OPA 拒绝创建新子网
denial of creation of new subnets by OPA
我有下面的 rego 代码,
package terraform.analysis
import input as tfplan
# Plans whose weighted change score is below this threshold are authorized automatically.
blast_radius := 5
# Cost of each change action per resource type. A create costs 10, so a single
# subnet creation already reaches blast_radius.
weights := {
	"aws_subnet": {"delete": 100, "create": 10, "modify": 1},
}
# Only these resource types are counted. A type present in weights but missing
# here has undefined num_* counts and silently contributes nothing to the score.
resource_types := {"aws_subnet"}
# Authorization holds when the plan's weighted change score stays below
# blast_radius. No IAM check is performed here: only the types listed in
# resource_types are scored. score is always defined (an empty comprehension
# sums to 0), so an input with no resource_changes, such as state output,
# scores 0 and is authorized.
default authz = false
authz {
	blast_radius > score
}
# Weighted change score of the plan: for every resource type that has weights,
# delete*deletes + create*creates + modify*modifies, summed over the types.
# A type present in weights but absent from resource_types has undefined counts
# and drops out of the comprehension. The comprehension itself is never
# undefined, so a plan without resource_changes yields [] and a score of 0.
score = total {
	per_type := [subtotal |
		some resource_type
		crud := weights[resource_type]
		subtotal := (crud.delete * num_deletes[resource_type]) + (crud.create * num_creates[resource_type]) + (crud.modify * num_modifies[resource_type])
	]
	total := sum(per_type)
}
####################
# Terraform Library
####################
# Every resource_changes entry of the plan whose type is in resource_types.
# Because this is a comprehension it evaluates to [] rather than undefined when
# the input carries no resource_changes at all (for example the output of
# `terraform show -json` run against state instead of a plan); every count
# derived from it is then 0.
resources[resource_type] = matching {
	some resource_type
	resource_types[resource_type]
	matching := [rc | rc := tfplan.resource_changes[_]; rc.type == resource_type]
}
# Number of planned resources of the given type whose change.actions contain
# "create". A replacement (actions ["delete", "create"]) is counted here as
# well as in num_deletes.
num_creates[resource_type] = n {
	some resource_type
	resource_types[resource_type]
	created := [rc | rc := resources[resource_type][_]; rc.change.actions[_] == "create"]
	n := count(created)
}
# Number of planned resources of the given type whose change.actions contain
# "delete". A replacement (actions ["delete", "create"]) is counted here as
# well as in num_creates.
num_deletes[resource_type] = n {
	some resource_type
	resource_types[resource_type]
	deleted := [rc | rc := resources[resource_type][_]; rc.change.actions[_] == "delete"]
	n := count(deleted)
}
# Number of planned resources of the given type whose change.actions contain
# "update" (the plan JSON's name for an in-place modification; the weights
# table calls it "modify").
num_modifies[resource_type] = n {
	some resource_type
	resource_types[resource_type]
	updated := [rc | rc := resources[resource_type][_]; rc.change.actions[_] == "update"]
	n := count(updated)
}
我的 main.tf 文件如下:
# AWS provider; the region comes from var.region (declared outside this file).
provider "aws" {
region = var.region
}
# DATA RESOURCES
# Availability zones of the provider region; aws_subnet below indexes into .names.
data "aws_availability_zones" "available" {}
# Customer-managed KMS key used for RDS storage encryption, looked up by alias.
# The alias is spelled "enryption" here; if no alias with exactly this name
# exists in the target account/region the lookup is expected to fail at plan time.
data "aws_kms_key" "rds_key" {
key_id = "alias/rds_cluster_enryption_key"
}
# VPC that hosts every subnet created below; its CIDR is var.network_address_space.
resource "aws_vpc" "tf-aws-vn" {
  tags       = local.common_tags
  cidr_block = var.network_address_space
}
# Renders one /24-style CIDR per subnet. The "$${" escape hands the literal
# "${cidrsubnet(vpc_cidr,8,current_count)}" to the template provider, which
# evaluates it against the vars below. The same value can be computed inline
# with cidrsubnet(var.network_address_space, 8, count.index).
data "template_file" "public_cidrsubnet" {
  count = var.subnet_count
  vars = {
    current_count = count.index
    vpc_cidr      = var.network_address_space
  }
  template = "$${cidrsubnet(vpc_cidr,8,current_count)}"
}
# RESOURCES
# One subnet per var.subnet_count. In a plan that creates them, each instance is
# a "create" change; with the policy's create weight of 10 even subnet_count = 1
# scores 10, which is not below blast_radius = 5 and should be denied.
# slice() fails at plan time if subnet_count exceeds the number of available AZs.
resource "aws_subnet" "tf-aws-sn" {
  count             = var.subnet_count
  tags              = local.common_tags
  vpc_id            = aws_vpc.tf-aws-vn.id
  availability_zone = slice(data.aws_availability_zones.available.names, 0, var.subnet_count)[count.index]
  cidr_block        = data.template_file.public_cidrsubnet[count.index].rendered
}
# Subnet group spanning every subnet created above; the RDS cluster attaches to it by name.
resource "aws_db_subnet_group" "db_subnets" {
  tags       = local.common_tags
  subnet_ids = aws_subnet.tf-aws-sn[*].id
  name       = "rdsdbgroup"
}
# Aurora MySQL cluster placed in the subnet group above, with storage encrypted
# under the customer-managed key from data.aws_kms_key.rds_key.
# master_password is taken from var.password; Terraform is expected to record it
# in state and in the JSON plan exported for OPA, so tfplan.json and the backend
# state need the same protection as the secret itself.
resource "aws_rds_cluster" "tf-aws-rds-1" {
  # identity
  cluster_identifier = "aurora-cluster-1"
  database_name      = "cupday"

  # engine
  engine         = "aurora-mysql"
  engine_version = "5.7.mysql_aurora.2.03.2"

  # placement and credentials
  db_subnet_group_name = aws_db_subnet_group.db_subnets.name
  master_username      = "administrator"
  master_password      = var.password

  # backups and encryption at rest
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  storage_encrypted       = true
  kms_key_id              = data.aws_kms_key.rds_key.arn
}
S3 后端如下:
# Remote *state* storage. `key` names the state object in the bucket; despite
# being called "test.plan" it is not a saved plan file, and a plain
# `terraform show -json` renders this state rather than a plan. The state is
# expected to hold every attribute, including the RDS master password, so the
# bucket needs tight access control; the s3 backend's `encrypt` setting (not
# set here) turns on server-side encryption of the state object.
terraform {
  backend "s3" {
    region = "ap-southeast-2"
    bucket = "terraform-backend-20200102"
    key    = "test.plan"
  }
}
我的处理如下:
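# `terraform show -json` with no argument prints the current *state*, which has no
# resource_changes. The policy's comprehensions then evaluate to [] (count 0,
# score 0), so authz is true no matter how many subnets the plan would create.
# The S3 backend only stores state (its `key` is the state object's name, not a
# saved plan), so the plan has to be written to a local file first and that file
# passed to `show`. tfplan.binary is just a constructed local file name.
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --format pretty --data terraform.rego --input tfplan.json "data.terraform.analysis.authz"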
为什么创建超过 2 个子网时，我得到的响应是“true”？我认为它应该是 false。
注意:提前致歉,我是 OPA 的新手,但肯定会受到启发。
鉴于 blast_radius = 5，计划中有一、二、三或四个子网时都被视为允许，这似乎是合理的，不是吗？
我有下面的 rego 代码,
package terraform.analysis
import input as tfplan
# Plans whose weighted change score is below this threshold are authorized automatically.
blast_radius := 5
# Cost of each change action per resource type. A create costs 10, so a single
# subnet creation already reaches blast_radius.
weights := {
	"aws_subnet": {"delete": 100, "create": 10, "modify": 1},
}
# Only these resource types are counted. A type present in weights but missing
# here has undefined num_* counts and silently contributes nothing to the score.
resource_types := {"aws_subnet"}
# Authorization holds when the plan's weighted change score stays below
# blast_radius. No IAM check is performed here: only the types listed in
# resource_types are scored. score is always defined (an empty comprehension
# sums to 0), so an input with no resource_changes, such as state output,
# scores 0 and is authorized.
default authz = false
authz {
	blast_radius > score
}
# Weighted change score of the plan: for every resource type that has weights,
# delete*deletes + create*creates + modify*modifies, summed over the types.
# A type present in weights but absent from resource_types has undefined counts
# and drops out of the comprehension. The comprehension itself is never
# undefined, so a plan without resource_changes yields [] and a score of 0.
score = total {
	per_type := [subtotal |
		some resource_type
		crud := weights[resource_type]
		subtotal := (crud.delete * num_deletes[resource_type]) + (crud.create * num_creates[resource_type]) + (crud.modify * num_modifies[resource_type])
	]
	total := sum(per_type)
}
####################
# Terraform Library
####################
# Every resource_changes entry of the plan whose type is in resource_types.
# Because this is a comprehension it evaluates to [] rather than undefined when
# the input carries no resource_changes at all (for example the output of
# `terraform show -json` run against state instead of a plan); every count
# derived from it is then 0.
resources[resource_type] = matching {
	some resource_type
	resource_types[resource_type]
	matching := [rc | rc := tfplan.resource_changes[_]; rc.type == resource_type]
}
# Number of planned resources of the given type whose change.actions contain
# "create". A replacement (actions ["delete", "create"]) is counted here as
# well as in num_deletes.
num_creates[resource_type] = n {
	some resource_type
	resource_types[resource_type]
	created := [rc | rc := resources[resource_type][_]; rc.change.actions[_] == "create"]
	n := count(created)
}
# Number of planned resources of the given type whose change.actions contain
# "delete". A replacement (actions ["delete", "create"]) is counted here as
# well as in num_creates.
num_deletes[resource_type] = n {
	some resource_type
	resource_types[resource_type]
	deleted := [rc | rc := resources[resource_type][_]; rc.change.actions[_] == "delete"]
	n := count(deleted)
}
# Number of planned resources of the given type whose change.actions contain
# "update" (the plan JSON's name for an in-place modification; the weights
# table calls it "modify").
num_modifies[resource_type] = n {
	some resource_type
	resource_types[resource_type]
	updated := [rc | rc := resources[resource_type][_]; rc.change.actions[_] == "update"]
	n := count(updated)
}
我的 main.tf 文件如下:
# AWS provider; the region comes from var.region (declared outside this file).
provider "aws" {
region = var.region
}
# DATA RESOURCES
# Availability zones of the provider region; aws_subnet below indexes into .names.
data "aws_availability_zones" "available" {}
# Customer-managed KMS key used for RDS storage encryption, looked up by alias.
# The alias is spelled "enryption" here; if no alias with exactly this name
# exists in the target account/region the lookup is expected to fail at plan time.
data "aws_kms_key" "rds_key" {
key_id = "alias/rds_cluster_enryption_key"
}
# VPC that hosts every subnet created below; its CIDR is var.network_address_space.
resource "aws_vpc" "tf-aws-vn" {
  tags       = local.common_tags
  cidr_block = var.network_address_space
}
# Renders one /24-style CIDR per subnet. The "$${" escape hands the literal
# "${cidrsubnet(vpc_cidr,8,current_count)}" to the template provider, which
# evaluates it against the vars below. The same value can be computed inline
# with cidrsubnet(var.network_address_space, 8, count.index).
data "template_file" "public_cidrsubnet" {
  count = var.subnet_count
  vars = {
    current_count = count.index
    vpc_cidr      = var.network_address_space
  }
  template = "$${cidrsubnet(vpc_cidr,8,current_count)}"
}
# RESOURCES
# One subnet per var.subnet_count. In a plan that creates them, each instance is
# a "create" change; with the policy's create weight of 10 even subnet_count = 1
# scores 10, which is not below blast_radius = 5 and should be denied.
# slice() fails at plan time if subnet_count exceeds the number of available AZs.
resource "aws_subnet" "tf-aws-sn" {
  count             = var.subnet_count
  tags              = local.common_tags
  vpc_id            = aws_vpc.tf-aws-vn.id
  availability_zone = slice(data.aws_availability_zones.available.names, 0, var.subnet_count)[count.index]
  cidr_block        = data.template_file.public_cidrsubnet[count.index].rendered
}
# Subnet group spanning every subnet created above; the RDS cluster attaches to it by name.
resource "aws_db_subnet_group" "db_subnets" {
  tags       = local.common_tags
  subnet_ids = aws_subnet.tf-aws-sn[*].id
  name       = "rdsdbgroup"
}
# Aurora MySQL cluster placed in the subnet group above, with storage encrypted
# under the customer-managed key from data.aws_kms_key.rds_key.
# master_password is taken from var.password; Terraform is expected to record it
# in state and in the JSON plan exported for OPA, so tfplan.json and the backend
# state need the same protection as the secret itself.
resource "aws_rds_cluster" "tf-aws-rds-1" {
  # identity
  cluster_identifier = "aurora-cluster-1"
  database_name      = "cupday"

  # engine
  engine         = "aurora-mysql"
  engine_version = "5.7.mysql_aurora.2.03.2"

  # placement and credentials
  db_subnet_group_name = aws_db_subnet_group.db_subnets.name
  master_username      = "administrator"
  master_password      = var.password

  # backups and encryption at rest
  backup_retention_period = 5
  preferred_backup_window = "07:00-09:00"
  storage_encrypted       = true
  kms_key_id              = data.aws_kms_key.rds_key.arn
}
S3 后端如下:
# Remote *state* storage. `key` names the state object in the bucket; despite
# being called "test.plan" it is not a saved plan file, and a plain
# `terraform show -json` renders this state rather than a plan. The state is
# expected to hold every attribute, including the RDS master password, so the
# bucket needs tight access control; the s3 backend's `encrypt` setting (not
# set here) turns on server-side encryption of the state object.
terraform {
  backend "s3" {
    region = "ap-southeast-2"
    bucket = "terraform-backend-20200102"
    key    = "test.plan"
  }
}
我的处理如下:
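# `terraform show -json` with no argument prints the current *state*, which has no
# resource_changes. The policy's comprehensions then evaluate to [] (count 0,
# score 0), so authz is true no matter how many subnets the plan would create.
# The S3 backend only stores state (its `key` is the state object's name, not a
# saved plan), so the plan has to be written to a local file first and that file
# passed to `show`. tfplan.binary is just a constructed local file name.
terraform plan -out=tfplan.binary
terraform show -json tfplan.binary > tfplan.json
opa eval --format pretty --data terraform.rego --input tfplan.json "data.terraform.analysis.authz"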
为什么创建超过 2 个子网时，我得到的响应是“true”？我认为它应该是 false。
注意:提前致歉,我是 OPA 的新手,但肯定会受到启发。
鉴于 blast_radius = 5，计划中有一、二、三或四个子网时都被视为允许，这似乎是合理的，不是吗？