azurerm-block-allow-all-cidr.sentinel
import "tfplan"
# Return a list of every resource body of the given type found in the plan,
# or an empty list when the plan contains none.
get_resources = func(type) {
    # The real tfplan import always populates module_paths; only test mocks
    # may leave it out, in which case just the root module is scanned.
    known_paths = tfplan.module_paths else []
    if length(known_paths) == 0 {
        return get_resources_root_only(type)
    }
    return get_resources_all_modules(type)
}
# Collect the bodies of all resources of the given type in the root module.
# Used as the fallback when tfplan.module_paths is not available (test mocks).
get_resources_root_only = func(type) {
    # tfplan.resources[type] is keyed by resource name, then by count index:
    #   {"name": {"0": {"applied": {...}, "diff": {...}}, "1": {...}}, ...}
    # A type that does not appear in the plan is treated as an empty map.
    by_name = tfplan.resources[type] else {}

    # Flatten the two map levels into one list of bodies:
    #   [{"applied": {...}, "diff": {...}}, ...]
    bodies = []
    for by_name as _, by_index {
        for by_index as _, instance {
            append(bodies, instance)
        }
    }
    return bodies
}
# Collect the bodies of all resources of the given type across every module
# path listed in tfplan.module_paths, so resources declared inside child
# modules are evaluated as well as those in the root module.
get_resources_all_modules = func(type) {
    bodies = []
    for tfplan.module_paths as module_path {
        # Each module exposes the same nested shape as the root module:
        #   {"name": {"0": {"applied": {...}, "diff": {...}}, "1": {...}}, ...}
        # A module without resources of this type contributes nothing.
        by_name = tfplan.module(module_path).resources[type] else {}

        # Flatten name -> index -> body into the shared result list:
        #   [{"applied": {...}, "diff": {...}}, ...]
        for by_name as _, by_index {
            for by_index as _, instance {
                append(bodies, instance)
            }
        }
    }
    return bodies
}
# Source prefixes that mean "any address". Matching below is exact string
# membership, so only these two spellings are caught.
# NOTE(review): other ways of expressing an unrestricted source (for example
# the "Internet" service tag or the IPv6 range "::/0") are not in this list;
# confirm whether the policy is meant to reject them too.
disallowed_cidr_blocks = ["0.0.0.0/0", "*"]

# Passes when every inline security_rule of every azurerm_network_security_group
# in the plan either is a "Deny" rule or has a source_address_prefix that is not
# one of disallowed_cidr_blocks.
#
# Coverage limits visible in this rule:
#   - Only security_rule blocks nested inside azurerm_network_security_group are
#     inspected; rules declared as separate azurerm_network_security_rule
#     resources are not looked at here.
#   - Only the singular source_address_prefix is compared; the plural
#     source_address_prefixes attribute is never read.
#   - Rule direction is not considered, so inbound and outbound rules are
#     treated alike.
# NOTE(review): if source_address_prefix is undefined for an "Allow" rule, this
# expression evaluates to undefined rather than false; see how main handles an
# undefined result before relying on this rule as a hard guard.
block_allow_all = rule {
    all get_resources("azurerm_network_security_group") as nsg {
        all nsg.applied.security_rule as _, entry {
            entry.access is "Deny" or
                (entry.source_address_prefix not in disallowed_cidr_blocks)
        }
    }
}
# Policy entry point: the result of block_allow_all, with an undefined result
# converted to a pass.
# NOTE(review): `else true` makes the policy fail open. Any evaluation of
# block_allow_all that ends up undefined instead of false lets the plan
# through. Presumably this is meant for security groups that declare no inline
# security_rule blocks, but it also hides every other undefined lookup inside
# the rule; confirm that is acceptable, or handle the "no inline rules" case
# explicitly and let other undefined results fail.
main = rule {
    block_allow_all else true
}