Difficulty causing pass.hcl to become a fail

This is going to be a bit inverted but I’m trying to ensure the roles “allUsers” and “allAuthenticatedUsers” are not present in the mock file. However, I get a pass in the pass file and a fail in the fail file when both or either/or are present.

The fail works fine. However, the pass file should fail if “allUsers” and/or “allAuthenticatedUsers” is present. What I’m getting is a pass for the pass.hcl if either of the two user roles is present. This should not be the case since it violates our policy.

The resources I’m targeting are: google_service_account_iam_binding, google_kms_crypto_key_iam_member, and google_iam_policy.

https://play.sentinelproject.io/p/QV8ZfQwOYUn

Unfortunately I couldn’t get this script to work on playground this time, so you’ll have to use a personal environment unless you know a workaround.

-Thank you

@Hiddenmessages my recommendation would be to try and write a lot of the logic yourself where possible. The function library is a great resource but sometimes I feel like it abstracts away too much of the policy logic.

Based on my understanding, you would like to:

  1. Filter resources based on type
  2. Check the members property and validate that the configured members are not contained in a predefined list
  3. Fail the policy if there are violations of the rule defined above

I would implement the policy as follows:

import "tfplan/v2" as tfplan

# Resource types this policy inspects
resource_types = [
  "google_service_account_iam_binding",
  "google_kms_crypto_key_iam_member",
  "google_iam_policy",
]

# Principals that must never be granted a role
forbidden_members = [
  "allUsers",
  "allAuthenticatedUsers",
]

# Managed resources of the relevant types that are being created or updated
all_resources = filter tfplan.resource_changes as _, resource_changes {
    resource_changes.type in resource_types and
        resource_changes.mode is "managed" and
        (resource_changes.change.actions contains "create" or
            resource_changes.change.actions is ["update"])
}

# Resources whose planned "member" value is on the forbidden list
violations = filter all_resources as _, resource {
    resource.change.after.member in forbidden_members
}

main = rule {
    violations is empty
}

Playground Example: Sentinel Playground

I haven’t accounted for undefined values, but this should get you started.
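The three resource types in the question grant principals through different attributes (a single `member` string on `*_iam_member`, a `members` list on `*_iam_binding`, and `binding` blocks on the `google_iam_policy` data source), so a check on `after.member` alone cannot flag every case. The variant below is an added example, not the code from the reply above; it assumes the mock exposes those attributes under `change.after` with the Google provider's names, and uses Sentinel's `else` operator so that an attribute missing on one resource type does not turn the rule result undefined.

```sentinel
import "tfplan/v2" as tfplan

resource_types = [
  "google_service_account_iam_binding",
  "google_kms_crypto_key_iam_member",
  "google_iam_policy",
]

forbidden_members = ["allUsers", "allAuthenticatedUsers"]

# Collect every principal an IAM resource grants, whichever attribute
# the resource type uses. "else" supplies a default when the attribute
# is undefined, so all three types can share one check.
members_of = func(after) {
    members = []
    # *_iam_member resources carry a single "member" string
    if (after.member else null) is not null {
        members = members + [after.member]
    }
    # *_iam_binding resources carry a "members" list
    members = members + (after.members else [])
    # google_iam_policy carries "binding" blocks, each with its own "members"
    bindings = after.binding else []
    for bindings as b {
        members = members + (b.members else [])
    }
    return members
}

# No mode filter: google_iam_policy is a data source, so restricting to
# mode "managed" would silently exclude it.
iam_resources = filter tfplan.resource_changes as _, rc {
    rc.type in resource_types
}

# "after" is null for destroyed resources; the empty map default means
# nothing is collected for them and they cannot violate the rule.
violations = filter iam_resources as _, rc {
    any members_of(rc.change.after else {}) as m { m in forbidden_members }
}

main = rule {
    violations is empty
}
```

With this shape, a pass mock that grants `allUsers` through `members` on an `iam_binding` resource fails as expected, which is the behaviour the original question was looking for.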
