Merged
merged 28 commits into from
Feb 22, 2021
4edcca2
Update tfplan-functions.sentinel
ja5onhughe5 Feb 13, 2021
e3f4832
Created new 3rd Gen policy for restricting SSH with test mock
ja5onhughe5 Feb 13, 2021
20a7e27
Created new 3rd Gen policy for restricting RDP with test mock
ja5onhughe5 Feb 13, 2021
09d3fe1
add restrict-sagemaker-notebooks.sentinel
rberlind Feb 16, 2021
1e1931c
Merge pull request #262 from hashicorp/add-sagemaker-policy
rberlind Feb 16, 2021
f21cf43
add create-policy-set-version.sh script
rberlind Feb 17, 2021
c276b5e
Merge pull request #263 from hashicorp/add-policy-set-version-script
abbasrsyed Feb 17, 2021
8500922
Merge pull request #1 from hashicorp/master
ja5onhughe5 Feb 17, 2021
abef7f1
Update sentinel.hcl
ja5onhughe5 Feb 17, 2021
986d450
Merge branch 'master' of https://github.com/ja5onhughe5/terraform-guides
ja5onhughe5 Feb 17, 2021
59138b6
add restrict-s3-bucket-policies.sentinel policy
rberlind Feb 18, 2021
9b81784
Merge pull request #264 from hashicorp/add-restrict-bucket-policies-p…
rberlind Feb 18, 2021
0e80f51
Add back messages when null
rberlind Feb 18, 2021
8a99c48
Merge pull request #261 from ja5onhughe5/master
rberlind Feb 18, 2021
dad9564
update sentinel.hcl files to add policies
rberlind Feb 18, 2021
638ea88
Merge pull request #265 from hashicorp/add-new-policies-to-aws-sentin…
rberlind Feb 18, 2021
613d1ab
improve policy-set example for script
rberlind Feb 18, 2021
9c72881
Merge pull request #266 from hashicorp/fix-policy-set-example
rberlind Feb 18, 2021
94cec4d
add Terraform code for two Sentinel policies
rberlind Feb 18, 2021
40e05c8
Merge pull request #267 from hashicorp/add-tf-code-used-to-generate-S…
rberlind Feb 18, 2021
8ebda6b
add restrict-resources-by-module-source.sentinel
rberlind Feb 19, 2021
1aef8ea
Merge pull request #268 from hashicorp/restrict-resources-by-module-s…
rberlind Feb 19, 2021
72b8ffd
updated 3g README.md tfconfig-functions
rberlind Feb 19, 2021
3b209ae
Merge pull request #269 from hashicorp/update-3gen-readme-functions
rberlind Feb 19, 2021
8b670fa
add restrict-resources-by-module-source to sentinel.hcl
rberlind Feb 19, 2021
e537f11
Merge pull request #270 from hashicorp/update-sentinel-hcl
rberlind Feb 19, 2021
a0506d3
minor fixes for restrict-resources-by-module-source.sentinel
rberlind Feb 19, 2021
b09698f
Merge pull request #271 from hashicorp/minor-sentinel-fixes
rberlind Feb 19, 2021
add restrict-resources-by-module-source.sentinel
rberlind committed Feb 19, 2021
commit 8ebda6b19f517621b9a1db5d832a5521ecb3467b
Expand Up @@ -279,7 +279,7 @@ validate_provider_in_allowed_regions = func(p, regions) {
module_segments = strings.split(p.module_address, ".")
num_segments = length(module_segments)
parent_module = strings.join(module_segments[0:num_segments-2], ".")
current_module_name = module_segments[num_segments -1]
current_module_name = module_segments[num_segments-1]

# Find module call that called current module
if parent_module is "" {
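Review bot: the only change in this hunk is dropping the stray space in `module_segments[num_segments -1]`, which is fine, but the slicing just above it deserves a guard while this function is being touched. `parent_module = strings.join(module_segments[0:num_segments-2], ".")` runs before the `if parent_module is ""` check, so a provider whose `module_address` is empty (root module) yields a one-element `module_segments` and a slice bound of `num_segments-2 = -1`. If this function can be reached for root-module providers, test `p.module_address is ""` before splitting and return early rather than relying on the later emptiness check.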
Expand Up @@ -69,7 +69,7 @@ for allIAMPolicyDocuments as address, pd {
statements, "actions", restricted_s3_actions, false)
if length(statementsWithS3actions["resources"]) is 0 {
# No statements included restricted S3 actions, so policy document is ok.
break
continue
}

# Test each restricted S3 action separately to make sure some statement
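Review bot: replacing `break` with `continue` is the right fix and is security-relevant: `break` left the `for allIAMPolicyDocuments as address, pd` loop at the first policy document that contained no restricted S3 actions, so every later document in the plan was never tested and a document that did grant a restricted action let `main` pass silently. Worth pinning with a test mock whose plan contains a clean policy document followed by one that grants a restricted S3 action, expecting `main = false`, so the regression cannot return.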
@@ -0,0 +1,58 @@
# This policy restricts resources of specific types to only be created in
# modules with sources in a given list.
# If you want to allow creation of the resources in the root module, include
# "root" in the `allowed_module_sources` list. But you generally would not
# want to allow "root" since that sacrifices most control over creation of
# the resource types in `restricted_resources`.

##### Imports #####

# Import common-functions/tfconfig-functions/tfconfig-functions.sentinel
# with alias "config"
import "tfconfig-functions" as config

##### Parameters #####
param restricted_resources default [
"aws_s3_bucket",
"aws_s3_bucket_object",
"azurerm_storage_account",
"azurerm_storage_container",
"azurerm_storage_blob",

]

param allowed_module_sources default [
"app.terraform.io/Cloud-Operations/s3-bucket/aws",
"localterraform.com/Cloud-Operations/s3-bucket/aws",
"app.terraform.io/Cloud-Operations/caf/azurerm",
"localterraform.com/Cloud-Operations/caf/azurerm",
"app.terraform.io/Cloud-Operations/cloud-storage/google",
"localterraform.com/Cloud-Operations/cloud-storage/google",
]

# Initialize validated
validated = true

# Iterate over restricted resource types
for restricted_resources as _, type {
# Find all resources of the given type
all_resources = config.find_resources_by_type(type)

# Iterate over the resources to find module source
for all_resources as address, r {
module_address = r.module_address
# Get module source
module_source = config.get_module_source(module_address)
# Check module_source
if module_source not in allowed_module_sources {
print("resource", address, "has module source", module_source,
"that is not in the allowed list:", allowed_module_sources)
validated = false
} // end if module_source in allowed_module_sources
} // end for all_resources
} // end restricted_resources

# Main rule
main = rule {
validated
}
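Review bot: in the new restrict-resources-by-module-source.sentinel, `module_source not in allowed_module_sources` is an exact string match on the source of the module that directly declares the resource, which has two consequences worth stating in the header comment or handling in code. First, a resource declared in a nested module that an allowed module calls with a relative source (for example `./modules/bucket`) is reported as a violation even though it was created through an allowed module, so either those nested sources must be listed too or the check needs to walk up to the nearest ancestor whose source is in the list. Second, any other source form (a git URL with `?ref=`, for instance) must match character for character, which is fine as long as the list is maintained with that in mind. Two smaller points: the closing comment `// end if module_source in allowed_module_sources` contradicts the `not in` condition it closes, and the `print` would be more useful for triage if it included `module_address` alongside the resource address. The blank line before `]` in `restricted_resources` is harmless but stray.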
@@ -0,0 +1,15 @@
module "tfconfig-functions" {
source = "../../../common-functions/tfconfig-functions/tfconfig-functions.sentinel"
}

mock "tfconfig/v2" {
module {
source = "mock-tfconfig-fail.sentinel"
}
}

test {
rules = {
main = false
}
}
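Review bot: this test configuration (the sentinel.hcl for restrict-resources-by-module-source) only wires in `mock-tfconfig-fail.sentinel` with `main = false`, which proves the policy rejects a disallowed module source but not that it admits an allowed one. Make sure a companion test with a passing mock (a restricted resource type whose module source is in `allowed_module_sources`, expecting `main = true`) is part of the same change, and consider a third mock for a restricted resource declared in the root module, since the policy's header comment says "root" is deliberately left out of the default list and that path should be shown to fail as well.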