Amazon Web Services: OPA rejects creation of new subnets

Tags: amazon-web-services, terraform-provider-aws, open-policy-agent, rego

I have the following Rego code:

package terraform.analysis

import input as tfplan

# acceptable score for automated authorization
blast_radius = 5

# weights assigned for each operation on each resource-type
weights = {
    "aws_subnet": {"delete": 100, "create": 10, "modify": 1},
}

# Consider exactly these resource types in calculations
resource_types = {"aws_subnet"}

# Authorization holds if the score for the plan is acceptable
# (no IAM check is performed by this policy; only resource_types are scored)
default authz = false
authz {
    score < blast_radius
}


# Compute the score for a Terraform plan as the weighted sum of deletions, creations, modifications
score = s {
    all := [ x |
            some resource_type
            crud := weights[resource_type];
            del := crud["delete"] * num_deletes[resource_type];
            new := crud["create"] * num_creates[resource_type];
            mod := crud["modify"] * num_modifies[resource_type];
            x := del + new + mod
    ]
    s := sum(all)
}

####################
# Terraform Library
####################

# list of all resources of a given type
resources[resource_type] = all {
    some resource_type
    resource_types[resource_type]
    all := [name |
        name:= tfplan.resource_changes[_]
        name.type == resource_type
    ]
}

# number of creations of resources of a given type
num_creates[resource_type] = num {
    some resource_type
    resource_types[resource_type]
    all := resources[resource_type]
    creates := [res |  res:= all[_]; res.change.actions[_] == "create"]
    num := count(creates)
}


# number of deletions of resources of a given type
num_deletes[resource_type] = num {
    some resource_type
    resource_types[resource_type]
    all := resources[resource_type]
    deletions := [res |  res:= all[_]; res.change.actions[_] == "delete"]
    num := count(deletions)
}

# number of modifications to resources of a given type
num_modifies[resource_type] = num {
    some resource_type
    resource_types[resource_type]
    all := resources[resource_type]
    modifies := [res |  res:= all[_]; res.change.actions[_] == "update"]
    num := count(modifies)
}
The S3 backend is as follows:


terraform {
  backend "s3" {
    bucket = "terraform-backend-20200102"
    key    = "test.plan"
    region = "ap-southeast-2"
  }
}
My workflow is as follows:

terraform show -json > tfplan.json # Assuming this reads my test.plan from s3 buckets and writes to local tfplan.json
opa eval --format pretty --data terraform.rego --input tfplan.json "data.terraform.analysis.authz"
I get "true" as the response for any subnet creation of more than 2 subnets, whereas I would expect it to be false.


Note: apologies in advance, I am new to OPA, but I will certainly learn from this.
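To make the arithmetic of the posted policy concrete, here is an added Python re-implementation of its scoring over constructed plan JSON. This is not OPA and not the asker's code; the helper names `count_actions`, `score`, `authz`, `subnet_plan`, `load_plan` and the sample inputs are assumptions made for this example. It goes slightly beyond the question: it shows what the posted weights actually produce (with `create` weighted 10, a single created subnet already scores 10 and fails a blast_radius of 5 or 3, and only update-only plans can pass), and it exercises the edge case where the input has no `resource_changes` key at all, which the Rego comprehensions treat as an empty plan, so the score is 0 and `authz` is true.

```python
"""Python mirror of the posted Rego scoring policy (added example, not the
asker's code and not OPA). Helper names and sample plans are constructed
here so the numbers can be checked without Terraform or OPA installed."""
import json

# Constants copied from the posted terraform.rego
BLAST_RADIUS = 5
WEIGHTS = {"aws_subnet": {"delete": 100, "create": 10, "modify": 1}}
RESOURCE_TYPES = {"aws_subnet"}

# Terraform plan action names -> keys in WEIGHTS
# (the Rego counts "update" actions under the "modify" weight)
ACTION_TO_WEIGHT = {"delete": "delete", "create": "create", "update": "modify"}


def load_plan(path):
    """Read a tfplan.json produced by `terraform show -json <planfile>`."""
    with open(path) as f:
        return json.load(f)


def count_actions(plan, resource_type):
    """Mirror of num_deletes / num_creates / num_modifies for one type.

    Every entry of change.actions is counted, so a replace
    (["delete", "create"]) adds both weights. If the input has no
    `resource_changes` key at all, the Rego comprehensions are simply
    empty and every count is 0; plan.get(..., []) reproduces that.
    """
    counts = {"delete": 0, "create": 0, "modify": 0}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != resource_type:
            continue
        for action in rc.get("change", {}).get("actions", []):
            key = ACTION_TO_WEIGHT.get(action)
            if key is not None:
                counts[key] += 1
    return counts


def score(plan):
    """Mirror of the Rego `score` rule: weighted sum over resource_types."""
    total = 0
    for rt in RESOURCE_TYPES:
        counts = count_actions(plan, rt)
        total += sum(w * counts[k] for k, w in WEIGHTS[rt].items())
    return total


def authz(plan, blast_radius=BLAST_RADIUS):
    """Mirror of the Rego `authz` rule."""
    return score(plan) < blast_radius


def subnet_plan(n_create=0, n_update=0, n_delete=0, n_replace=0):
    """Constructed plan JSON in the shape `terraform show -json <planfile>`
    emits, restricted to the fields the policy reads."""
    action_lists = ([["create"]] * n_create + [["update"]] * n_update
                    + [["delete"]] * n_delete + [["delete", "create"]] * n_replace)
    changes = [
        {"address": f"aws_subnet.s[{i}]", "type": "aws_subnet",
         "change": {"actions": actions}}
        for i, actions in enumerate(action_lists)
    ]
    return {"format_version": "0.1", "resource_changes": changes}


# Constructed input with no `resource_changes` key (state-shaped JSON rather
# than a plan). The policy scores it 0 and therefore authorizes it.
STATE_SHAPED_INPUT = {"format_version": "1.0",
                      "values": {"root_module": {"resources": []}}}


if __name__ == "__main__":
    for n in range(0, 5):
        p = subnet_plan(n_create=n)
        print(f"{n} subnet create(s): score={score(p):3d} "
              f"authz(5)={authz(p)} authz(3)={authz(p, 3)}")
    print(f"4 updates only: score={score(subnet_plan(n_update=4))} "
          f"authz={authz(subnet_plan(n_update=4))}")
    print(f"no resource_changes key: score={score(STATE_SHAPED_INPUT)} "
          f"authz={authz(STATE_SHAPED_INPUT)}")
```

If `opa eval` returns true for a plan that creates subnets, the first thing to compare is the input: `score` can only be below 5 when `resource_changes` contains no `aws_subnet` entries with a `create` or `delete` action, so dump the `resource_changes` array of the tfplan.json being fed to OPA and check it holds what you expect.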

Given blast_radius = 5, one, two, three or four subnets in the plan are considered allowed, which seems reasonable, doesn't it?

So should I lower that value? Nothing with more than 2 subnets should be allowed.

@Learner you should change blast_radius to 3.