✨ add preventive guardrails
daxingplay committed Oct 17, 2024
1 parent ffec476 commit d9f637b
Showing 7 changed files with 107 additions and 5 deletions.
Expand Up @@ -2,10 +2,11 @@ provider "alicloud" {
region = "cn-shanghai"
}

module "detective_guardrails" {
module "guardrails" {
source = "../../"

detective_guardrails = var.detective_guardrails
preventive_guardrails = var.preventive_guardrails
config_aggreator_name = var.config_aggreator_name
config_aggreator_description = var.config_aggreator_description
config_compliance_pack_name = var.config_compliance_pack_name
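Review bot: Renaming the module block from `detective_guardrails` to `guardrails` changes the state address of every resource inside it, so anyone who has already applied this example would get a plan that destroys and recreates the detective-guardrail resources (config aggregator, compliance pack and so on, judging by the variables passed) instead of a no-op. A `moved` block next to the module call, with `from = module.detective_guardrails` and `to = module.guardrails`, keeps the existing state under the new name. The module block continues past the end of the hunk.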
Expand Up @@ -12,4 +12,30 @@ detective_guardrails = [
tag_scope_key = ""
tag_scope_value = ""
}
]

preventive_guardrails = [
{
rule_name = "DenyCreateRamRole"
rule_description = "Deny creating RAM role"
policy_document = <<EOF
{
"Statement": [
{
"Action": [
"ram:CreateRole"
],
"Resource": "*",
"Effect": "Deny",
"Condition": {
"StringNotLike": {
"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
}
}
}
],
"Version": "1"
}
EOF
}
]
@@ -1,5 +1,14 @@
terraform {
experiments = [module_variable_optional_attrs]
# terraform {
# experiments = [module_variable_optional_attrs]
# }
variable "preventive_guardrails" {
type = list(object({
rule_name = string
rule_description = optional(string)
policy_document = string
target = optional(string)
}))
description = "preventive guardrails, each item in list should have rule_name and policy_document. If target is not specified, it will be set to root_folder_id"
}
variable "detective_guardrails" {
type = list(object({
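Review bot: The three commented-out `# terraform { … }` lines leave dead code where a version constraint is now needed: `optional()` inside an object type constraint works without the experiment only on Terraform 1.3 and later, so replacing them with `terraform { required_version = ">= 1.3" }` states the requirement explicitly instead of letting older CLIs fail on the type expression. The same applies to the identical hunk in the last file of this commit. The `description` text lists `rule_name` and `policy_document` but not `rule_description`, which the type also accepts; `description = "preventive guardrails; each item needs rule_name and policy_document, may set rule_description, and target defaults to the root folder id when omitted"` would cover all four attributes. The `detective_guardrails` variable continues past the end of the hunk.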
Expand Up @@ -2,6 +2,32 @@
data "alicloud_account" "current" {
}

#########################################################
# Preventive Controls
#########################################################
data "alicloud_resource_manager_resource_directories" "default" {}

locals {
resource_directory_root_folder_id = "${data.alicloud_resource_manager_resource_directories.default.directories.0.root_folder_id}"
}

module "control_policies" {
source = "./modules/control_policies"

for_each = {
for rule in var.preventive_guardrails: rule.rule_name => rule
}

name = each.value.rule_name
description = can(each.value.rule_description) ? each.value.rule_description : ""
policy_document = each.value.policy_document
target_id = can(each.value.target_id) ? each.value.target_id : local.resource_directory_root_folder_id
}

#########################################################
# Detective Controls
#########################################################

# Retrieve all the accounts in resource directory
data "alicloud_resource_manager_accounts" "accounts" {
}
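Review bot: The per-rule `target` override can never take effect, because `target_id = can(each.value.target_id) ? each.value.target_id : local.resource_directory_root_folder_id` reads an attribute named `target_id` while both `preventive_guardrails` variable declarations in this commit name it `target`; `can()` turns the unsupported-attribute error into `false`, so every control policy is silently attached to the root folder. Replace the expression with `target_id = each.value.target != null ? each.value.target : local.resource_directory_root_folder_id`. The `can()` on the line above never falls back to `""` either, since an optional object attribute always exists (as null when omitted); `description = each.value.rule_description != null ? each.value.rule_description : ""` expresses the intent. As a style point, the root folder lookup in `locals` could use the native index form `data.alicloud_resource_manager_resource_directories.default.directories[0].root_folder_id` instead of the legacy `"${…}"` interpolation wrapper.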
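--- /dev/null
+++ b/modules/control_policies/FILENAME_NOT_SHOWN
@@ -0,0 +1,11 @@
+resource "alicloud_resource_manager_control_policy" "policy" {
+control_policy_name = var.name
+description = var.description
+effect_scope = "RAM"
+policy_document = var.policy_document
+}
+
+resource "alicloud_resource_manager_control_policy_attachment" "attachment" {
+policy_id = alicloud_resource_manager_control_policy.policy.id
+target_id = var.target_id
+}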
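Review bot: `effect_scope = "RAM"` is the only hard-coded argument in the new `policy` resource and nothing records why it is not exposed as a variable like the other three. A comment such as `# effect_scope: "RAM" is, as far as the provider documents, the only scope accepted for control policies` would save the next maintainer the lookup and make clear the value is deliberate rather than a placeholder.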
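--- /dev/null
+++ b/modules/control_policies/FILENAME_NOT_SHOWN
@@ -0,0 +1,19 @@
+variable "name" {
+type = string
+description = "policy name"
+}
+
+variable "description" {
+type = string
+description = "policy description"
+}
+
+variable "policy_document" {
+type = string
+description = "policy document"
+}
+
+variable "target_id" {
+type = string
+description = "target which policy is applied to"
+}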
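Review bot: `policy_document` accepts any string, so a malformed policy (the example feeds it a hand-written heredoc) is only rejected by the API at apply time; a `validation` block using `can(jsondecode(var.policy_document))` moves that failure to `terraform plan`, where nothing has been created yet. `description` is also required here although the parent module deliberately supplies `""` when the caller gives none, so `default = ""` would let the submodule be used on its own without the caller inventing a value.
```hcl
variable "description" {
  type        = string
  description = "policy description"
  default     = ""
}

variable "policy_document" {
  type        = string
  description = "policy document"
  validation {
    condition     = can(jsondecode(var.policy_document))
    error_message = "policy_document must be a valid JSON policy document."
  }
}

# … unchanged: name and target_id variables …
```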
@@ -1,5 +1,15 @@
terraform {
experiments = [module_variable_optional_attrs]
# terraform {
# experiments = [module_variable_optional_attrs]
# }

variable "preventive_guardrails" {
type = list(object({
rule_name = string
rule_description = optional(string)
policy_document = string
target = optional(string)
}))
description = "preventive guardrails, each item in list should have rule_name and policy_document. If target is not specified, it will be set to root_folder_id"
}
variable "detective_guardrails" {
type = list(object({
