Sentinel empty resource

Hello, I am trying to write a policy that checks for lifecycle configuration in S3. I want the policy to fail if an S3 bucket is deployed without the lifecycle configuration. I used this code, which works for my S3-specific module but fails all my other modules.
```sentinel
import "tfplan-functions" as plan

resources = plan.find_resources("aws_s3_bucket_lifecycle_configuration")
if resources is not empty {
	print(resources)
	# The posted call had an empty third argument (a syntax error); the helper's
	# signature is filter_attribute_is_value(resources, attr, value, prtmsg).
	# null is assumed here as the value to compare against.
	lifecycle_configuration_violation = plan.filter_attribute_is_value(resources, "values.0.rule", null, true)
	validated = length(lifecycle_configuration_violation["messages"]) is 0
} else {
	print("No lifecycle configured on S3 Bucket $BUCKET NAME, S3 buckets need to have lifecycle defined.")
	validated = false
}

main = rule { validated }
```

Hi @f.nkeng

Thanks for posting your question. Unfortunately, it’s going to be very difficult for the community to provide assistance without some Sentinel mock data. You are likely to have more success if you share a playground link with the policy and the mock data.

I suspect that the issue is with your usage of the filter_attribute_is_value helper function, but without mock data, it is really hard to tell.

Thanks for responding. I have a playground here: Sentinel Playground

Please correct me if I am wrong, but it appears that the policy you have provided is checking for the existence of rule on a aws_s3_bucket_lifecycle_configuration resource, but NOT checking to ensure that every bucket that is getting provisioned has a lifecycle configuration associated with it, which I believe is the outcome you are hoping to achieve?

Yes please, that is exactly what I am trying to achieve: checking to ensure that every bucket that is getting provisioned has a lifecycle configuration associated with it.

May I have some help achieving that objective please.
Thanks

@f.nkeng if you would like assistance, you will need to provide a full set of mocks that include all resources that will be provisioned. You mentioned that the policy passes on some modules but not on others. I think that’s likely because for the modules that passed, lifecycle resources did not exist and therefore there was nothing to check.

@f.nkeng If I have understood your issue properly, then generally lifecycle configuration and S3 buckets are deployed as separate resources, and while defining the lifecycle configuration we need to provide a reference to the S3 bucket id.
So in this case you first need to define a function to collect the list of S3 buckets getting provisioned, and then check on each lifecycle configuration whether all of those S3 ids are declared. Hope I am clear.
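The approach described above, written out as a Sentinel policy over the tfconfig/v2 import (an added example, not code from the original thread or from any of the participants). It assumes the bucket is passed by reference (for example `bucket = aws_s3_bucket.logs.id`) so that the reference appears in the configuration mocks; a lifecycle configuration that names the bucket with a literal string is not matched and the policy then fails for that bucket.

```sentinel
import "tfconfig/v2" as tfconfig
import "strings"

# Managed aws_s3_bucket resources declared anywhere in the configuration, keyed by address.
buckets = filter tfconfig.resources as _, r {
	r.mode is "managed" and r.type is "aws_s3_bucket"
}

# Managed aws_s3_bucket_lifecycle_configuration resources, keyed by address.
lifecycles = filter tfconfig.resources as _, r {
	r.mode is "managed" and r.type is "aws_s3_bucket_lifecycle_configuration"
}

# Turns a reference such as "aws_s3_bucket.logs.id" seen inside module "module.storage"
# into the full resource address "module.storage.aws_s3_bucket.logs".
# Returns "" when the reference does not point at an aws_s3_bucket.
bucket_address = func(ref, module_address) {
	parts = strings.split(ref, ".")
	if length(parts) < 2 or parts[0] is not "aws_s3_bucket" {
		return ""
	}
	if module_address is "" {
		return parts[0] + "." + parts[1]
	}
	return module_address + "." + parts[0] + "." + parts[1]
}

# Bucket addresses that at least one lifecycle configuration points at via its
# "bucket" argument. A literal bucket name has no references and is ignored.
covered = []
for lifecycles as _, lc {
	refs = lc.config.bucket.references else []
	for refs as ref {
		addr = bucket_address(ref, lc.module_address)
		if addr is not "" and addr not in covered {
			append(covered, addr)
		}
	}
}

# Every declared bucket must be referenced by some lifecycle configuration.
missing = filter buckets as addr, _ {
	addr not in covered
}

for missing as addr, _ {
	print("No lifecycle configuration references bucket", addr)
}

main = rule {
	length(missing) is 0
}
```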

Thanks @hcrhall, I have updated some mocks in my playground.

@ashutoshrathore you are right, the buckets are deployed as separate resources from the lifecycle configuration. But I am still unclear as to how to define the functions to check the buckets being provisioned, please.

@f.nkeng As @hcrhall said, please provide mock files for both the lifecycle configuration and the S3 bucket in the playground. Then I will be able to assist you with how you can check it.

Thank you, I have provided the pass and fail mocks I am using in the playground: Sentinel Playground

@f.nkeng

It looks like you have sent us the previous URL. You will need to add the new mocks and then click the share button which will generate a new share URL. When you send the new URL we will have access to the new mock data.

https://play.sentinelproject.io/p/koQs70KH7oN
sorry about that. I hope this works.
Thanks

@f.nkeng I cannot see an easy way of associating a bucket with the lifecycle configuration using the planned_values. This may be due to the way in which you have defined the configuration or perhaps you have sanitized the plan data before sharing?

I would encourage you to include all mock data including the tfconfig/V2 mocks so that we can check references etc.

Okay, thank you, I am going to add the tfconfig mocks.

https://play.sentinelproject.io/p/odi6xmp9Ei_6

@f.nkeng it will be challenging to catch all combinations of valid Terraform configuration. It might be simpler to create a trusted S3 module and then mandate via policy that all S3 buckets are provisioned using the trusted module.

I tried the following which works to a degree but I’ve made a lot of assumptions about how modules are used, and how inputs are provided so I am not confident that it will cover all use cases: Sentinel Playground

Thank you @hcrhall, I greatly appreciate all your help.