VPC SC: Ensure project in service perimiter (#215)

Author: charliewolf

policies/templates/gcp_vpc_sc_ensure_project_v1.yaml

@@ -0,0 +1,78 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: templates.gatekeeper.sh/v1alpha1
+kind: ConstraintTemplate
+metadata:
+  name: gcp-vpc-sc-ensure-project-v1
+spec:
+  crd:
+    spec:
+      names:
+        kind: GCPVPCSCEnsureProjectConstraintV1
+        plural: gcpvpcscensureprojectconstraintsv1
+      validation:
+        openAPIV3Schema:
+          properties:
+            required_projects:
+              description: "Required project IDs"
+              type: array
+              items: string
+  targets:
+    validation.gcp.forsetisecurity.org:
+      rego: | #INLINE("validator/vpc_sc_ensure_project.rego")
+             #
+             # Copyright 2019 Google LLC
+             #
+             # Licensed under the Apache License, Version 2.0 (the "License");
+             # you may not use this file except in compliance with the License.
+             # You may obtain a copy of the License at
+             #
+             #      http://www.apache.org/licenses/LICENSE-2.0
+             #
+             # Unless required by applicable law or agreed to in writing, software
+             # distributed under the License is distributed on an "AS IS" BASIS,
+             # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+             # See the License for the specific language governing permissions and
+             # limitations under the License.
+             #
+             
+             package templates.gcp.GCPVPCSCEnsureProjectConstraintV1
+             
+             import data.validator.gcp.lib as lib
+             
+             deny[{
+             	"msg": message,
+             	"details": metadata,
+             }] {
+             	constraint := input.constraint
+             	asset := input.asset
+             
+             	asset.asset_type == "cloudresourcemanager.googleapis.com/Organization"
+             	lib.has_field(asset, "service_perimeter")
+             
+             	lib.get_constraint_params(constraint, params)
+             	required_projects_array := lib.get_default(params, "required_projects", [])
+             	required_projects := {sprintf("projects/%v", [p]) | p = required_projects_array[_]}
+             
+             	perimeter_resources := {r | r = asset.service_perimeter.status.resources[_]}
+             
+             	count(perimeter_resources - required_projects) != count(perimeter_resources) - count(required_projects)
+             
+             	message := sprintf("Required project missing from service perimeter %v.", [asset.service_perimeter.name])
+             
+             	metadata := {"resource": asset.name, "service_perimeter_name": asset.service_perimeter.name}
+             }
+             #ENDINLINE

samples/vpc_sc_ensure_project.yaml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPVPCSCEnsureProjectConstraintV1
+metadata:
+  name: vpc_sc_ensure_project
+spec:
+  severity: high
+  match:
+    gcp:
+      target: ["organization/*"]
+  parameters:
+      required_projects:
+        - "179891054369"
+        - "179891054370"
+

validator/test/fixtures/vpc_sc_ensure_project/assets/data.json

@@ -0,0 +1,29 @@
+[{
+        "name": "//cloudresourcemanager.googleapis.com/organizations/660570133860",
+        "asset_type": "cloudresourcemanager.googleapis.com/Organization",
+        "service_perimeter": {
+            "name": "accessPolicies/1008882730433/servicePerimeters/Test_Service_Perimeter_Good",
+            "title": "Test Service Perimeter Good",
+            "status": {
+                "resources": ["projects/179891054368", "projects/179891054369", "projects/179891054370"],
+                "access_levels": ["accessPolicies/1008882730433/accessLevels/abcb"],
+                "restricted_services": ["container.googleapis.com"]
+            }
+        },
+        "ancestors": ["organizations/660570133860"]
+    },
+    {
+        "name": "//cloudresourcemanager.googleapis.com/organizations/660570133861",
+        "asset_type": "cloudresourcemanager.googleapis.com/Organization",
+        "service_perimeter": {
+            "name": "accessPolicies/1008882730434/servicePerimeters/Test_Service_Perimeter_Bad",
+            "title": "Test Service Perimeter Bad",
+            "status": {
+                "resources": ["projects/179891054368", "projects/179891054369"],
+                "access_levels": ["accessPolicies/1008882730433/accessLevels/abcb"],
+                "restricted_services": ["container.googleapis.com"]
+            }
+        },
+        "ancestors": ["organizations/660570133861"]
+    }
+]

validator/test/fixtures/vpc_sc_ensure_project/constraints/data.yaml

@@ -0,0 +1,28 @@
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+apiVersion: constraints.gatekeeper.sh/v1alpha1
+kind: GCPVPCSCEnsureProjectConstraintV1
+metadata:
+  name: vpc_sc_ensure_project
+spec:
+  severity: high
+  match:
+    gcp:
+      target: ["organization/*"]
+  parameters:
+      required_projects:
+        - "179891054369"
+        - "179891054370"
+

validator/vpc_sc_ensure_project.rego

@@ -0,0 +1,42 @@
+#
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPVPCSCEnsureProjectConstraintV1
+
+import data.validator.gcp.lib as lib
+
+deny[{
+	"msg": message,
+	"details": metadata,
+}] {
+	constraint := input.constraint
+	asset := input.asset
+
+	asset.asset_type == "cloudresourcemanager.googleapis.com/Organization"
+	lib.has_field(asset, "service_perimeter")
+
+	lib.get_constraint_params(constraint, params)
+	required_projects_array := lib.get_default(params, "required_projects", [])
+	required_projects := {sprintf("projects/%v", [p]) | p = required_projects_array[_]}
+
+	perimeter_resources := {r | r = asset.service_perimeter.status.resources[_]}
+
+	count(perimeter_resources - required_projects) != count(perimeter_resources) - count(required_projects)
+
+	message := sprintf("Required project missing from service perimeter %v.", [asset.service_perimeter.name])
+
+	metadata := {"resource": asset.name, "service_perimeter_name": asset.service_perimeter.name}
+}

validator/vpc_sc_ensure_project_test.rego

@@ -0,0 +1,34 @@
+#
+# Copyright 2019 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+package templates.gcp.GCPVPCSCEnsureProjectConstraintV1
+
+import data.validator.gcp.lib as lib
+
+all_violations[violation] {
+	resource := data.test.fixtures.vpc_sc_ensure_project.assets[_]
+	constraint := data.test.fixtures.vpc_sc_ensure_project.constraints
+
+	issues := deny with input.asset as resource
+		 with input.constraint as constraint
+
+	violation := issues[_]
+}
+
+test_violations_basic {
+	violation_resources := {r | r = all_violations[_].details.service_perimeter_name}
+	violation_resources == {"accessPolicies/1008882730434/servicePerimeters/Test_Service_Perimeter_Bad"}
+}