enhance provider policies

Author: rberlind

governance/third-generation/cloud-agnostic/allowed-providers.sentinel

@@ -1,10 +1,19 @@
 # This policy uses the tfconfig/v2 import to restrict providers to those
 # in an allowed list.
 
+# It used to only use the providers collection of the tfconfig/v2 import, but
+# that did not process resources and data sources from allowed providers
+# when no provider block was included in the Terraform configuration. So, it now
+# also explicitly allows resources and data sources from allowed providers using
+# the resources collection of the tfconfig/v2 import.
+
 # Import common-functions/tfconfig-functions/tfconfig-functions.sentinel
 # with alias "config"
 import "tfconfig-functions" as config
 
+# Standard strings import
+import "strings"
+
 # List of allowed providers
 allowed_list = ["aws", "local", "null", "random", "terraform", "tfe"]
 
@@ -17,9 +26,55 @@ violatingProviders = config.filter_attribute_not_in_list(allProviders,
                      "name", allowed_list, false)
 
 # Print any violations
-config.print_violations(violatingProviders["messages"], "Provider")
+prohibitedProvidersCount = length(violatingProviders["messages"])
+if prohibitedProvidersCount > 0 {
+  config.print_violations(violatingProviders["messages"], "Provider")
+}
+
+# Initialize resource and data source counts
+prohibitedResourcesCount = 0
+prohibitedDataSourcesCount = 0
+
+# Find all resources
+allResources = config.find_all_resources()
+
+# Filter to disallowed resources
+prohibitedResources = filter allResources as address, r {
+  strings.split(r.type, "_")[0] not in allowed_list
+}
+
+# Print violations and increment counts for resources
+if length(prohibitedResources) > 0 {
+  print("Resources from providers are not allowed unless they are in", allowed_list)
+  prohibitedResourcesCount += length(prohibitedResources)
+  for prohibitedResources as address, r {
+    print("Resource", address, "from provider", strings.split(r.type, "_")[0],
+          "is not allowed.")
+  } // end for prohibitedResources
+} // end if
+
+
+# Find all data sources
+allDataSources = config.find_all_datasources()
+
+# Filter to disallowed data sources
+prohibitedDataSources = filter allDataSources as address, r {
+  strings.split(r.type, "_")[0] not in allowed_list
+}
+
+# Print violations and increment counts for data sources
+if length(prohibitedDataSources) > 0 {
+  print("Data sources from providers are not allowed unless they are in", allowed_list)
+  prohibitedDataSourcesCount += length(prohibitedDataSources)
+  for prohibitedDataSources as address, r {
+    print("Data source", address, "from provider", strings.split(r.type, "_")[0],
+          "is not allowed.")
+  } // end for prohibitedDataSources
+} // end if
 
 # Main rule
+violations = prohibitedProvidersCount + prohibitedResourcesCount +
+             prohibitedDataSourcesCount
 main = rule {
- length(violatingProviders["messages"]) is 0
+  violations is 0
 }

governance/third-generation/cloud-agnostic/prohibited-providers.sentinel

@@ -1,14 +1,20 @@
 # This policy uses the tfconfig/v2 import to prohibit providers
 # from a prohibited list
 
+# It used to only use the providers collection of the tfconfig/v2 import, but
+# that did not block use of resources and data sources from prohibited providers
+# when no provider block was included in the Terraform configuration. So, it now
+# also blocks resources and data sources from prohibited providers using the
+# resources collection of the tfconfig/v2 import.
+
 # Import common-functions/tfconfig-functions/tfconfig-functions.sentinel
 # with alias "config"
 import "tfconfig-functions" as config
 
 # List of prohibited providers
-prohibited_list = ["external", "http"]
+prohibited_list = ["external", "http", "null"]
 
-# Get all providers
+# Get all providers from providers collection
 allProviders = config.find_all_providers()
 
 # Filter to providers with violations
@@ -17,9 +23,44 @@ violatingProviders = config.filter_attribute_in_list(allProviders,
                      "name", prohibited_list, false)
 
 # Print any violations
-config.print_violations(violatingProviders["messages"], "Provider")
+prohibitedProvidersCount = length(violatingProviders["messages"])
+if prohibitedProvidersCount > 0 {
+  config.print_violations(violatingProviders["messages"], "Provider")
+}
+
+# Initialize resource and data source counts
+prohibitedResourcesCount = 0
+prohibitedDataSourcesCount = 0
+
+# Iterate over prohibited providers to find resources and data sources
+for prohibited_list as p {
+
+  # Process resources for current provider
+  prohibitedResources = config.find_resources_by_provider(p)
+  if length(prohibitedResources) > 0 {
+    print("Resources from provider", p, "are not allowed.")
+    prohibitedResourcesCount += length(prohibitedResources)
+    for prohibitedResources as address, r {
+      print("Resource", address, "from provider", p, "is not allowed.")
+    } // end for prohibitedResources
+  } // end if
+
+  # Process data sources for current provider
+
+  prohibitedDataSources = config.find_datasources_by_provider(p)
+  if length(prohibitedDataSources) > 0 {
+    print("Data sources from provider", p, "are not allowed.")
+    prohibitedDataSourcesCount += length(prohibitedDataSources)
+    for prohibitedDataSources as address, r {
+      print("Data source", address, "from provider", p, "is not allowed.")
+    } // end for prohibitedDataSources
+  } // end if
+
+} // end for providers
 
 # Main rule
+violations = prohibitedProvidersCount + prohibitedResourcesCount +
+             prohibitedDataSourcesCount
 main = rule {
- length(violatingProviders["messages"]) is 0
+  violations is 0
 }

governance/third-generation/cloud-agnostic/test/allowed-providers/fail.hcl renamed to governance/third-generation/cloud-agnostic/test/allowed-providers/fail-with-provider-blocks.hcl

@@ -4,7 +4,7 @@ module "tfconfig-functions" {
 
 mock "tfconfig/v2" {
   module {
-    source = "mock-tfconfig-fail.sentinel"
+    source = "mock-tfconfig-fail-with-provider-blocks.sentinel"
   }
 }
 

governance/third-generation/cloud-agnostic/test/allowed-providers/fail-without-provider-blocks.hcl

@@ -0,0 +1,15 @@
+module "tfconfig-functions" {
+  source = "../../../common-functions/tfconfig-functions/tfconfig-functions.sentinel"
+}
+
+mock "tfconfig/v2" {
+  module {
+    source = "mock-tfconfig-fail-without-provider-blocks.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/cloud-agnostic/test/allowed-providers/mock-tfconfig-fail.sentinel renamed to governance/third-generation/cloud-agnostic/test/allowed-providers/mock-tfconfig-fail-with-provider-blocks.sentinel

@@ -0,0 +1,84 @@
+import "strings"
+
+providers = {}
+
+resources = {
+	"google_compute_instance.demo": {
+		"address": "google_compute_instance.demo",
+		"config": {
+			"boot_disk": {
+				"constant_value": null,
+			},
+			"machine_type": {
+				"references": [
+					"var.machine_type",
+				],
+			},
+			"name": {
+				"references": [
+					"var.instance_name",
+				],
+			},
+			"network_interface": {
+				"constant_value": null,
+			},
+			"zone": {
+				"references": [
+					"var.gcp_zone",
+				],
+			},
+		},
+		"count":               {},
+		"depends_on":          [],
+		"for_each":            {},
+		"mode":                "managed",
+		"module_address":      "",
+		"name":                "demo",
+		"provider_config_key": "google",
+		"provisioners":        [],
+		"type":                "google_compute_instance",
+	},
+	"data.external.example": {
+		"address": "data.external.example",
+		"config": {
+			"program": {
+				"references": [
+					"random_id.random",
+				],
+			},
+		},
+		"count":               {},
+		"depends_on":          [],
+		"for_each":            {},
+		"mode":                "data",
+		"module_address":      "",
+		"name":                "example",
+		"provider_config_key": "external",
+		"provisioners":        [],
+		"type":                "external",
+	},
+}
+
+provisioners = {}
+
+variables = {
+	"aws_region": {
+		"default":        "us-east-1",
+		"description":    "AWS region",
+		"module_address": "",
+		"name":           "aws_region",
+	},
+}
+
+outputs = {}
+
+module_calls = {}
+
+strip_index = func(addr) {
+	s = strings.split(addr, ".")
+	for s as i, v {
+		s[i] = strings.split(v, "[")[0]
+	}
+
+	return strings.join(s, ".")
+}

governance/third-generation/cloud-agnostic/test/allowed-providers/mock-tfconfig-fail-without-provider-blocks.sentinel

@@ -0,0 +1,101 @@
+import "strings"
+
+providers = {}
+
+resources = {
+	"aws_instance.web": {
+		"address": "aws_instance.web",
+		"config": {
+			"ami": {
+				"references": [
+					"data.aws_ami.ubuntu",
+				],
+			},
+			"instance_type": {
+				"constant_value": "t2.medium",
+			},
+			"tags": {
+				"constant_value": {
+					"Name": "HelloWorld",
+				},
+			},
+		},
+		"count":               {},
+		"depends_on":          [],
+		"for_each":            {},
+		"mode":                "managed",
+		"module_address":      "",
+		"name":                "web",
+		"provider_config_key": "aws",
+		"provisioners":        [],
+		"type":                "aws_instance",
+	},
+	"data.aws_ami.ubuntu": {
+		"address": "data.aws_ami.ubuntu",
+		"config": {
+			"filter": [
+				{
+					"name": {
+						"constant_value": "name",
+					},
+					"values": {
+						"constant_value": [
+							"ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-*",
+						],
+					},
+				},
+				{
+					"name": {
+						"constant_value": "virtualization-type",
+					},
+					"values": {
+						"constant_value": [
+							"hvm",
+						],
+					},
+				},
+			],
+			"most_recent": {
+				"constant_value": true,
+			},
+			"owners": {
+				"references": [
+					"var.owners",
+				],
+			},
+		},
+		"count":               {},
+		"depends_on":          [],
+		"for_each":            {},
+		"mode":                "data",
+		"module_address":      "",
+		"name":                "ubuntu",
+		"provider_config_key": "aws",
+		"provisioners":        [],
+		"type":                "aws_ami",
+	},
+}
+
+provisioners = {}
+
+variables = {
+	"aws_region": {
+		"default":        "us-east-1",
+		"description":    "AWS region",
+		"module_address": "",
+		"name":           "aws_region",
+	},
+}
+
+outputs = {}
+
+module_calls = {}
+
+strip_index = func(addr) {
+	s = strings.split(addr, ".")
+	for s as i, v {
+		s[i] = strings.split(v, "[")[0]
+	}
+
+	return strings.join(s, ".")
+}

governance/third-generation/cloud-agnostic/test/allowed-providers/mock-tfconfig-pass.sentinel renamed to governance/third-generation/cloud-agnostic/test/allowed-providers/mock-tfconfig-pass-with-provider-blocks.sentinel

@@ -4,7 +4,7 @@ module "tfconfig-functions" {
 
 mock "tfconfig/v2" {
   module {
-    source = "mock-tfconfig-pass.sentinel"
+    source = "mock-tfconfig-pass-with-provider-blocks.sentinel"
   }
 }
 

governance/third-generation/cloud-agnostic/test/allowed-providers/mock-tfconfig-pass-without-provider-blocks.sentinel

@@ -0,0 +1,15 @@
+module "tfconfig-functions" {
+  source = "../../../common-functions/tfconfig-functions/tfconfig-functions.sentinel"
+}
+
+mock "tfconfig/v2" {
+  module {
+    source = "mock-tfconfig-pass-without-provider-blocks.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = true
+  }
+}

governance/third-generation/cloud-agnostic/test/allowed-providers/pass.hcl renamed to governance/third-generation/cloud-agnostic/test/allowed-providers/pass-with-provider-blocks.hcl

@@ -4,7 +4,7 @@ module "tfconfig-functions" {
 
 mock "tfconfig/v2" {
   module {
-    source = "mock-tfconfig-fail.sentinel"
+    source = "mock-tfconfig-fail-with-provider-blocks.sentinel"
   }
 }