_bucket) else []
+    }
+    return buckets
+}
+
+s3_buckets = get_s3_buckets()
+
+# Allowed S3 ACLs
+# Don't allow public-read-write
+allowed_acls = [
+  "private",
+]
+
+# Rule to restrict S3 bucket ACLs
+acl_allowed = rule {
+    all s3_buckets as _, instances {
+      all instances as index, r {
+  	   r.applied.acl in allowed_acls
+      }
+    }
+}
+
+# Rule to require server-side encryption
+require_encryption = rule {
+    all s3_buckets as _, instances {
+      all instances as index, r {
+        (length(r.applied.server_side_encryption_configuration) > 0 and r.applied.server_side_encryption_configuration[0]["rule"][0].apply_server_side_encryption_by_default[0].sse_algorithm is "aws:kms") else false
+      }
+   }
+}
+
+# Main rule that requires other rules to be true
+main = rule {
+  (acl_allowed and require_encryption) else true
+}
+

governance/aws/require-vpc-and-kms-for-lambda-functions.sentinel

@@ -0,0 +1,38 @@
+import "tfplan"
+
+# Get all Lambda functions from all modules
+get_lambda_functions = func() {
+    lambdas = []
+    for tfplan.module_paths as path {
+        lambdas += values(tfplan.module(path).resources.aws_lambda_function) else []
+    }
+    return lambdas
+}
+
+lambda_functions = get_lambda_functions()
+
+# Rule to require KMS key
+require_kms_key = rule {
+    all lambda_functions as _, instances {
+      all instances as index, r {
+  	   (r.applied.kms_key_arn is not "") else false
+      }
+    }
+}
+
+# Rule to require VPC
+require_vpc = rule {
+    all lambda_functions as _, instances {
+      all instances as index, r {
+        (length(r.applied.vpc_config) > 0 and
+         length(r.applied.vpc_config[0].security_group_ids) > 0 and
+         length(r.applied.vpc_config[0].subnet_ids) > 0) else false
+      }
+   }
+}
+
+# Main rule that requires other rules to be true
+main = rule {
+  (require_kms_key and require_vpc) else true
+}
+

governance/azure/README.md

@@ -1,2 +1,4 @@
 # Sentinel Policies for Azure
 The sample Sentinel policy files in this directory can be used with Terraform Enterprise to ensure that provisioned Azure security groups, VMs, and ACS clusters comply with your organization's provisioning rules.
+
+The restrict-current-azure-vms.sentinel policy is interesting because it actually checks VMs that have already been provisioned using the tfstate import and because it only prints the VMs that are not from an allowed publisher. It achieves the latter by using double negation (two nots) and "any" instead of "all".  (For those familiar with logic, we are using one of De Morgan's laws: `not(P or Q) <-> (not P) and (not Q)`.)

governance/azure/restrict-current-azure-vms.sentinel

@@ -0,0 +1,38 @@
+import "tfstate"
+
+# Get VMs that already exist in the state of this workspace
+get_vms = func() {
+    vms = []
+    for tfstate.module_paths as path {
+        vms += values(tfstate.module(path).resources.azurerm_virtual_machine) else []
+    }
+    return vms
+}
+
+# List of allowed publishers
+allowed_publishers = [
+  "RedHat",
+  "Canonical",
+]
+
+vms = get_vms()
+
+# This rule uses a double negative expression (two nots) so that
+# only VMs that are NOT in the list of approved publishers
+# will be printed.
+# If we had used all instead of any and left out the nots,
+# only the valid VMs would have been printed.
+# Or, if we had done that and put the print() statement before
+# testing the VM's publisher, all VMs would have been printed.
+vm_publisher_allowed = rule {
+  not (
+    any vms as _, instances {
+      any instances as index, r {
+         (r.attr.storage_image_reference[0].publisher not in allowed_publishers) and print("Existing VM publisher ", r.attr.storage_image_reference[0].publisher, "for VM ", r.attr.name, "is invalid")
+      }
+    })
+}
+
+main = rule {
+  (vm_publisher_allowed) else true
+}

governance/external/README.md

@@ -0,0 +1,3 @@
+This repository contains an example of using a data source that calls a function together with a Sentinel policy that checks the result returned by the function call. While the example here just trivially runs a shell script that returns different values based on the account number passed to it by the Terraform code, a customer could actually call an external API to capture real data and then have Sentinel check the result.
+
+There is a commented out line, `#(length(check_account_balance) > 0) and`, which if uncommented would require the check_balance data source to be present in every single workspace in the current organization. Enable this with caution since any workspace that did not have this data source would cause hard-mandatory failure of this policy.

governance/external/check_account.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+
+#set -e
+
+CODE=$1
+
+case $CODE in
+     1)
+        BALANCE=100
+        ;;
+     2)
+        BALANCE=0
+        ;;
+     *)
+        BALANCE=0
+        ;;
+esac
+
+echo "{ \"balance\": \"$BALANCE\" }"

governance/external/check_account.tf

@@ -0,0 +1,25 @@
+terraform {
+  required_version = ">= 0.11.7"
+}
+
+variable "account_code" {
+   description = "code of cloud account: can be 1 or 2"
+}
+
+
+# Add fake resource to make sure that TFE runs this each time
+resource "null_resource" "fake" {
+   triggers {
+      uuid = "${uuid()}"
+   }
+}
+
+data "external" "check_balance" {
+  program = ["./check_account.sh", "${var.account_code}"]
+}
+
+output "balance" {
+  value = "${data.external.check_balance.result["balance"]}"
+}
+
+

governance/external/check_account_balance.sentinel

@@ -0,0 +1,19 @@
+import "tfplan"
+
+# Get instances of  from root module
+check_account_balance = tfplan.state.data.external.check_balance
+
+# Rule to validate that account has balance > 50
+balance_test = rule {
+  # If you wanted every single workspace to include the check_balance
+  # data source, you could uncomment the following line.  Use caution!
+  #(length(check_account_balance) > 0) and
+  all check_account_balance as _, r {
+      print( r.attr.result.balance ) and (int(r.attr.result.balance) else 0) > 50
+  }
+}
+
+# Main rule that requires other rules to be true
+main = rule {
+  (balance_test) else true
+}