add restrict-resources-by-module-source.sentinel

governance/third-generation/aws/aws-functions/aws-functions.sentinel

@@ -279,7 +279,7 @@ validate_provider_in_allowed_regions = func(p, regions) {
             module_segments = strings.split(p.module_address, ".")
             num_segments = length(module_segments)
             parent_module = strings.join(module_segments[0:num_segments-2], ".")
-            current_module_name = module_segments[num_segments -1]
+            current_module_name = module_segments[num_segments-1]
 
             # Find module call that called current module
             if parent_module is "" {

governance/third-generation/aws/restrict-s3-bucket-policies.sentinel

@@ -69,7 +69,7 @@ for allIAMPolicyDocuments as address, pd {
                             statements, "actions", restricted_s3_actions, false)
   if length(statementsWithS3actions["resources"]) is 0 {
     # No statements included restricted S3 actions, so policy document is ok.
-    break
+    continue
   }
 
   # Test each restricted S3 action separately to make sure some statement

governance/third-generation/cloud-agnostic/restrict-resources-by-module-source.sentinel

@@ -0,0 +1,58 @@
+# This policy restricts resources of specific types to only be created in
+# modules with sources in a given list.
+# If you want to allow creation of the resources in the root module, include
+# "root" in the `allowed_module_sources` list. But you generally would not
+# want to allow "root" since that sacrifices most control over creation of
+# the resource types in `restricted_resources`.
+
+##### Imports #####
+
+# Import common-functions/tfconfig-functions/tfconfig-functions.sentinel
+# with alias "config"
+import "tfconfig-functions" as config
+
+##### Parameters #####
+param restricted_resources default [
+  "aws_s3_bucket",
+  "aws_s3_bucket_object",
+  "azurerm_storage_account",
+  "azurerm_storage_container",
+  "azurerm_storage_blob",
+
+]
+
+param allowed_module_sources default [
+  "app.terraform.io/Cloud-Operations/s3-bucket/aws",
+  "localterraform.com/Cloud-Operations/s3-bucket/aws",
+  "app.terraform.io/Cloud-Operations/caf/azurerm",
+  "localterraform.com/Cloud-Operations/caf/azurerm",
+  "app.terraform.io/Cloud-Operations/cloud-storage/google",
+  "localterraform.com/Cloud-Operations/cloud-storage/google",
+]
+
+# Initialize validated
+validated = true
+
+# Iterate over restricted resource types
+for restricted_resources as _, type {
+  # Find all resources of the given type
+  all_resources = config.find_resources_by_type(type)
+
+  # Iterate over the resources to find module source
+  for all_resources as address, r {
+    module_address = r.module_address
+    # Get module source
+    module_source = config.get_module_source(module_address)
+    # Check module_source
+    if module_source not in allowed_module_sources {
+      print("resource", address, "has module source", module_source,
+            "that is not in the allowed list:", allowed_module_sources)
+      validated = false
+    } // end if module_source in allowed_module_sources
+  } // end for all_resources
+} // end restricted_resources
+
+# Main rule
+main = rule {
+  validated
+}

governance/third-generation/cloud-agnostic/test/restrict-resources-by-module-source/fail.hcl

@@ -0,0 +1,15 @@
+module "tfconfig-functions" {
+  source = "../../../common-functions/tfconfig-functions/tfconfig-functions.sentinel"
+}
+
+mock "tfconfig/v2" {
+  module {
+    source = "mock-tfconfig-fail.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}