update some examples

stelligent · Apr 10, 2018 · 732f87c · 732f87c
1 parent d178241
commit 732f87c
Show file tree

Hide file tree

Showing 6 changed files with 208 additions and 0 deletions.
diff --git a/example-files/config/s3-encryption.tf b/example-files/config/s3-encryption.tf
@@ -0,0 +1,33 @@
+resource "aws_kms_key" "key_for_s3_encryption" {
+  description = "key for S3 bucket encryption"
+}
+
+resource "aws_s3_bucket" "bucket_example_1" {
+  acl = "public-read"
+  tags = {
+    project = "web"
+    classification = "PII"
+  }
+}
+
+resource "aws_s3_bucket" "bucket_example_2" {
+  acl = "public-read-write"
+  server_side_encryption_configuration {
+    rule {
+      apply_server_side_encryption_by_default {
+        kms_master_key_id = "${aws_kms_key.key_for_s3_encryption.arn}"
+        sse_algorithm     = "aws:kms"
+      }
+    }
+  }
+  tags = {
+    project = "web"
+    classification = "HIPAA"
+  }
+}
+
+resource "aws_s3_bucket" "bucket_example_3" {
+  tags = {
+    classification = "public"
+  }
+}
diff --git a/example-files/rules/iam-policies.yml b/example-files/rules/iam-policies.yml
@@ -0,0 +1,72 @@
+---
+version: 1
+description: Terraform rules for demo
+type: Terraform
+files:
+  - "*.tf"
+rules:
+
+  - id: NO_IAM_ROLES
+    message: Creating an IAM role is not allowed
+    resource: "aws_iam_role"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_ROLE_POLICIES
+    message: Creating an IAM role policy is not allowed
+    resource: "aws_iam_role_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_GROUPS
+    message: Creating an IAM group is not allowed
+    resource: "aws_iam_group"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_GROUP_POLICIES
+    message: Creating an IAM group policy is not allowed
+    resource: "aws_iam_group_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_POLICIES
+    message: Creating an IAM policy is not allowed
+    resource: "aws_iam_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_USERS
+    message: Creating an IAM user is not allowed
+    resource: "aws_iam_user"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_USER_POLICIES
+    message: Creating an IAM user policy is not allowed
+    resource: "aws_iam_user_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_INSTANCE_PROFILE
+    message: Creating an IAM instance profile is not allowed
+    resource: "aws_iam_instance_profile"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
diff --git a/example-files/rules/iam-restricted.yml b/example-files/rules/iam-restricted.yml
@@ -0,0 +1,65 @@
+---
+version: 1
+description: Terraform rules for creation of IAM resources
+type: Terraform
+files:
+  - "*.tf"
+rules:
+
+  - id: NO_IAM_ROLES
+    message: Creating an IAM role is not allowed
+    resource: "aws_iam_role"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_ROLE_POLICIES
+    message: Creating an IAM role policy is not allowed
+    resource: "aws_iam_role_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_GROUPS
+    message: Creating an IAM group is not allowed
+    resource: "aws_iam_group"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_GROUP_POLICIES
+    message: Creating an IAM group policy is not allowed
+    resource: "aws_iam_group_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_POLICIES
+    message: Creating an IAM policy is not allowed
+    resource: "aws_iam_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_USERS
+    message: Creating an IAM user is not allowed
+    resource: "aws_iam_user"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+  - id: NO_IAM_USER_POLICIES
+    message: Creating an IAM user policy is not allowed
+    resource: "aws_iam_user_policy"
+    severity: FAILURE
+    assertions:
+      - key: "@"
+        op: absent
+
+
diff --git a/example-files/rules/s3-encryption.yml b/example-files/rules/s3-encryption.yml
@@ -0,0 +1,19 @@
+version: 1
+description: Rules for Terraform configuration files
+type: Terraform
+files:
+  - "*.tf"
+rules:
+
+  - id: S3_BUCKET_ENCRYPTION
+    message: S3 Bucket should be encrypted
+    resource: aws_s3_bucket
+    severity: FAILURE
+    conditions:
+      - key: "tags[].classification[] | [0]"
+        op: in
+        value: PII,HIPAA
+    assertions:
+      - key: server_side_encryption_configuration
+        op: present
+
diff --git a/web/assets/sample-terraform-config.tf b/web/assets/sample-terraform-config.tf
@@ -4,6 +4,10 @@ resource "aws_kms_key" "key_for_s3_encryption" {
 
 resource "aws_s3_bucket" "bucket_example_1" {
   acl = "public-read"
+  tags = {
+    project = "web"
+    classification = "PII"
+  }
 }
 
 resource "aws_s3_bucket" "bucket_example_2" {
@@ -16,4 +20,14 @@ resource "aws_s3_bucket" "bucket_example_2" {
       }
     }
   }
+  tags = {
+    project = "web"
+    classification = "HIPAA"
+  }
+}
+
+resource "aws_s3_bucket" "bucket_example_3" {
+  tags = {
+    classification = "public"
+  }
 }
diff --git a/web/assets/terraform-rules.yml b/web/assets/terraform-rules.yml
@@ -275,10 +275,15 @@ rules:
     message: S3 Bucket should be encrypted
     resource: aws_s3_bucket
     severity: FAILURE
+    conditions:
+      - key: "tags[].classification[] | [0]"
+        op: in
+        value: PII,HIPAA
     assertions:
       - key: server_side_encryption_configuration
         op: present
 
+
   - id: S3_NOT_ACTION
     message: Should not use NotAction in S3 bucket policy
     resource: aws_s3_bucket_policy