move docs for supported operations to separate file
lhitchon committed Mar 30, 2018
1 parent 27e3c44 commit 7400d94
Showing 2 changed files with 182 additions and 169 deletions.
170 changes: 1 addition & 169 deletions README.md
@@ -143,174 +143,7 @@ Rules:
The assertions and operations are modeled after those used by Cloud Custodian: http://capitalone.github.io/cloud-custodian/docs/


## Operations supported for an Assertion

* eq - Equals

Example:
```
...
- id: VOLUME1
resource: aws_ebs_volume
message: EBS Volumes must be encrypted
severity: FAILURE
assertions:
- key: encrypted
op: eq
value: true
...
```

* ne - Not equals

Example:
```
...
- id: SG1
resource: aws_security_group
message: Security group should not allow ingress from 0.0.0.0/0
severity: FAILURE
assertions:
- key: "ingress[].cidr_blocks[] | [0]"
op: ne
value: "0.0.0.0/0"
...
```

* in - In list of values

Example:
```
...
- id: R1
message: Instance type should be t2.micro or m3.medium
resource: aws_instance
assertions:
- key: instance_type
op: in
value: t2.micro,m3.medium
severity: WARNING
...
```

* not-in - Not in list of values

* present - Attribute is present

Example:
```
...
- id: R6
message: Department tag is required
resource: aws_instance
assertions:
- key: "tags[].Department | [0]"
op: present
severity: FAILURE
...
```

* absent - Attribute is not present

* empty - Attribute is empty

* not-empty - Attribute is not empty

* contains - Attribute contains a substring

* regex - Attribute matches a regular expression

* not - Logical not of another assertions

Example:
```
...
- id: NOTTEST
resource: aws_instance
message: Should not have instance type of c4.large
severity: WARNING
assertions:
- not:
- key: instance_type
op: eq
value: c4.large
...
```

* and - Logical and of a list of assertions

Example:
```
...
- id: ANDTEST
resource: aws_instance
message: Should have both Project and Department tags
severity: WARNING
assertions:
- and:
- key: "tags[].Department | [0]"
op: present
- key: "tags[].Project | [0]"
op: present
tags:
- and-test
...
```

* or - Logical or of a list of assertions

Example:

```
...
- id: ORTEST
resource: aws_instance
message: Should have instance_type of t2.micro or m3.medium
severity: WARNING
assertions:
- or:
- key: instance_type
op: eq
value: t2.micro
- key: instance_type
op: eq
value: m3.medium
...
```

## Invoking an external API for more difficult cases

If the combination of JMESPath and the simple expression DSL are not sufficient, it is possible to have the
rules engine make an API call to validate a resource. Instead of the list of assertions, set the invoke
attribute to an object containg these attributes:

* url - An HTTP GET request will be made to this URL
* payload - A JMESPath expression used to generate the JSON payload to include in the GET request. If not provided, the entire resource will be included (same as using '@' in JMESPath)

The return value should look like this:
```
{
"Violations": [
{ "Message": "First Violation" }
]
}
```

Example:
```
...
- id: CUSTOM
severity: FAILURE
message: Custom
resource: Policy
invoke:
url: https://19kfojjbi2.execute-api.us-east-1.amazonaws.com/dev
payload: "{ user: spec.user, namespace: spec.namespace }"
tags:
- custom
...
```

## [Valid Operations](docs/operations.md)

# Output
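Review bot: the `## Invoking an external API for more difficult cases` section (the `invoke` attribute with its `url` and `payload` fields and the expected `Violations` return shape) is deleted from README.md in this hunk but does not reappear in the new docs/operations.md, so that documentation is lost rather than moved; either leave it in README.md or add an `invoke` entry to the new file. The replacement heading `## [Valid Operations](docs/operations.md)` is also a bare link with nothing saying what the reader will find there; a one-line pointer such as "See [docs/operations.md](docs/operations.md) for the supported assertion operations and examples." would read better than a heading that is only a link.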

@@ -404,4 +237,3 @@ Rules:
* Start using go testing coverage tools
* Ruleset examples have Initial upper case for top level attributes, all lower case for rules
* Use log package for error reporting
* Move the rule examples to a separate file, and include an index of operators in a table
181 changes: 181 additions & 0 deletions docs/operations.md
@@ -0,0 +1,181 @@
## Assertion Operations

| Operation | Description |
|-------------------------|-------------|
| [eq](#eq) | Equal |
| [ne](#ne) | Not equal |
| [in](#in) | In |
| [not-in](#not-in) | Not In |
| [present](#present) | Present |
| [absent](#absent) | Absent |
| [empty](#empty) | Empty |
| [not-empty](#not-empty) | Not Empty |
| [contains](#contains) | Contains |
| [regex](#regex) | Regex |
| [and](#and) | And |
| [or](#or) | Or |
| [not](#not) | Not |

## eq

Equal

###Example:

```
...
- id: VOLUME1
resource: aws_ebs_volume
message: EBS Volumes must be encrypted
severity: FAILURE
assertions:
- key: encrypted
op: eq
value: true
...
```

## ne

Not Equal

Example:
```
...
- id: SG1
resource: aws_security_group
message: Security group should not allow ingress from 0.0.0.0/0
severity: FAILURE
assertions:
- key: "ingress[].cidr_blocks[] | [0]"
op: ne
value: "0.0.0.0/0"
...
```

## in

In list of values

### Example:

```
...
- id: R1
message: Instance type should be t2.micro or m3.medium
resource: aws_instance
assertions:
- key: instance_type
op: in
value: t2.micro,m3.medium
severity: WARNING
...
```

## not-in

Not in list of values

## present

Attribute is present

###Example:

```
...
- id: R6
message: Department tag is required
resource: aws_instance
assertions:
- key: "tags[].Department | [0]"
op: present
severity: FAILURE
...
```

## absent

Attribute is not present

## empty

Attribute is empty

## not-empty

Attribute is not empty

## contains

Attribute contains a substring, or array contains an element

## regex

Attribute matches a regular expression

## and

Logical and of a list of assertions

### Example:

```
...
- id: ANDTEST
resource: aws_instance
message: Should have both Project and Department tags
severity: WARNING
assertions:
- and:
- key: "tags[].Department | [0]"
op: present
- key: "tags[].Project | [0]"
op: present
tags:
- and-test
...
```

## or

Logical or of a list of assertions

### Example:

```
...
- id: ORTEST
resource: aws_instance
message: Should have instance_type of t2.micro or m3.medium
severity: WARNING
assertions:
- or:
- key: instance_type
op: eq
value: t2.micro
- key: instance_type
op: eq
value: m3.medium
...
```

## not

Logical not of an assertion

Example:

```
...
- id: NOTTEST
resource: aws_instance
message: Should not have instance type of c4.large
severity: WARNING
assertions:
- not:
- key: instance_type
op: eq
value: c4.large
...
```
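Review bot: `###Example:` under `eq` and `present` has no space after the hashes, so Markdown renders it as literal text instead of a heading, while `ne` and `not` use plain `Example:` and `in`, `and`, `or` use `### Example:`; one form (`### Example`) for every entry. Six operations (`not-in`, `absent`, `empty`, `not-empty`, `contains`, `regex`) get a one-line description and no example, which is the gap this file was meant to close; `contains` in particular now documents two behaviours ("Attribute contains a substring, or array contains an element") and the rule YAML for the array case is not obvious without one. The `not` description says "Logical not of an assertion" but the example passes a list under `not:`; say whether a list is accepted and how several entries are combined. In the `ne` example, `ingress[].cidr_blocks[] | [0]` inspects only the first CIDR in the flattened list of ingress CIDR blocks, so a security group that lists `0.0.0.0/0` anywhere after the first entry passes the rule; since this is the sample most readers will copy for an open-ingress check, either state that limitation next to it or rework it to evaluate every element (the array form of `contains` described above is the natural fit). Finally, the table's Description column mostly repeats the operation name (`In`, `Not In`, `Regex`); using the fuller descriptions from the sections below (`In list of values`, `Attribute matches a regular expression`) would make the index useful on its own.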
