From 750ffed0ab7fac6290bbdad5caf2caa9156c4818 Mon Sep 17 00:00:00 2001 From: worm Date: Tue, 14 Nov 2023 09:25:34 -0800 Subject: [PATCH] nuke + pave thank you industry standard version control --- .gitignore | 1 + README.md | 7 + terraform_v1.4.0/CloudTrail/main.tf | 33 ++ v1.4.0/CloudTrail.1.sentinel | 25 + ...rail-multiregion-mock-tfconfig-v2.sentinel | 86 ++++ ...dtrail-multiregion-mock-tfplan-v2.sentinel | 487 ++++++++++++++++++ ...cloudtrail-multiregion-mock-tfrun.sentinel | 50 ++ ...trail-multiregion-mock-tfstate-v2.sentinel | 40 ++ ...ail-singleregion-mock-tfconfig-v2.sentinel | 60 +++ ...trail-singleregion-mock-tfplan-v2.sentinel | 216 ++++++++ ...loudtrail-singleregion-mock-tfrun.sentinel | 50 ++ ...rail-singleregion-mock-tfstate-v2.sentinel | 5 + v1.4.0/mocks/sentinel.hcl | 59 +++ v1.4.0/test/CloudTrail.1/fail.hcl | 11 + v1.4.0/test/CloudTrail.1/pass.hcl | 11 + 15 files changed, 1141 insertions(+) create mode 100644 .gitignore create mode 100644 README.md create mode 100644 terraform_v1.4.0/CloudTrail/main.tf create mode 100644 v1.4.0/CloudTrail.1.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-multiregion-mock-tfconfig-v2.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-multiregion-mock-tfplan-v2.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-multiregion-mock-tfrun.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-multiregion-mock-tfstate-v2.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-singleregion-mock-tfconfig-v2.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-singleregion-mock-tfplan-v2.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-singleregion-mock-tfrun.sentinel create mode 100644 v1.4.0/mocks/cloudtrail-singleregion-mock-tfstate-v2.sentinel create mode 100644 v1.4.0/mocks/sentinel.hcl create mode 100644 v1.4.0/test/CloudTrail.1/fail.hcl create mode 100644 v1.4.0/test/CloudTrail.1/pass.hcl diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..27c9372 --- /dev/null +++ b/.gitignore 
@@ -0,0 +1 @@
+terraform_v1.4.0/.terraform*
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..5f88444
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+This repository is intended to provide example sentinel policies that meet the requirements of the Center for Internet Security (CIS) Foundations Benchmarks. Initial work will include support for v1.4.0.
+
+AWS outlines the requirements here:
+https://docs.aws.amazon.com/securityhub/latest/userguide/cis-aws-foundations-benchmark.html
+
+The CIS guidelines for AWS available here:
+https://www.cisecurity.org/benchmark/amazon_web_services
diff --git a/terraform_v1.4.0/CloudTrail/main.tf b/terraform_v1.4.0/CloudTrail/main.tf
new file mode 100644
index 0000000..b54ff0f
--- /dev/null
+++ b/terraform_v1.4.0/CloudTrail/main.tf
@@ -0,0 +1,33 @@
+terraform {
+ cloud {
+ organization = "sean-env"
+
+ workspaces {
+ name = "cis-sentinel-resources"
+ }
+ }
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~>5.0"
+ }
+ }
+}
+
+ provider "aws" {
+ region = "us-west-2"
+ }
+
+ resource "aws_cloudtrail" "example" {
+ name = "example"
+ s3_bucket_name = "stm-cloudtrail-sentinel"
+ include_global_service_events = false
+ }
+
+ resource "aws_cloudtrail" "example-multi-region" {
+ name = "example-multi-region"
+ s3_bucket_name = "stm-cloudtrail-sentinel"
+ include_global_service_events = true
+ is_multi_region_trail = true
+ }
diff --git a/v1.4.0/CloudTrail.1.sentinel b/v1.4.0/CloudTrail.1.sentinel
new file mode 100644
index 0000000..007ac9a
--- /dev/null
+++ b/v1.4.0/CloudTrail.1.sentinel
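Review bot: The single pattern `terraform_v1.4.0/.terraform*` contains a slash, so git anchors it to that directory and it does not match the `.terraform/` that `terraform init` creates beside the only root module in this commit, `terraform_v1.4.0/CloudTrail/main.tf`; that provider cache and backend metadata would be committed on the first run. Nothing ignores local state or variable files either, and any `.tfstate` written by a local or migrated run carries every resource attribute in clear text, while the same glob would silently drop a `.terraform.lock.hcl` placed at that level, which should stay tracked. I would replace the line with `.terraform/`, `*.tfstate`, `*.tfstate.*` and `*.tfvars`.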
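Review bot: `aws_cloudtrail.example-multi-region` is the compliant trail this repository's README presents as meeting the CIS Foundations benchmark, yet it sets neither `enable_log_file_validation = true` nor a `kms_key_id`, and the committed plan mocks show those landing as `false` and `null`; as I recall v1.4.0 covers log file validation and CMK encryption in controls 3.2 and 3.7, so anyone copying the "good" example inherits two findings. Either add `enable_log_file_validation = true` and a `kms_key_id` here, or mark the resource with a comment such as `# minimal trail for the CloudTrail.1 mocks only; not a complete CIS-hardened configuration`. The `cloud` block also pins a personal organization and workspace name, so a one-line comment telling readers to replace them before `terraform init` would save confusion.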
@@ -0,0 +1,25 @@
+#CloudTrail should be enabled and configured with at least one multi-Region trail that includes read and write management events
+# TODO: Address the ideal way to determine when this policy is appropriate to run
+# TODO: check how the reading and writing of management events works and write configuration to include it:
+#https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudtrail.html#include_management_events
+import "tfplan/v2" as tfplan
+
+param actions default [
+ ["no-op"],
+ ["create"],
+ ["update"],
+]
+
+aws_cloudtrails = filter tfplan.resource_changes as _, rc {
+ rc.type is "aws_cloudtrail" and
+ rc.mode is "managed" and
+ rc.change.actions in actions
+}
+
+multiregion_trails_exist = any aws_cloudtrails as ct {
+ aws_cloudtrails[ct].change.after.is_multi_region_trail is true
+}
+
+main = rule {
+ multiregion_trails_exist
+}
diff --git a/v1.4.0/mocks/cloudtrail-multiregion-mock-tfconfig-v2.sentinel b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfconfig-v2.sentinel
new file mode 100644
index 0000000..f8fd77a
--- /dev/null
+++ b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfconfig-v2.sentinel
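Review bot: `multiregion_trails_exist` accepts any trail whose `is_multi_region_trail` is true but never consults `enable_logging`, so a plan that sets `enable_logging = false` on its multi-region trail passes a control whose own title begins "CloudTrail should be enabled"; it also reads `is_multi_region_trail` straight out of `change.after`, and when that attribute is computed rather than a literal it appears under `after_unknown` instead, which as far as I can tell leaves the comparison undefined rather than false. I would rewrite the rule as below, using `else false` so unknowns fail closed and checking both attributes. Two further points the TODOs already hint at: `any` over an empty collection is false, so a workspace whose plan contains no `aws_cloudtrail` fails this policy outright, which may well be the intended fail-closed behaviour but deserves an explicit comment and a test rather than an open TODO; and both committed plan mocks carry `event_selector: []`, and in my experience a trail created with no selector logs all management events read and write by default, so the deferred management-event check would have to accept an empty selector list as well as an explicit selector with `include_management_events` true and `read_write_type` of `"All"` — confirm against the provider docs linked in the header.
```sentinel
# A trail only satisfies the control when it is multi-region AND actively logging.
# `else false` fails closed when an attribute is unknown at plan time (absent from
# `after`, present in `after_unknown`) instead of leaving the rule undefined.
multiregion_trails_exist = any aws_cloudtrails as _, ct {
	(ct.change.after.is_multi_region_trail else false) is true and
	(ct.change.after.enable_logging else false) is true
}
```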
@@ -0,0 +1,86 @@ +import "strings" + +providers = { + "aws": { + "alias": "", + "config": { + "region": { + "constant_value": "us-west-2", + }, + }, + "full_name": "registry.terraform.io/hashicorp/aws", + "module_address": "", + "name": "aws", + "provider_config_key": "aws", + "version_constraint": "~> 5.0", + }, +} + +resources = { + "aws_cloudtrail.example": { + "address": "aws_cloudtrail.example", + "config": { + "include_global_service_events": { + "constant_value": false, + }, + "name": { + "constant_value": "example", + }, + "s3_bucket_name": { + "constant_value": "stm-cloudtrail-sentinel", + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_cloudtrail", + }, + "aws_cloudtrail.example-multi-region": { + "address": "aws_cloudtrail.example-multi-region", + "config": { + "include_global_service_events": { + "constant_value": true, + }, + "is_multi_region_trail": { + "constant_value": true, + }, + "name": { + "constant_value": "example-multi-region", + }, + "s3_bucket_name": { + "constant_value": "stm-cloudtrail-sentinel", + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "example-multi-region", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_cloudtrail", + }, +} + +provisioners = {} + +variables = {} + +outputs = {} + +module_calls = {} + +strip_index = func(addr) { + s = strings.split(addr, ".") + for s as i, v { + s[i] = strings.split(v, "[")[0] + } + + return strings.join(s, ".") +} diff --git a/v1.4.0/mocks/cloudtrail-multiregion-mock-tfplan-v2.sentinel b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfplan-v2.sentinel new file mode 100644 index 0000000..8b16f01 --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfplan-v2.sentinel 
@@ -0,0 +1,487 @@ +terraform_version = "1.6.3" + +planned_values = { + "outputs": {}, + "resources": { + "aws_cloudtrail.example": { + "address": "aws_cloudtrail.example", + "depends_on": [], + "deposed_key": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "tainted": false, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + }, + "aws_cloudtrail.example-multi-region": { + "address": "aws_cloudtrail.example-multi-region", + "depends_on": [], + "deposed_key": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example-multi-region", + "provider_name": "registry.terraform.io/hashicorp/aws", + "tainted": false, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": true, + "insight_selector": [], + "is_multi_region_trail": true, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example-multi-region", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + }, + }, +} + +variables = {} + +resource_changes = { + "aws_cloudtrail.example": { + "address": 
"aws_cloudtrail.example", + "change": { + "actions": [ + "no-op", + ], + "after": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + "after_unknown": {}, + "before": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + }, + "deposed": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "type": "aws_cloudtrail", + }, + "aws_cloudtrail.example-multi-region": { + "address": "aws_cloudtrail.example-multi-region", + "change": { + "actions": [ + "create", + ], + "after": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": true, + "insight_selector": [], + "is_multi_region_trail": 
true, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example-multi-region", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + "after_unknown": { + "advanced_event_selector": [], + "arn": true, + "event_selector": [], + "home_region": true, + "id": true, + "insight_selector": [], + "tags_all": true, + }, + "before": null, + }, + "deposed": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example-multi-region", + "provider_name": "registry.terraform.io/hashicorp/aws", + "type": "aws_cloudtrail", + }, +} + +output_changes = {} + +raw = { + "configuration": { + "provider_config": { + "aws": { + "expressions": { + "region": { + "constant_value": "us-west-2", + }, + }, + "full_name": "registry.terraform.io/hashicorp/aws", + "name": "aws", + "version_constraint": "~> 5.0", + }, + }, + "root_module": { + "resources": [ + { + "address": "aws_cloudtrail.example", + "expressions": { + "include_global_service_events": { + "constant_value": false, + }, + "name": { + "constant_value": "example", + }, + "s3_bucket_name": { + "constant_value": "stm-cloudtrail-sentinel", + }, + }, + "mode": "managed", + "name": "example", + "provider_config_key": "aws", + "schema_version": 0, + "type": "aws_cloudtrail", + }, + { + "address": "aws_cloudtrail.example-multi-region", + "expressions": { + "include_global_service_events": { + "constant_value": true, + }, + "is_multi_region_trail": { + "constant_value": true, + }, + "name": { + "constant_value": "example-multi-region", + }, + "s3_bucket_name": { + "constant_value": "stm-cloudtrail-sentinel", + }, + }, + "mode": "managed", + "name": "example-multi-region", + "provider_config_key": "aws", + "schema_version": 0, + "type": "aws_cloudtrail", + }, + ], + }, + }, + "format_version": "1.2", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_cloudtrail.example", + "mode": "managed", + "name": 
"example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags": {}, + "tags_all": {}, + }, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + }, + { + "address": "aws_cloudtrail.example-multi-region", + "mode": "managed", + "name": "example-multi-region", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags_all": {}, + }, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": true, + "insight_selector": [], + "is_multi_region_trail": true, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example-multi-region", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + }, + ], + }, + }, + "prior_state": { + "format_version": "1.0", + "terraform_version": "1.6.3", + "values": { + "root_module": { + "resources": [ + { + "address": "aws_cloudtrail.example", + "mode": "managed", + "name": 
"example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags": {}, + "tags_all": {}, + }, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + }, + ], + }, + }, + }, + "resource_changes": [ + { + "address": "aws_cloudtrail.example", + "change": { + "actions": [ + "no-op", + ], + "after": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + "after_sensitive": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags": {}, + "tags_all": {}, + }, + "after_unknown": {}, + "before": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + 
"cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + "before_sensitive": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags": {}, + "tags_all": {}, + }, + }, + "mode": "managed", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "type": "aws_cloudtrail", + }, + { + "address": "aws_cloudtrail.example-multi-region", + "change": { + "actions": [ + "create", + ], + "after": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": true, + "insight_selector": [], + "is_multi_region_trail": true, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example-multi-region", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + "after_sensitive": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags_all": {}, + }, + "after_unknown": { + "advanced_event_selector": [], + "arn": true, + "event_selector": [], + "home_region": true, + "id": true, + "insight_selector": [], + "tags_all": true, + }, + "before": null, + "before_sensitive": false, + }, + "mode": "managed", + "name": "example-multi-region", + "provider_name": "registry.terraform.io/hashicorp/aws", + "type": "aws_cloudtrail", + }, + ], + "terraform_version": "1.6.3", +} 
diff --git a/v1.4.0/mocks/cloudtrail-multiregion-mock-tfrun.sentinel b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfrun.sentinel new file mode 100644 index 0000000..97c6de9 --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfrun.sentinel @@ -0,0 +1,50 @@ +id = "run-kMeuEdk8igq5Dghy" +created_at = "2023-11-07T00:15:32.205Z" +created_by = "seanmeininger" +message = "Triggered via CLI" +commit_sha = undefined +speculative = false +is_destroy = false +refresh = true +refresh_only = false +replace_addrs = null +target_addrs = null +project = { + "id": "prj-reb8RoikfSwzy97u", + "name": "Default Project", +} + +variables = { + "AWS_ACCESS_KEY_ID": { + "category": "env", + "sensitive": false, + }, + "AWS_SECRET_ACCESS_KEY": { + "category": "env", + "sensitive": true, + }, + "AWS_SESSION_EXPIRATION": { + "category": "env", + "sensitive": false, + }, + "AWS_SESSION_TOKEN": { + "category": "env", + "sensitive": true, + }, +} + +organization = { + "name": "sean-env", +} + +workspace = { + "auto_apply": false, + "created_at": "2023-11-06T23:57:08.689Z", + "description": "Work description", + "execution_mode": "default", + "id": "ws-SiAU345Ch3vMXGXA", + "name": "cis-sentinel-resources", + "tags": [], + "vcs_repo": null, + "working_directory": "", +} diff --git a/v1.4.0/mocks/cloudtrail-multiregion-mock-tfstate-v2.sentinel b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfstate-v2.sentinel new file mode 100644 index 0000000..b6e9613 --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-multiregion-mock-tfstate-v2.sentinel 
@@ -0,0 +1,40 @@ +terraform_version = "1.6.3" + +outputs = {} + +resources = { + "aws_cloudtrail.example": { + "address": "aws_cloudtrail.example", + "depends_on": [], + "deposed_key": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "tainted": false, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "arn": "arn:aws:cloudtrail:us-west-2:323533494701:trail/example", + "cloud_watch_logs_group_arn": "", + "cloud_watch_logs_role_arn": "", + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "home_region": "us-west-2", + "id": "example", + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": "", + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": "", + "sns_topic_name": "", + "tags": {}, + "tags_all": {}, + }, + }, +} diff --git a/v1.4.0/mocks/cloudtrail-singleregion-mock-tfconfig-v2.sentinel b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfconfig-v2.sentinel new file mode 100644 index 0000000..2d912cc --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfconfig-v2.sentinel 
@@ -0,0 +1,60 @@ +import "strings" + +providers = { + "aws": { + "alias": "", + "config": { + "region": { + "constant_value": "us-west-2", + }, + }, + "full_name": "registry.terraform.io/hashicorp/aws", + "module_address": "", + "name": "aws", + "provider_config_key": "aws", + "version_constraint": "~> 5.0", + }, +} + +resources = { + "aws_cloudtrail.example": { + "address": "aws_cloudtrail.example", + "config": { + "include_global_service_events": { + "constant_value": false, + }, + "name": { + "constant_value": "example", + }, + "s3_bucket_name": { + "constant_value": "stm-cloudtrail-sentinel", + }, + }, + "count": {}, + "depends_on": [], + "for_each": {}, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_config_key": "aws", + "provisioners": [], + "type": "aws_cloudtrail", + }, +} + +provisioners = {} + +variables = {} + +outputs = {} + +module_calls = {} + +strip_index = func(addr) { + s = strings.split(addr, ".") + for s as i, v { + s[i] = strings.split(v, "[")[0] + } + + return strings.join(s, ".") +} diff --git a/v1.4.0/mocks/cloudtrail-singleregion-mock-tfplan-v2.sentinel b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfplan-v2.sentinel new file mode 100644 index 0000000..344df99 --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfplan-v2.sentinel 
@@ -0,0 +1,216 @@ +terraform_version = "1.6.3" + +planned_values = { + "outputs": {}, + "resources": { + "aws_cloudtrail.example": { + "address": "aws_cloudtrail.example", + "depends_on": [], + "deposed_key": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "tainted": false, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + }, + }, +} + +variables = {} + +resource_changes = { + "aws_cloudtrail.example": { + "address": "aws_cloudtrail.example", + "change": { + "actions": [ + "create", + ], + "after": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + "after_unknown": { + "advanced_event_selector": [], + "arn": true, + "event_selector": [], + "home_region": true, + "id": true, + "insight_selector": [], + "tags_all": true, + }, + "before": null, + }, + "deposed": "", + "index": null, + "mode": "managed", + "module_address": "", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "type": "aws_cloudtrail", + }, +} + 
+output_changes = {} + +raw = { + "configuration": { + "provider_config": { + "aws": { + "expressions": { + "region": { + "constant_value": "us-west-2", + }, + }, + "full_name": "registry.terraform.io/hashicorp/aws", + "name": "aws", + "version_constraint": "~> 5.0", + }, + }, + "root_module": { + "resources": [ + { + "address": "aws_cloudtrail.example", + "expressions": { + "include_global_service_events": { + "constant_value": false, + }, + "name": { + "constant_value": "example", + }, + "s3_bucket_name": { + "constant_value": "stm-cloudtrail-sentinel", + }, + }, + "mode": "managed", + "name": "example", + "provider_config_key": "aws", + "schema_version": 0, + "type": "aws_cloudtrail", + }, + ], + }, + }, + "format_version": "1.2", + "planned_values": { + "root_module": { + "resources": [ + { + "address": "aws_cloudtrail.example", + "mode": "managed", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "schema_version": 0, + "sensitive_values": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags_all": {}, + }, + "type": "aws_cloudtrail", + "values": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + "include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + }, + ], + }, + }, + "resource_changes": [ + { + "address": "aws_cloudtrail.example", + "change": { + "actions": [ + "create", + ], + "after": { + "advanced_event_selector": [], + "cloud_watch_logs_group_arn": null, + "cloud_watch_logs_role_arn": null, + "enable_log_file_validation": false, + "enable_logging": true, + "event_selector": [], + 
"include_global_service_events": false, + "insight_selector": [], + "is_multi_region_trail": false, + "is_organization_trail": false, + "kms_key_id": null, + "name": "example", + "s3_bucket_name": "stm-cloudtrail-sentinel", + "s3_key_prefix": null, + "sns_topic_name": null, + "tags": null, + }, + "after_sensitive": { + "advanced_event_selector": [], + "event_selector": [], + "insight_selector": [], + "tags_all": {}, + }, + "after_unknown": { + "advanced_event_selector": [], + "arn": true, + "event_selector": [], + "home_region": true, + "id": true, + "insight_selector": [], + "tags_all": true, + }, + "before": null, + "before_sensitive": false, + }, + "mode": "managed", + "name": "example", + "provider_name": "registry.terraform.io/hashicorp/aws", + "type": "aws_cloudtrail", + }, + ], + "terraform_version": "1.6.3", +} diff --git a/v1.4.0/mocks/cloudtrail-singleregion-mock-tfrun.sentinel b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfrun.sentinel new file mode 100644 index 0000000..12892e4 --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfrun.sentinel 
@@ -0,0 +1,50 @@ +id = "run-DZ9jn295kgBTAiWU" +created_at = "2023-11-07T00:08:21.839Z" +created_by = "seanmeininger" +message = "Triggered via CLI" +commit_sha = undefined +speculative = false +is_destroy = false +refresh = true +refresh_only = false +replace_addrs = null +target_addrs = null +project = { + "id": "prj-reb8RoikfSwzy97u", + "name": "Default Project", +} + +variables = { + "AWS_ACCESS_KEY_ID": { + "category": "env", + "sensitive": false, + }, + "AWS_SECRET_ACCESS_KEY": { + "category": "env", + "sensitive": true, + }, + "AWS_SESSION_EXPIRATION": { + "category": "env", + "sensitive": false, + }, + "AWS_SESSION_TOKEN": { + "category": "env", + "sensitive": true, + }, +} + +organization = { + "name": "sean-env", +} + +workspace = { + "auto_apply": false, + "created_at": "2023-11-06T23:57:08.689Z", + "description": "Work description", + "execution_mode": "default", + "id": "ws-SiAU345Ch3vMXGXA", + "name": "cis-sentinel-resources", + "tags": [], + "vcs_repo": null, + "working_directory": "", +} diff --git a/v1.4.0/mocks/cloudtrail-singleregion-mock-tfstate-v2.sentinel b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfstate-v2.sentinel new file mode 100644 index 0000000..028a453 --- /dev/null +++ b/v1.4.0/mocks/cloudtrail-singleregion-mock-tfstate-v2.sentinel @@ -0,0 +1,5 @@ +terraform_version = undefined + +outputs = {} + +resources = {} diff --git a/v1.4.0/mocks/sentinel.hcl b/v1.4.0/mocks/sentinel.hcl new file mode 100644 index 0000000..04a03e2 --- /dev/null +++ b/v1.4.0/mocks/sentinel.hcl 
@@ -0,0 +1,59 @@
+mock "tfconfig" {
+ module {
+ source = "mock-tfconfig.sentinel"
+ }
+}
+
+mock "tfconfig/v1" {
+ module {
+ source = "mock-tfconfig.sentinel"
+ }
+}
+
+mock "tfconfig/v2" {
+ module {
+ source = "mock-tfconfig-v2.sentinel"
+ }
+}
+
+mock "tfplan" {
+ module {
+ source = "mock-tfplan.sentinel"
+ }
+}
+
+mock "tfplan/v1" {
+ module {
+ source = "mock-tfplan.sentinel"
+ }
+}
+
+mock "tfplan/v2" {
+ module {
+ source = "mock-tfplan-v2.sentinel"
+ }
+}
+
+mock "tfstate" {
+ module {
+ source = "mock-tfstate.sentinel"
+ }
+}
+
+mock "tfstate/v1" {
+ module {
+ source = "mock-tfstate.sentinel"
+ }
+}
+
+mock "tfstate/v2" {
+ module {
+ source = "mock-tfstate-v2.sentinel"
+ }
+}
+
+mock "tfrun" {
+ module {
+ source = "mock-tfrun.sentinel"
+ }
+}
diff --git a/v1.4.0/test/CloudTrail.1/fail.hcl b/v1.4.0/test/CloudTrail.1/fail.hcl
new file mode 100644
index 0000000..9717f71
--- /dev/null
+++ b/v1.4.0/test/CloudTrail.1/fail.hcl
@@ -0,0 +1,11 @@
+mock "tfplan/v2" {
+ module {
+ source = "../../mocks/cloudtrail-singleregion-mock-tfplan-v2.sentinel"
+ }
+}
+
+test {
+ rules = {
+ main = false
+ }
+}
\ No newline at end of file
diff --git a/v1.4.0/test/CloudTrail.1/pass.hcl b/v1.4.0/test/CloudTrail.1/pass.hcl
new file mode 100644
index 0000000..d90b064
--- /dev/null
+++ b/v1.4.0/test/CloudTrail.1/pass.hcl
@@ -0,0 +1,11 @@
+mock "tfplan/v2" {
+ module {
+ source = "../../mocks/cloudtrail-multiregion-mock-tfplan-v2.sentinel"
+ }
+}
+
+test {
+ rules = {
+ main = true
+ }
+}
\ No newline at end of file
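Review bot: Every `source` in `v1.4.0/mocks/sentinel.hcl` names a file this commit does not add — `mock-tfconfig.sentinel`, `mock-tfplan-v2.sentinel`, `mock-tfrun.sentinel` and the rest — whereas the mocks actually placed in `v1.4.0/mocks/` are the renamed `cloudtrail-multiregion-mock-*.sentinel` and `cloudtrail-singleregion-mock-*.sentinel` files, so `sentinel apply -config v1.4.0/mocks/sentinel.hcl` would stop on the first missing mock. Because `fail.hcl` and `pass.hcl` already wire the renamed plan mocks directly, I would either delete this file or repoint its `tfplan/v2` entry at one of the two renamed plan mocks and drop the `tfconfig`, `tfstate`, `tfrun` and v1 entries that have no file behind them. Separately, the generated mocks this file is meant to wire embed a real-looking AWS account ID, TFC run/workspace/project IDs and a username; none are credentials, but scrubbing them before publishing example policies is cheap.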
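Review bot: The two cases pin only "one multi-region trail passes" and "one single-region trail fails"; nothing pins a plan with no `aws_cloudtrail` at all, which the policy's `any` over an empty filter result turns into `main = false`, nor a multi-region trail being replaced (`["delete", "create"]`), which the `actions` default excludes and therefore also fails. I would add a third file, say `test/CloudTrail.1/no-trail.hcl`, mocking `tfplan/v2` with `resource_changes = {}` and asserting whichever outcome is intended, so the policy's first TODO is settled by a test instead of left open. Both test files also end without a trailing newline.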