
Commit 38e6629

authored
Require a known department label (#5)
* bump version * require a known department
1 parent 9b360cb commit 38e6629


18 files changed

+222
-7
lines changed

Lines changed: 3 additions & 0 deletions
@@ -0,0 +1,3 @@
1+
resource "aws_s3_bucket" "b" {
2+
bucket = "my-tf-test-bucket"
3+
}
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
resource "aws_s3_bucket" "b" {
2+
bucket = "my-tf-test-bucket"
3+
}
4+
5+
resource "aws_ami" "example" {
6+
name = "terraform-example"
7+
virtualization_type = "hvm"
8+
root_device_name = "/dev/xvda"
9+
10+
ebs_block_device {
11+
device_name = "/dev/xvda"
12+
snapshot_id = "snap-xxxxxxxx"
13+
volume_size = 8
14+
}
15+
}
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,18 @@
1+
resource "aws_s3_bucket" "b" {
2+
bucket = "my-tf-test-bucket"
3+
tags = {
4+
mycompany.com.department = "finance"
5+
}
6+
}
7+
8+
resource "aws_ami" "example" {
9+
name = "terraform-example"
10+
virtualization_type = "hvm"
11+
root_device_name = "/dev/xvda"
12+
13+
ebs_block_device {
14+
device_name = "/dev/xvda"
15+
snapshot_id = "snap-xxxxxxxx"
16+
volume_size = 8
17+
}
18+
}
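Review bot: The tag key on line 4 of this fixture is written as a bare dotted name, `mycompany.com.department = "finance"`, which HCL reads as an attribute traversal rather than a literal key; Terraform is expected to reject it as an ambiguous attribute key. Quote the key so the fixture is valid Terraform and the policy is tested against the tag name that real configurations would use: `"mycompany.com.department" = "finance"`. The same applies to the `hr` tags in the two fixtures that follow. A fixture that only parses under the scanner's own HCL parser can pass or fail the check for a reason unrelated to the policy.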
Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
resource "aws_s3_bucket" "b" {
2+
bucket = "my-tf-test-bucket"
3+
tags = {
4+
mycompany.com.department = "hr"
5+
}
6+
}
Lines changed: 20 additions & 0 deletions
@@ -0,0 +1,20 @@
1+
resource "aws_s3_bucket" "b" {
2+
bucket = "my-tf-test-bucket"
3+
tags = {
4+
mycompany.com.department = "hr"
5+
}
6+
}
7+
8+
resource "aws_ami" "example" {
9+
name = "terraform-example"
10+
virtualization_type = "hvm"
11+
root_device_name = "/dev/xvda"
12+
tags = {
13+
mycompany.com.department = "hr"
14+
}
15+
ebs_block_device {
16+
device_name = "/dev/xvda"
17+
snapshot_id = "snap-xxxxxxxx"
18+
volume_size = 8
19+
}
20+
}
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
metadata:
2+
name: "Check that all resources are tagged with the key - department with a known value"
3+
id: "CUSTOM_AWS_2"
4+
category: "CONVENTION"
5+
scope:
6+
provider: aws
7+
definition:
8+
or:
9+
- cond_type: "attribute"
10+
resource_types: "all"
11+
attribute: 'tags.mycompany.com.department'
12+
operator: "equals"
13+
value: tech
14+
- cond_type: "attribute"
15+
resource_types: "all"
16+
attribute: 'tags.mycompany.com.department'
17+
operator: "equals"
18+
value: hr
19+
- cond_type: "attribute"
20+
resource_types: "all"
21+
attribute: 'tags.mycompany.com.department'
22+
operator: "equals"
23+
value: ounts
24+
- cond_type: "attribute"
25+
resource_types: "all"
26+
attribute: 'tags.mycompany.com.department'
27+
operator: "equals"
28+
value: servicedesk
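Review bot: `value: ounts` on line 23 looks like a truncated department name, so the allow-list would accept the tag value `ounts` and reject whatever was intended; replace it with the intended name, quoted like the other fields, e.g. `value: "<intended-department>"`. The attribute path `tags.mycompany.com.department` also deserves a check, since the tag key itself contains dots and the path may be resolved as nested keys rather than one key; a passing fixture that relies on the literal key would confirm it. As a style point, the four branches differ only in `value`, so a single condition with a list-membership operator (`within`, if the engine version in use supports it) would keep the allowed departments in one place. A short comment above `or:` stating that this list is the source of truth for known departments would help whoever adds the next one.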
Lines changed: 3 additions & 2 deletions
@@ -1,10 +1,11 @@
11
apiVersion: kustomize.config.k8s.io/v1beta1
22
kind: Kustomization
33

4-
nameSuffix: "-1.0.0"
4+
nameSuffix: "-2.0.0"
55

66
commonLabels:
7-
mycompany.com/policy-version: "1.0.0"
7+
mycompany.com/policy-version: "2.0.0"
88

99
resources:
1010
- require-department-label/policy.yaml
11+
- require-known-department-label/policy.yaml

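--- a/kubernetes/kyverno/require-department-label/fail0.yaml
+++ b/kubernetes/kyverno/require-department-label/fail0.yaml
@@ -3,7 +3,7 @@ kind: Pod
 metadata:
 name: require-department-label-fail0
 labels:
-mycompany.com/policy-version: "1.0.0"
+mycompany.com/policy-version: "2.0.0"
 spec:
 containers:
 - name: nginx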

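--- a/kubernetes/kyverno/require-department-label/pass0.yaml
+++ b/kubernetes/kyverno/require-department-label/pass0.yaml
@@ -4,7 +4,7 @@ metadata:
 name: require-department-label-pass0
 labels:
 mycompany.com/department: finance
-mycompany.com/policy-version: "1.0.0"
+mycompany.com/policy-version: "2.0.0"
 spec:
 containers:
 - name: nginx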

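--- a/kubernetes/kyverno/require-department-label/policy.yaml
+++ b/kubernetes/kyverno/require-department-label/policy.yaml
@@ -39,7 +39,7 @@ spec:
 - "*"
 selector:
 matchLabels:
-mycompany.com/policy-version: "1.0.0"
+mycompany.com/policy-version: "2.0.0"
 validate:
 message: "The label `mycompany.com/department` is required."
 pattern: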
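Review bot: The `matchLabels` selector on line 42 scopes this rule to resources that already carry `mycompany.com/policy-version: "2.0.0"`, and nothing in the visible lines documents that enforcement is opt-in by label. After this bump, a resource still labelled `"1.0.0"`, or one with no policy-version label, would presumably not be matched and so not be checked for the department label. The rule starts before and continues past this hunk, so another rule may already require the version label. If none does, that gap is worth closing. At minimum add a comment above `matchLabels`, such as `# Opt-in scope: only resources labelled with this policy-version are validated; unlabelled resources are skipped.`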
