forked from GoogleCloudPlatform/policy-library
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgcp_storage_location_v1.yaml
115 lines (103 loc) · 4.72 KB
/
gcp_storage_location_v1.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# This template is for policies restricting the locations
# of Cloud Storage buckets to specific locations in GCP.
# Location names need to be exact match. It supports
# allowlist or denylist modes, as well as exempting selected
# buckets from the list.
apiVersion: templates.gatekeeper.sh/v1alpha1
kind: ConstraintTemplate
metadata:
name: gcp-storage-location-v1
spec:
crd:
spec:
names:
kind: GCPStorageLocationConstraintV1
validation:
openAPIV3Schema:
properties:
mode:
type: string
enum: [denylist, allowlist]
description: "String identifying the operational mode, allowlist or denylist. In allowlist mode,
datasets are only allowed in the locations specified in the 'locations' parameter. In denylist mode,
resources are allowed in all locations except those listed in the 'locations' parameter."
exemptions:
type: array
items:
type: string
description: "Array of storage buckets to exempt from location restriction. String values in the array should
correspond to the full name values of exempted storage buckets."
locations:
type: array
items:
type: string
description: "Array of location names to be allowed or denied. Should be the the location name, whether regional
(e.g. us-west2), multi-regional (e.g. EU), or dual-region (e.g. eur4), as defined at
https://cloud.google.com/storage/docs/locations. Location names need to be exact match."
targets:
validation.gcp.forsetisecurity.org:
rego: | #INLINE("validator/storage_location.rego")
#
# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
package templates.gcp.GCPStorageLocationConstraintV1
import data.validator.gcp.lib as lib
deny[{
"msg": message,
"details": metadata,
}] {
constraint := input.constraint
lib.get_constraint_params(constraint, params)
asset := input.asset
asset.asset_type == "storage.googleapis.com/Bucket"
# Check if resource is in exempt list
exempt_list := lib.get_default(params, "exemptions", [])
matches := {asset.name} & cast_set(exempt_list)
count(matches) == 0
# Check that location is in allowlist/denylist
target_locations := params.locations
asset_location := asset.resource.data.location
location_matches := ({upper(asset_location)} & cast_set(target_locations)) | ({lower(asset_location)} & cast_set(target_locations))
target_location_match_count(params.mode, desired_count)
count(location_matches) == desired_count
message := sprintf("%v is in a disallowed location.", [asset.name])
metadata := {"location": asset_location, "resource": asset.name}
}
###########################
# Rule Utilities
###########################
# Determine the overlap between locations under test and constraint
# By default (allowlist), we violate if there isn't overlap
target_location_match_count(mode) = 0 {
mode != "denylist"
}
target_location_match_count(mode) = 1 {
mode == "denylist"
}
#ENDINLINE