Skip to content
A library of constraint templates and sample constraints for Forseti Config Validator.
Shell Python Makefile Dockerfile
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
cloudbuild Updating Dockerfile for pip3 yaml module. Fixing Makefile typo. Aug 16, 2019
docs Merge branch 'master' into bug/cai-api-plural-network Sep 16, 2019
lib Initial public release Mar 29, 2019
policies Inlining and formatting Oct 4, 2019
samples Merge branch 'master' into feature/kms Sep 27, 2019
scripts Support project, folder and org-level audits in Makefile Sep 19, 2019
validator Inlining and formatting Oct 4, 2019
.gitignore .DS_Store removed May 30, 2019
CODEOWNERS Add AdrienWalkowiak as a reviewer (#142) Aug 5, 2019
CONTRIBUTING.md contributions update Jul 17, 2019
LICENSE Initial public release Mar 29, 2019
Makefile Update documentation Sep 19, 2019
README.md
cloudbuild.yaml Restoring original docker image for cloudbuild Aug 16, 2019
delete.me testing 123 Apr 17, 2019

README.md

Policies

This repo contains a library of constraint templates and sample constraints.

For information on setting up Config Validator to secure your environment, see the User Guide.

Developing a Constraint

If this library doesn't contain a constraint that matches your use case, you can develop a new one using the Constraint Template Authoring Guide.

Available Commands

make audit                          Run audit against real CAI dump data
make build                          Format and build
make build_templates                Inline Rego rules into constraint templates
make debug                          Show debugging output from OPA
make format                         Format Rego rules
make help                           Prints help for targets with comments
make test                           Test constraint templates via OPA

Inlining

You can run make build to automatically inline Rego rules into your constraint templates.

This is done by finding a INLINE("filename") and #ENDINLINE statements in your yaml, and replacing everything in between with the contents of the file.

For example, running make build would replace the raw content with the replaced content below

Raw:

#INLINE("my_rule.rego")
# This text will be replaced
#ENDINLINE

Replaced:

#INLINE("my_rule.rego")
#contents of my_rule.rego
#ENDINLINE
You can’t perform that action at this time.