Allow support for referential constraints #160

Open
Jberlinsky opened this issue Jan 15, 2021 · 3 comments

Jberlinsky commented Jan 15, 2021

Summary

I have a customer for whom referential constraints would drive outsize business value, enabling them to adopt Forseti Config Validator and Terraform Validator to implement detective and protective controls to safeguard their GCP organization.

Use Case

The specific use case identified is:

  • Ensuring that all Disks created within a GCP organization have an attached Resource Policy (snapshot schedule) with a particularly configured snapshot period and retention cycle. e.g.: "I want to ensure that all Disks in GCP are snapshotted daily with 30 day retention"

At present, we can pull sufficient information from CAI to determine that there is some ResourcePolicy attached to a Disk:

{
  "asset_type": "compute.googleapis.com/Disk",
  ...
  "resource": {
    "version": "v1",
    "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
    "discovery_name": "Disk",
    ...
    "data": {
      ...
      "resourcePolicies": [
        "https://www.googleapis.com/compute/v1/projects/.../regions/us-east4/resourcePolicies/snapshot-disks"
      ],
      ...
    },
    "location": "us-east4-a"
  },
  ...
}

And subsequently pulling the ResourcePolicy CAI data yields information about the snapshot schedule:

{
  "asset_type": "compute.googleapis.com/ResourcePolicy",
  ...
  "resource": {
    "version": "v1",
    "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/compute/v1/rest",
    "discovery_name": "ResourcePolicy",
    ...
    "data": {
      ...
      "snapshotSchedulePolicy": {
        "retentionPolicy": {
          "maxRetentionDays": 7,
          "onSourceDiskDelete": "KEEP_AUTO_SNAPSHOTS"
        },
        "schedule": {
          "dailySchedule": {
            "daysInCycle": 1,
            "duration": "PT14400S",
            "startTime": "00:00"
          }
        }
      },
      "status": "READY"
    },
    "location": "us-east4"
  },
  ...
}

The ability to build policies that consider both of these CAI asset data objects at once would be valuable, and extensible to other security control implementations.
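The cross-asset check described above, as an added example (not Config Validator or Terraform Validator code): it joins each Disk to the ResourcePolicy assets it references from one CAI export and reports Disks lacking a daily schedule with at least 30-day retention. The CAI asset `name` layout and the path-suffix used as the join key are assumptions, and the sample export is constructed.

```python
import re

# Assumed join key: the 'projects/<p>/regions/<r>/resourcePolicies/<n>' tail shared by
# a Disk's resourcePolicies selfLink and the ResourcePolicy's CAI asset name.
_KEY = re.compile(r"projects/[^/]+/regions/[^/]+/resourcePolicies/[^/]+$")

def policy_key(ref):
    """Reduce a selfLink URL or CAI asset name to the shared policy path, or None."""
    m = _KEY.search(ref)
    return m.group(0) if m else None

def policy_meets_rule(data, days_in_cycle=1, min_retention_days=30):
    """Check one ResourcePolicy 'data' block for a daily schedule with enough retention."""
    sp = data.get("snapshotSchedulePolicy", {})
    daily = sp.get("schedule", {}).get("dailySchedule", {})
    retention = sp.get("retentionPolicy", {}).get("maxRetentionDays", 0)
    return daily.get("daysInCycle") == days_in_cycle and retention >= min_retention_days

def find_violations(assets, **rule):
    """Map each non-compliant Disk asset name to a reason; empty dict means all Disks pass."""
    policies = {policy_key(a["name"]): a["resource"]["data"]
                for a in assets if a["asset_type"] == "compute.googleapis.com/ResourcePolicy"}
    violations = {}
    for a in assets:
        if a["asset_type"] != "compute.googleapis.com/Disk":
            continue
        refs = a["resource"]["data"].get("resourcePolicies", [])
        if not refs:
            violations[a["name"]] = "no resource policy attached"
        elif any(policy_key(r) not in policies for r in refs):
            violations[a["name"]] = "attached policy missing from CAI export"
        elif not any(policy_meets_rule(policies[policy_key(r)], **rule) for r in refs):
            violations[a["name"]] = "no attached policy snapshots daily with required retention"
    return violations

# Constructed sample export (trimmed CAI records, not real assets).
def _policy(name, retention_days, days_in_cycle=1):
    return {"asset_type": "compute.googleapis.com/ResourcePolicy",
            "name": f"//compute.googleapis.com/projects/demo/regions/us-east4/resourcePolicies/{name}",
            "resource": {"data": {"snapshotSchedulePolicy": {
                "retentionPolicy": {"maxRetentionDays": retention_days},
                "schedule": {"dailySchedule": {"daysInCycle": days_in_cycle}}}}}}

def _disk(name, *policy_names):
    return {"asset_type": "compute.googleapis.com/Disk",
            "name": f"//compute.googleapis.com/projects/demo/zones/us-east4-a/disks/{name}",
            "resource": {"data": {"resourcePolicies": [
                f"https://www.googleapis.com/compute/v1/projects/demo/regions/us-east4/resourcePolicies/{p}"
                for p in policy_names]}}}

SAMPLE_ASSETS = [_policy("weekly-keep", 7), _policy("daily-30d", 30),
                 _disk("db-data", "weekly-keep"), _disk("app-data", "daily-30d"), _disk("scratch")]

if __name__ == "__main__":
    for disk, reason in find_violations(SAMPLE_ASSETS).items():
        print(f"VIOLATION {disk}: {reason}")
```

Note that this needs every referenced ResourcePolicy present in the same export, which is exactly the whole-inventory-in-memory requirement the maintainers raise below.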

@morgante morgante added the enhancement New feature or request label Jan 15, 2021
briantkennedy (Member) commented

Hi Jason,

We previously had referential constraints prior to integrating with Constraint Framework; however, there are some scaling issues for larger organizations. Referential constraints entail having the entire set of resources loaded into memory, and Golang experiences a roughly 60x increase in memory footprint for parsed JSON (e.g., a 1GB CAI export will require 60GB of physical memory).

Enabling referential constraints would require implementing the rego function matching_reviews_and_constraints in pkg/gcptarget/library.go, creating the appropriate unit tests, plumbing through functionality for loading CAI information into Constraint Framework, and invoking the audit. Unfortunately, I have no plans to implement it at this time; however, I am willing to review pull requests.

-Brian

morgante (Contributor) commented

This is something we're still considering for the roadmap though.

aimjwizards commented Jan 15, 2021 via email
