This is going to be a bit inverted but I’m trying to ensure the roles “allUsers” and “allAuthenticatedUsers” are not present in the mock file. However, I get a pass in the pass file and a fail in the fail file when both or either/or are present.
The fail works fine. However, the pass file should fail if “allUsers” and/or “allAuthenticatedUsers” is present. What I’m getting is a pass for the pass.hcl if either of the two user roles is present. This should not be the case since it violates our policy.
The resources I’m targeting are: google_service_account_iam_binding, google_kms_crypto_key_iam_member, and google_iam_policy
https://play.sentinelproject.io/p/QV8ZfQwOYUn
Unfortunately I couldn’t get this script to work on playground this time, so you’ll have to use a personal environment unless you know a workaround.
-Thank you
@Hiddenmessages my recommendation would be to try and write a lot of the logic yourself where possible. The function library is a great resource but sometimes I feel like it abstracts away too much of the policy logic.
Based on my understanding, you would like to:
- Filter resources based on type
- Check the members property and validate that the configured members are not contained in a predefined list
- Fail the policy if there are violations of the rule defined above
I would implement the policy as follows:
import "tfplan/v2" as tfplan

// Resource types whose IAM members should be inspected
resource_types = [
    "google_service_account_iam_binding",
    "google_kms_crypto_key_iam_member",
    "google_iam_policy",
]

// Principals that must never be granted a role
forbidden_members = [
    "allUsers",
    "allAuthenticatedUsers",
]

// Managed resources of the types above that are being created or updated
all_resources = filter tfplan.resource_changes as _, resource_changes {
    resource_changes.type in resource_types and
    resource_changes.mode is "managed" and
    (resource_changes.change.actions contains "create" or
        resource_changes.change.actions is ["update"])
}

// Resources whose planned `member` attribute is a forbidden principal
// (note: *_iam_binding resources carry a list-valued `members` instead,
// so `member` is undefined for them)
violations = filter all_resources as _, resource {
    resource.change.after.member in forbidden_members
}

// The policy passes only when no violating resource exists
main = rule {
    violations is empty
}
Playground Example: Sentinel Playground
I haven’t accounted for undefined values, but this should get you started.
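As an added example (not part of the reply above or of any HashiCorp or Google sample), the same policy extended to cover the two gaps the reply leaves open: *_iam_binding resources expose a list-valued `members` rather than a scalar `member`, and either attribute may be absent or unknown at plan time, which in Sentinel yields an undefined value that makes the rule itself undefined. The `get_members` helper is my own and assumed; it normalises both attribute shapes to a list, using Sentinel's `else` operator so that a missing attribute becomes an empty list instead of undefined.

```sentinel
import "tfplan/v2" as tfplan

// Resource types whose IAM grants are inspected
resource_types = [
    "google_service_account_iam_binding",
    "google_kms_crypto_key_iam_member",
    "google_iam_policy",
]

// Principals that must never be granted a role
forbidden_members = [
    "allUsers",
    "allAuthenticatedUsers",
]

// Managed resources of the watched types being created or updated
iam_resources = filter tfplan.resource_changes as _, rc {
    rc.type in resource_types and
    rc.mode is "managed" and
    (rc.change.actions contains "create" or rc.change.actions is ["update"])
}

// Assumed helper (not on the original page): returns the principals a
// resource grants as a list, whether it uses `members` (iam_binding) or
// `member` (iam_member). Absent or unknown attributes become an empty
// list, so the rule never evaluates to undefined.
get_members = func(rc) {
    after = rc.change.after else {}

    members = after.members else null
    if members is not null {
        return members
    }

    member = after.member else null
    if member is not null {
        return [member]
    }

    return []
}

// A resource violates the policy if any of its principals is forbidden
violations = filter iam_resources as _, rc {
    any get_members(rc) as m { m in forbidden_members }
}

// Surface each offender by address in the policy output for triage
for violations as address, rc {
    print("forbidden principal on", address, "->", get_members(rc))
}

main = rule {
    violations is empty
}
```

With the `else` defaults in place a mock containing only `member = "allUsers"` on an iam_member resource and a mock containing `members = ["user:a@example.com", "allAuthenticatedUsers"]` on an iam_binding resource both fail, while a plan that grants neither principal passes rather than returning undefined. One caveat: in the Google provider `google_iam_policy` is a data source whose grants live in nested `binding` blocks, so it is not matched by the `mode is "managed"` filter above; its bindings would need to be read from the policy data it produces rather than from `resource_changes`.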