improve restrict-remote-state policy

Author: rberlind

governance/third-generation/cloud-agnostic/restrict-remote-state.sentinel

@@ -1,7 +1,7 @@
-# This policy uses the Sentinel tfstate import to restrict the
+# This policy uses the Sentinel tfstate and tfrun imports to restrict the
 # workspaces from which remote state can be retrieved using the
 # terraform_remote_state data source. It provides a map between
-# substrings of names of workspaces that want to read remote state
+# prefixes and suffixes of names of workspaces that want to read remote state
 # and specific workspaces from which they can read it.
 
 
@@ -12,41 +12,44 @@ import "tfstate-functions" as state
 # Use standard tfrun import
 import "tfrun"
 
-# workspace mapping
-# We use "invalid-workspace-name" to represent workspaces with names that do not
-# match any of the allowed workspace naming patterns. These workspace names are
-# allowed, but the workspaces with these names are not allowed to access remote
-# state.
+# Mapping between environments and lists of workspaces from which remote state
+# can be retrieved. The keys should be strings which will be the prefixes or
+# suffixes of workspace names.
+# Be sure to include the key "invalid" to represent workspaces with names that
+# do not match any of the allowed workspace naming patterns and to set its value
+# to the empty list, []. These workspace names are allowed, but the workspaces
+# with these names are not allowed to access remote state.
 param allowed_workspaces default {
   "dev": ["vpc-dev", "s3-dev", "sec-group-dev"],
   "qa": ["vpc-qa", "s3-qa", "sec-group-qa"],
   "prod": ["vpc-prod", "s3-prod", "sec-group-prod"],
-  "invalid-workspace-name": [],
+  "invalid": [],
 }
 
-# Get workspace name
+# Get the workspace name from the tfrun import
 workspace_name = tfrun.workspace.name
-# print("workspace_name:", workspace_name)
 
-# Determine environment of workspace name
-# If workspace does not start or end with "dev", "qa", or "prod", then set it
-# to "invalid-workspace-name"
+# Determine the workspace environment (key of allowed_workspaces list)
+matching_env_found = false
 workspace_env = ""
-case {
-  when workspace_name matches "^(.+)-dev$" or workspace_name matches "^dev-(.+)$":
-    workspace_env = "dev"
-  when workspace_name matches "^(.+)-qa$" or workspace_name matches "^qa-(.+)$":
-    workspace_env = "qa"
-  when workspace_name matches "^(.+)-prod$" or workspace_name matches "^prod-(.+)$":
-    workspace_env = "prod"
-  else:
-    workspace_env = "invalid-workspace-name"
+for allowed_workspaces as env, workspaces {
+  if workspace_name matches "(.+)-" + env + "$" or
+     workspace_name matches "^" + env + "-(.+)$" {
+    workspace_env = env
+    matching_env_found = true
+    break
+  }
+}
+
+# Deal with workspaces names that do not match patterns
+if not matching_env_found {
+  workspace_env = "invalid"
 }
 
 # Find instances of remote state data sources
 remoteStates = state.find_datasources("terraform_remote_state")
 
-# Filter remote state data sources
+# Filter remote state data sources to violations
 violatingRemoteStates = state.filter_attribute_not_in_list(remoteStates,
                         "config.workspaces.name",
                         allowed_workspaces[workspace_env], false)
@@ -55,8 +58,19 @@ violatingRemoteStates = state.filter_attribute_not_in_list(remoteStates,
 validated = true
 if length(violatingRemoteStates["messages"]) is not 0 {
   validated = false
+  # Special processing for workspace names that do not match an environment
+  if workspace_env is "invalid" {
+    # delete the "invalid" key from allowed_workspaces to improve message
+    delete(allowed_workspaces, "invalid")
+    print("The current workspace", workspace_name, "is not allowed to access",
+          "remote state from other workspaces because its name does not match",
+          "any of the allowed regular expressions in", keys(allowed_workspaces))
+  }
+  # Print generic violation message
   print("This workspace tried to access remote state from workspaces",
         "it is not allowed to access.")
+  # Print specific violation messages for instances of the terraform_remote_state
+  # data source
   state.print_violations(violatingRemoteStates["messages"], "Data source")
 }
 

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-fail-dev.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-dev": {
+		"address":        "terraform_remote_state.ec2-dev",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-dev",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-fail-invalid-workspace-name.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-for-production": {
+		"address":        "terraform_remote_state.ec2-for-production",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-for-production",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-fail-prod.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-prod": {
+		"address":        "terraform_remote_state.ec2-prod",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-prod",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-fail-qa.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-qa": {
+		"address":        "terraform_remote_state.ec2-qa",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-qa",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-pass-dev.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-dev": {
+		"address":        "terraform_remote_state.ec2-dev",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-dev",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-pass-prod.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-prod": {
+		"address":        "terraform_remote_state.ec2-prod",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-prod",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",

governance/third-generation/cloud-agnostic/test/restrict-remote-state/mock-tfstate-pass-qa.sentinel

@@ -19,14 +19,14 @@ outputs = {
 }
 
 resources = {
-	"terraform_remote_state.pets": {
-		"address":        "terraform_remote_state.pets",
+	"terraform_remote_state.ec2-qa": {
+		"address":        "terraform_remote_state.ec2-qa",
 		"depends_on":     [],
 		"deposed_key":    "",
 		"index":          null,
 		"mode":           "data",
 		"module_address": "",
-		"name":           "pets",
+		"name":           "ec2-qa",
 		"provider_name":  "terraform.io/builtin/terraform",
 		"tainted":        false,
 		"type":           "terraform_remote_state",