

Update PaC examples for latest API (pulumi#455)
Updates the examples for the API change that no longer uses the "output" shape of the resource; the "input" shape (i.e. the resource's args type) is used instead.
justinvp authored Nov 13, 2019
1 parent 384aaae commit c29a5fa
Showing 6 changed files with 32 additions and 32 deletions.
39 changes: 20 additions & 19 deletions policy-packs/aws-advanced/compute.ts
Expand Up @@ -31,17 +31,17 @@ export function requireApprovedAmisById(
description: "Instances should use approved AMIs.",
enforcementLevel: "mandatory",
validateResource: [
validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (amis && !amis.has(instance.ami)) {
reportViolation("EC2 Instances should use approved AMIs.");
}
}),
validateTypedResource(aws.ec2.LaunchConfiguration.isInstance, (lc, args, reportViolation) => {
validateTypedResource(aws.ec2.LaunchConfiguration, (lc, args, reportViolation) => {
if (amis && !amis.has(lc.imageId)) {
reportViolation("EC2 LaunchConfigurations should use approved AMIs.");
}
}),
validateTypedResource(aws.ec2.LaunchTemplate.isInstance, (lt, args, reportViolation) => {
validateTypedResource(aws.ec2.LaunchTemplate, (lt, args, reportViolation) => {
if (amis && lt.imageId && !amis.has(lt.imageId)) {
reportViolation("EC2 LaunchTemplates should use approved AMIs.");
}
Expand All @@ -60,12 +60,13 @@ export function requireHealthChecksOnAsgElb(name: string): ResourceValidationPol
"Auto Scaling groups that are associated with a load balancer should use Elastic " +
"Load Balancing health checks",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.autoscaling.Group.isInstance, (group, args, reportViolation) => {
const classicLbAttached = group.loadBalancers.length > 0;
const albAttached = group.targetGroupArns.length > 0;
validateResource: validateTypedResource(aws.autoscaling.Group, (group, args, reportViolation) => {
const classicLbAttached = group.loadBalancers && group.loadBalancers.length > 0;
const albAttached = group.targetGroupArns && group.targetGroupArns.length > 0;
if (classicLbAttached || albAttached) {
if (group.healthCheckType !== "ELB") {
reportViolation("Auto Scaling groups that are associated with a load balancer should use");
reportViolation("Auto Scaling groups that are associated with a load balancer should use Elastic " +
"Load Balancing health checks");
}
}
}),
Expand All @@ -88,8 +89,8 @@ export function requireInstanceTenancy(
)} should use tenancy '${tenancy}'`,
enforcementLevel: "mandatory",
validateResource: [
validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
if (hosts !== undefined && hosts.has(instance.hostId)) {
validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (hosts !== undefined && instance.hostId && hosts.has(instance.hostId)) {
if (instance.tenancy !== tenancy) {
reportViolation(`EC2 Instance with host ID '${instance.hostId}' not using tenancy '${tenancy}'.`);
}
Expand All @@ -99,7 +100,7 @@ export function requireInstanceTenancy(
}
}
}),
validateTypedResource(aws.ec2.LaunchConfiguration.isInstance, (lc, args, reportViolation) => {
validateTypedResource(aws.ec2.LaunchConfiguration, (lc, args, reportViolation) => {
if (images !== undefined && images.has(lc.imageId)) {
if (lc.placementTenancy !== tenancy) {
reportViolation(`EC2 LaunchConfiguration with image ID '${lc.imageId}' not using tenancy '${tenancy}'.`);
Expand All @@ -121,17 +122,17 @@ export function requireInstanceType(
description: "EC2 instances should use approved instance types.",
enforcementLevel: "mandatory",
validateResource: [
validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (!types.has(instance.instanceType)) {
reportViolation("EC2 Instance should use the approved instance types.")
}
}),
validateTypedResource(aws.ec2.LaunchConfiguration.isInstance, (lc, args, reportViolation) => {
validateTypedResource(aws.ec2.LaunchConfiguration, (lc, args, reportViolation) => {
if (!types.has(lc.instanceType)) {
reportViolation("EC2 LaunchConfiguration should use the approved instance types.")
}
}),
validateTypedResource(aws.ec2.LaunchTemplate.isInstance, (lt, args, reportViolation) => {
validateTypedResource(aws.ec2.LaunchTemplate, (lt, args, reportViolation) => {
if (!lt.instanceType || !types.has(lt.instanceType)) {
reportViolation("EC2 LaunchTemplate should use the approved instance types.")
}
Expand All @@ -146,7 +147,7 @@ export function requireEbsOptimization(name: string): ResourceValidationPolicy {
name: name,
description: "EBS optimization should be enabled for all EC2 instances",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateResource: validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (instance.ebsOptimized !== true) {
reportViolation("EC2 Instance should have EBS optimization enabled.");
}
Expand All @@ -159,7 +160,7 @@ export function requireDetailedMonitoring(name: string): ResourceValidationPolic
name: name,
description: "Detailed monitoring should be enabled for all EC2 instances",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateResource: validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (instance.monitoring !== true) {
reportViolation("EC2 Instance should have monitoring enabled.");
}
Expand Down Expand Up @@ -197,7 +198,7 @@ export function requireEbsVolumesOnEc2Instances(name: string): ResourceValidatio
name: name,
description: "EBS volumes should be attached to all EC2 instances",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateResource: validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (instance.ebsBlockDevices !== undefined && instance.ebsBlockDevices.length === 0) {
reportViolation("EC2 Instance should have EBS volumes attached.");
}
Expand All @@ -213,7 +214,7 @@ export function requireEbsEncryption(name: string, kmsKeyId?: string): ResourceV
name: name,
description: "EBS volumes should be encrypted",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.ebs.Volume.isInstance, (volume, args, reportViolation) => {
validateResource: validateTypedResource(aws.ebs.Volume, (volume, args, reportViolation) => {
if (!volume.encrypted) {
reportViolation("EBS volumes should be encrypted.");
}
Expand Down Expand Up @@ -260,8 +261,8 @@ export function requireElbLogging(name: string, bucketName?: string): ResourceVa
"logging enabled.",
enforcementLevel: "mandatory",
validateResource: [
validateTypedResource(aws.elasticloadbalancing.LoadBalancer.isInstance, assertElbLogs),
validateTypedResource(aws.elasticloadbalancingv2.LoadBalancer.isInstance, assertElbLogs),
validateTypedResource(aws.elasticloadbalancing.LoadBalancer, assertElbLogs),
validateTypedResource(aws.elasticloadbalancingv2.LoadBalancer, assertElbLogs),
],
};
}
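Review bot: Now that the args (input) shape is validated, the `instance.ebsBlockDevices !== undefined` guard on the line after the new validateTypedResource call in requireEbsVolumesOnEc2Instances makes the policy pass silently whenever no EBS block devices are declared at all, which looks like the very case a policy described as "EBS volumes should be attached to all EC2 instances" is meant to flag; `if (!instance.ebsBlockDevices || instance.ebsBlockDevices.length === 0)` would treat an undeclared list the same as an empty one, if requiring explicitly attached volumes is the intent. The same absence-means-pass shape appears in the new `instance.hostId &&` guard in requireInstanceTenancy and in the `lt.imageId &&` check in requireApprovedAmisById; where that is deliberate, a one-line comment such as `// an unspecified input is not a violation; the provider default applies` would make it explicit for readers auditing the pack. Each of these callbacks starts or ends outside its hunk.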
10 changes: 5 additions & 5 deletions policy-packs/aws/index.ts
Expand Up @@ -7,7 +7,7 @@ const policies = new PolicyPack("aws", {
name: "discouraged-ec2-public-ip-address",
description: "Associating public IP addresses is discouraged.",
enforcementLevel: "advisory",
validateResource: validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateResource: validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
if (instance.associatePublicIpAddress) {
reportViolation("Consider not setting associatePublicIpAddress to true.");
}
Expand All @@ -18,10 +18,10 @@ const policies = new PolicyPack("aws", {
description: "A 'Name' tag is required.",
enforcementLevel: "mandatory",
validateResource: [
validateTypedResource(aws.ec2.Instance.isInstance, (instance, args, reportViolation) => {
validateTypedResource(aws.ec2.Instance, (instance, args, reportViolation) => {
requireNameTag(instance.tags, reportViolation);
}),
validateTypedResource(aws.ec2.Vpc.isInstance, (vpc, args, reportViolation) => {
validateTypedResource(aws.ec2.Vpc, (vpc, args, reportViolation) => {
requireNameTag(vpc.tags, reportViolation);
}),
],
Expand All @@ -30,8 +30,8 @@ const policies = new PolicyPack("aws", {
name: "prohibited-public-internet",
description: "Ingress rules with public internet access are prohibited.",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.ec2.SecurityGroup.isInstance, (sg, args, reportViolation) => {
const publicInternetRules = sg.ingress.find(ingressRule =>
validateResource: validateTypedResource(aws.ec2.SecurityGroup, (sg, args, reportViolation) => {
const publicInternetRules = (sg.ingress || []).find(ingressRule =>
(ingressRule.cidrBlocks || []).find(cidr => cidr === "0.0.0.0/0"));
if (publicInternetRules) {
reportViolation("Ingress rules with public internet access are prohibited.");
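Review bot: The new `(sg.ingress || []).find(...)` in prohibited-public-internet still only inspects the IPv4 `cidrBlocks` on the following line, so an ingress rule that is open through `ipv6CidrBlocks: ["::/0"]` is not reported; since the inner `find` returns a string that is only used for truthiness, `some`/`includes` also reads more directly: `const publicInternetRules = (sg.ingress || []).some(rule => (rule.cidrBlocks || []).includes("0.0.0.0/0") || (rule.ipv6CidrBlocks || []).includes("::/0"));`. Note also that only inline `ingress` entries on the SecurityGroup are validated; rules declared as standalone aws.ec2.SecurityGroupRule resources are not covered by this policy, which is worth stating in the description if that is intended. The callback continues past the hunk.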
5 changes: 2 additions & 3 deletions policy-packs/azure/index.ts
@@ -1,14 +1,13 @@
import * as azure from "@pulumi/azure";
import { PolicyPack, validateTypedResource } from "@pulumi/policy";
import * as assert from "assert";

const policies = new PolicyPack("azure", {
policies: [
{
name: "discouraged-public-ip-address",
description: "Associating public IP addresses is discouraged.",
enforcementLevel: "advisory",
validateResource: validateTypedResource(azure.network.NetworkInterface.isInstance, (ni, args, reportViolation) => {
validateResource: validateTypedResource(azure.network.NetworkInterface, (ni, args, reportViolation) => {
const publicIpAssociations = ni.ipConfigurations.find(cfg => cfg.publicIpAddressId !== undefined);
if (publicIpAssociations !== undefined) {
reportViolation("Associating public IP addresses is discouraged.");
Expand All @@ -19,7 +18,7 @@ const policies = new PolicyPack("azure", {
name: "prohibited-public-internet",
description: "Inbound rules with public internet access are prohibited.",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(azure.network.NetworkSecurityRule.isInstance, (securityRule, args, reportViolation) => {
validateResource: validateTypedResource(azure.network.NetworkSecurityRule, (securityRule, args, reportViolation) => {
if (securityRule.sourceAddressPrefix === "*") {
reportViolation("Inbound rules with public internet access are prohibited.");
}
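Review bot: The prohibited-public-internet callback registered on the new validateTypedResource line only matches `sourceAddressPrefix === "*"` on the next line; a rule with `sourceAddressPrefix: "0.0.0.0/0"` or the `Internet` service tag, or one whose sources are listed in `sourceAddressPrefixes`, is not reported, and neither `direction` nor `access` is consulted, so an inbound Deny rule is flagged as a violation. Consider gating on `securityRule.direction === "Inbound" && securityRule.access === "Allow"` and testing the prefix (and each entry of `sourceAddressPrefixes`) against a small set such as `["*", "0.0.0.0/0", "Internet"]`. In the first hunk, if `ipConfigurations` is optional on the NetworkInterface args type, `ni.ipConfigurations.find` would need the `(… || [])` guard the aws pack uses; I cannot confirm that from the hunk. Both callback bodies end outside their hunks.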
4 changes: 2 additions & 2 deletions policy-packs/gcp/index.ts
Expand Up @@ -7,7 +7,7 @@ const policies = new PolicyPack("gcp", {
name: "discouraged-gcp-public-ip-address",
description: "Associating public IP addresses is discouraged.",
enforcementLevel: "advisory",
validateResource: validateTypedResource(gcp.compute.Instance.isInstance, (instance, args, reportViolation) => {
validateResource: validateTypedResource(gcp.compute.Instance, (instance, args, reportViolation) => {
const publicIps = instance.networkInterfaces.find(net => net.accessConfigs !== undefined);
if (publicIps !== undefined) {
reportViolation("Associating public IP addresses is discouraged.");
Expand All @@ -18,7 +18,7 @@ const policies = new PolicyPack("gcp", {
name: "prohibited-public-internet",
description: "Ingress rules with public internet access are prohibited.",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(gcp.compute.Firewall.isInstance, (firewall, args, reportViolation) => {
validateResource: validateTypedResource(gcp.compute.Firewall, (firewall, args, reportViolation) => {
const publicInternetRules = (firewall.sourceRanges || []).find(ranges => ranges === "0.0.0.0/0");
if (publicInternetRules !== undefined) {
reportViolation("Ingress rules with public internet access are prohibited.");
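Review bot: The prohibited-public-internet check after the new validateTypedResource line reports any firewall whose `sourceRanges` contains `0.0.0.0/0` regardless of whether the rule allows or denies traffic, so a deny-from-internet rule (only `denies` set) is flagged, while an IPv6 rule using `::/0` passes. If the policy is about open allow rules, gate on `firewall.allows` being non-empty and match both ranges, e.g. `const openRanges = ["0.0.0.0/0", "::/0"];` and `const publicInternetRules = (firewall.sourceRanges || []).find(r => openRanges.includes(r));`. In the first hunk, `net.accessConfigs !== undefined` also treats an explicitly empty `accessConfigs: []` as a public IP; `(net.accessConfigs || []).length > 0` would avoid that false positive. Both callbacks end outside their hunks.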
4 changes: 2 additions & 2 deletions policy-packs/kubernetes/index.ts
Expand Up @@ -21,8 +21,8 @@ const policies = new PolicyPack("kubernetes", {
name: "no-public-services",
description: "Kubernetes Services should be cluster-private",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(k8s.core.v1.Service.isInstance, (svc, args, reportViolation) => {
if (svc.spec.type == "LoadBalancer") {
validateResource: validateTypedResource(k8s.core.v1.Service, (svc, args, reportViolation) => {
if (svc.spec && svc.spec.type === "LoadBalancer") {
reportViolation(`Kubernetes Services that have .type === "LoadBalancer" are exposed to ` +
`anything that can reach the Kubernetes cluster, likely including the ` +
`public Internet. The security team has disallowed this to prevent ` +
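Review bot: The new condition `svc.spec && svc.spec.type === "LoadBalancer"` only catches LoadBalancer services, but a `NodePort` service is also reachable from outside the cluster on every node's address, and `spec.externalIPs` exposes a ClusterIP service too, so a policy described as "Kubernetes Services should be cluster-private" lets both through. If those are meant to be covered, widen the check to `if (svc.spec && (svc.spec.type === "LoadBalancer" || svc.spec.type === "NodePort" || (svc.spec.externalIPs || []).length > 0))` and generalize the violation text, which currently names only LoadBalancer. The reportViolation message continues past the hunk.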
2 changes: 1 addition & 1 deletion policy-packs/policy-pack-typescript/index.ts
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ new PolicyPack("policy-pack-typescript", {
name: "s3-no-public-read",
description: "Prohibits setting the publicRead or publicReadWrite permission on AWS S3 buckets.",
enforcementLevel: "mandatory",
validateResource: validateTypedResource(aws.s3.Bucket.isInstance, (bucket, args, reportViolation) => {
validateResource: validateTypedResource(aws.s3.Bucket, (bucket, args, reportViolation) => {
if (bucket.acl === "public-read" || bucket.acl === "public-read-write") {
reportViolation(
"You cannot set public-read or public-read-write on an S3 bucket. " +
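Review bot: The s3-no-public-read check after the new validateTypedResource line compares only the canned `bucket.acl`; the same bucket can be made publicly readable through `bucket.policy` or through `bucket.grants`, and neither input is inspected, so the description promises more than the callback enforces. Either narrow the description to say it covers the canned ACL only, or extend the callback to also flag `bucket.grants` entries for the AllUsers group and a `bucket.policy` whose Principal is `*`; pairing this with a policy that requires an aws.s3.BucketPublicAccessBlock would be the more robust control. The callback ends outside the hunk.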

0 comments on commit c29a5fa
