initial commit

This commit is contained in:
worm 2023-08-10 16:40:59 -07:00
commit b966559c64

102
asg-tags.sentinel Normal file
View file

@ -0,0 +1,102 @@
# This policy uses the Sentinel tfplan/v2 import to require that
# all EC2 instances have the Environment key in the tags attribute
# and that it has a value from an allowed list
# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan/v2" as tfplan
#import "tfplan-functions" as plan
param actions default [
["no-op"],
["create"],
["update"],
]
# Mandatory tags. This should probably be a map that contains a list of acceptable values.
# e.g., mandatory_tags = { "Environments: [prod, dev, qa]"}
# at least in the context of asgs it would make more sense if there's more than one mandatory tag
mandatory_tags = ["Environments"]
# Allowed Environments
# Include "null" to allow missing or computed values
allowed_environments = ["tfe-monitoring"]
# Get asgs
allAwsAutoscalingGroups = filter tfplan.resource_changes as _, rc {
rc.provider_name matches "(.*)aws$" and
rc.type is "aws_autoscaling_group" and
rc.mode is "managed" and
rc.change.actions in actions
}
#verify that each element of a list is present in map m
#contains looks at keys when used with maps
contains_all_list_items = func(l, m) {
all_present = true
for l as i {
if m not contains i {
all_present = false
}
}
return all_present
}
# iterate over required keys (rk) that exist in a given map (m), and ensure that the value is in a provided list
# this won't actually work correctly for more than one required tag
tag_values_compliant = func(rk, m, l) {
values_compliant = true
for rk as key {
if l not contains m[key] else "ok" {
values_compliant = false
}
}
return values_compliant
}
# Merge tags on an aws_autoscaling_group resource. List of maps is tough to work with
merge_tags = func(lm) {
merged_tag = {}
for lm as l {
merged_tag[l.key] = l.value
}
return merged_tag
}
# Iterate over a set of resources, and filter to those without required keys (k) and values (v)
iterOverResources = func(resources, k, v, prtmsg) {
violators = {}
messages = {}
for resources as a, r {
merged_tags = merge_tags(r.change.after.tag)
all_required_keys_present = contains_all_list_items(k, merged_tags)
all_tag_values_compliant = tag_values_compliant(mandatory_tags, merged_tags, v)
if not all_required_keys_present {
message = string(a) + " is missing a required key from list: " + string(k) + " from tags " + string(merged_tags)
violators[a] = r
if prtmsg {
print("Not all required keys are present.")
print("Required keys:", k)
print("Resource keys:", keys(merged_tags))
}
}
if not all_tag_values_compliant {
violators[a] = r
if prtmsg {
print("tag values not compliant")
print("compliant key values: ", k)
print(a, " has a noncompliant tag value. Compliant values are:", v)
print("Resource tags:")
print(merged_tags)
}
}
}
return {"resources":violators, "messages":messages}
}
violations = length(iterOverResources(allAwsAutoscalingGroups, mandatory_tags, allowed_environments, true)["resources"])
# Main rule
main = rule {
violations is 0
}