remove unused type attribute from assertions
lhitchon committed Mar 23, 2018
1 parent 6fee717 commit 3af8f6e
Showing 6 changed files with 75 additions and 151 deletions.
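--- a/README.md
+++ b/README.md
@@ -73,7 +73,6 @@ Each assertion contains the following attributes:
 
 |Name |Description |
 |-----------|------------------------------------------------------------------------------------|
-|type | Should always be "value" for now |
 |key | JMES path used to find data in a resource |
 |op | Operation to perform on the data returned by searching for the key |
 |value | Literal value needed for most operations |
@@ -92,8 +91,7 @@ Rules:
   message: Instance type should be t2.micro or m3.medium
   resource: aws_instance
   assertions:
-    - type: value
-      key: instance_type
+    - key: instance_type
       op: in
       value: t2.micro,m3.medium
   severity: WARNING
@@ -113,12 +111,10 @@ Rules:
   resource: aws_instance
   assertions:
     or:
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: eq
         value: t2.micro
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: eq
         value: m3.medium
   severity: WARNING
@@ -139,8 +135,7 @@ Example:
   message: EBS Volumes must be encrypted
   severity: FAILURE
   assertions:
-    - type: value
-      key: encrypted
+    - key: encrypted
       op: eq
       value: true
 ...
@@ -156,8 +151,7 @@ Example:
   message: Security group should not allow ingress from 0.0.0.0/0
   severity: FAILURE
   assertions:
-    - type: value
-      key: "ingress[].cidr_blocks[] | [0]"
+    - key: "ingress[].cidr_blocks[] | [0]"
       op: ne
       value: "0.0.0.0/0"
 ...
@@ -172,8 +166,7 @@ Example:
   message: Instance type should be t2.micro or m3.medium
   resource: aws_instance
   assertions:
-    - type: value
-      key: instance_type
+    - key: instance_type
       op: in
       value: t2.micro,m3.medium
   severity: WARNING
@@ -191,8 +184,7 @@ Example:
   message: Department tag is required
   resource: aws_instance
   assertions:
-    - type: value
-      key: "tags[].Department | [0]"
+    - key: "tags[].Department | [0]"
       op: present
   severity: FAILURE
 ...
@@ -215,8 +207,7 @@ Example:
   severity: WARNING
   assertions:
     - not:
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: eq
         value: c4.large
 ...
@@ -233,11 +224,9 @@ Example:
   severity: WARNING
   assertions:
     - and:
-      - type: value
-        key: "tags[].Department | [0]"
+      - key: "tags[].Department | [0]"
         op: present
-      - type: value
-        key: "tags[].Project | [0]"
+      - key: "tags[].Project | [0]"
         op: present
   tags:
     - and-test
@@ -256,12 +245,10 @@ Example:
   severity: WARNING
   assertions:
     - or:
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: eq
         value: t2.micro
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: eq
         value: m3.medium
 ...
@@ -373,12 +360,10 @@ Rules:
   assertions:
     - not:
       - and:
-        - type: value
-          key: ipPermissions[].fromPort[]
+        - key: ipPermissions[].fromPort[]
           op: contains
           value: "22"
-        - type: value
-          key: ipPermissions[].ipRanges[]
+        - key: ipPermissions[].ipRanges[]
           op: contains
           value: 0.0.0.0/0
 ```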
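--- a/assertion/rules_test.go
+++ b/assertion/rules_test.go
@@ -37,8 +37,7 @@ var content = `Rules:
     resource: aws_instance
     severity: WARNING
     assertions:
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: in
         value: t2.micro
     tags:
@@ -48,8 +47,7 @@ var content = `Rules:
     resource: aws_s3_bucket
     severity: WARNING
     assertions:
-      - type: value
-        key: name
+      - key: name
         op: eq
         value: bucket1
     tags:
@@ -91,12 +89,10 @@ var ruleWithMultipleFilters = `Rules:
     resource: aws_instance
     severity: FAILURE
     assertions:
-      - type: value
-        key: instance_type
+      - key: instance_type
         op: eq
         value: t2.micro
-      - type: value
-        key: ami
+      - key: ami
         op: eq
         value: ami-000000
 `
@@ -158,8 +154,7 @@ var ruleWithValueFrom = `Rules:
     severity: FAILURE
     resource: aws_instance
     assertions:
-      - type: value
-        key: instance_type
+      - key: instance_type
       op: in
       value_from:
         bucket: config-rules-for-lambda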
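Review bot: After this change none of the fixtures in this file carries a `type` attribute any more, so nothing pins what the loader does with the `- type: value` lines that rule files written against the previous README still contain — silently ignoring the key and rejecting the file are both defensible, but the choice should be covered by a test either way. One small fixture that keeps a single `- type: value` entry, with an assertion on whether loading succeeds, would document the intended compatibility; the same question applies to any other unrecognised assertion key, because a misspelt `op` in a compliance rule that is silently dropped turns that check into a no-op without any signal to the user. Separately, in the `ruleWithValueFrom` hunk the added `- key: instance_type` is followed by `op: in` and `value_from:` at the column of the list marker rather than of `key`, which reads as a malformed YAML sequence; if that is the file's real indentation and not a rendering artefact, it is worth aligning with the other fixtures. Each of these string constants begins on the hunk-header line and continues outside the hunk, so the surrounding declarations are not visible here.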
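--- a/example-files/rules/aws-config.yml
+++ b/example-files/rules/aws-config.yml
@@ -6,16 +6,14 @@ Rules:
     message: Table status must have provisionedThroughput
     resource: AWS::DynamoDB::Table
     assertions:
-      - type: value
-        key: provisionedThroughput.writeCapacityUnits
+      - key: provisionedThroughput.writeCapacityUnits
         op: present
     severity: NON_COMPLIANT
   - id: CFG2
     message: Table status must have provisionedThroughput
     resource: AWS::DynamoDB::Table
     assertions:
-      - type: value
-        key: provisionedThroughput.readCapacityUnits
+      - key: provisionedThroughput.readCapacityUnits
         op: present
     severity: NON_COMPLIANT
   - id: SG1
@@ -26,12 +24,10 @@ Rules:
     assertions:
       - not:
         - and:
-          - type: value
-            key: ipPermissions[].fromPort[]
+          - key: ipPermissions[].fromPort[]
             op: contains
             value: "22"
-          - type: value
-            key: ipPermissions[].ipRanges[]
+          - key: ipPermissions[].ipRanges[]
             op: contains
             value: 0.0.0.0/0
     severity: NON_COMPLIANT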
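Review bot: In the SG1 hunk the two added keys `ipPermissions[].fromPort[]` and `ipPermissions[].ipRanges[]` are evaluated independently of each other, so the `and` is also satisfied by one permission that opens port 22 to a private range plus a different permission that opens some other port to `0.0.0.0/0` — the rule reports that group as NON_COMPLIANT even though SSH is not world-reachable, and it cannot distinguish the two situations. The `security-groups.yml` example in the same commit correlates port and range inside one permission with a JMESPath filter; the equivalent here would be a single assertion `- key: "ipPermissions[?(fromPort==`22`)].ipRanges[]"` with `op: contains` and `value: 0.0.0.0/0`, assuming the engine's JMESPath evaluator handles filter expressions as that file implies. Both forms still miss a permission that spans port 22 without starting at it (`fromPort` 0, `toPort` 65535), since `contains` and `==` look for the literal `22`. Whether the current over-matching is intended as a conservative default or is just noise is a policy choice, but a short comment on the rule stating which would help anyone copying this example.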
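--- a/example-files/rules/kubernetes.yml
+++ b/example-files/rules/kubernetes.yml
@@ -10,8 +10,7 @@ Rules:
     message: Allowed kinds
     resource: "*"
     assertions:
-      - type: value
-        key: kind
+      - key: kind
         op: in
         value: Pod,Policy,ServiceAccount,NetworkPolicy
     tags:
@@ -22,8 +21,7 @@ Rules:
    message: Pod must include containers
    resource: Pod
    assertions:
-     - type: value
-       key: spec.containers
+     - key: spec.containers
        op: present
    tags:
      - pod
@@ -33,8 +31,7 @@ Rules:
    message: Pod should use a service account
    resource: Pod
    assertions:
-     - type: value
-       key: serviceAccountName
+     - key: serviceAccountName
        op: present
    tags:
      - pod
@@ -44,12 +41,10 @@ Rules:
    message: Pod should set securityContent
    resource: Pod
    assertions:
-     - type: value
-       key: spec.securityContext.runAsNonRoot
+     - key: spec.securityContext.runAsNonRoot
        op: eq
        value: true
-     - type: value
-       key: spec.securityContext.readOnlyRootFilesystem
+     - key: spec.securityContext.readOnlyRootFilesystem
        op: eq
        value: true
    tags:
@@ -61,8 +56,7 @@ Rules:
    message: Policy must include a spec
    resource: Policy
    assertions:
-     - type: value
-       key: spec
+     - key: spec
        op: present
    tags:
      - policy
@@ -72,8 +66,7 @@ Rules:
    message: Policy should not use default namespace
    resource: Policy
    assertions:
-     - type: value
-       key: spec.namespace
+     - key: spec.namespace
        op: ne
        value: default
    tags:
@@ -94,8 +87,7 @@ Rules:
     message: Network policy should include from pods
     resource: NetworkPolicy
     assertions:
-      - type: value
-        key: spec.allowIncoming.from[].pods
+      - key: spec.allowIncoming.from[].pods
         op: present
     tags:
       - network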
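Review bot: Two of the added keys look like they read fields from the wrong place in a Pod manifest, so if these rules are meant to run against real Kubernetes objects they can never be satisfied: in the `Pod should use a service account` hunk `serviceAccountName` is a `spec` field (the neighbouring rules already use `spec.containers` and `spec.securityContext...`), and in the `Pod should set securityContent` hunk `readOnlyRootFilesystem` is a per-container `securityContext` field rather than a pod-level one. What the engine reports for a key that resolves to nothing is not visible in this commit — if a missing value fails `eq`, the second assertion always fails and the rule is pure noise; if it is skipped, the rule never catches a writable root filesystem — so the example is misleading either way. The first is a one-line fix, `- key: spec.serviceAccountName`; the second needs an "every container" check over `spec.containers[].securityContext.readOnlyRootFilesystem`, which the operators shown on this page (`present`, `eq`, `ne`, `in`, `contains`) do not obviously express, so it is worth a comment on the rule until the engine supports it. The `Policy` kind and the `spec.allowIncoming.from[].pods` key elsewhere in the file suggest some rules are illustrative rather than real, in which case a note saying so at the top of the file would stop users copying them; the context-line message `Pod should set securityContent` also appears to be a typo for `securityContext`.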
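--- a/example-files/rules/security-groups.yml
+++ b/example-files/rules/security-groups.yml
@@ -7,8 +7,7 @@ Rules:
     resource: "AWS::EC2::SecurityGroup"
     assertions:
       - not:
-        - type: value
-          key: IpPermissions[?(FromPort==`22`)].IpRanges[].CidrIp | [0]
+        - key: IpPermissions[?(FromPort==`22`)].IpRanges[].CidrIp | [0]
           op: eq
           value: "0.0.0.0/0"
     severity: NON_COMPLIANT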
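Review bot: The added key `IpPermissions[?(FromPort==`22`)].IpRanges[].CidrIp | [0]` keeps only the first CIDR of the matching permissions, so a port-22 rule whose ranges are listed as `10.0.0.0/8` followed by `0.0.0.0/0` is reported compliant, and so is any permission that spans port 22 without starting at it (`FromPort` 0 to `ToPort` 65535), because the filter compares `FromPort` for equality with `22`. Dropping the `| [0]` and switching the assertion to `op: contains` with `value: "0.0.0.0/0"` — the form the `aws-config.yml` example in this same commit already uses on a `[]` projection — checks every range rather than the first, and a filter of `?(FromPort<=`22` && ToPort>=`22`)` would cover spanning ranges, assuming the engine's JMESPath evaluator accepts those comparisons. IPv6 world access (an `Ipv6Ranges[].CidrIpv6` of `::/0`) is also outside the rule as written, which is worth stating in a comment on the rule if it is deliberate.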
