Amazon web services OPA拒绝创建新的子网
我有下面的rego代码Amazon web services OPA拒绝创建新的子网,amazon-web-services,terraform-provider-aws,open-policy-agent,rego,Amazon Web Services,Terraform Provider Aws,Open Policy Agent,Rego,我有下面的rego代码 package terraform.analysis import input as tfplan # acceptable score for automated authorization blast_radius = 5 # weights assigned for each operation on each resource-type weights = { "aws_subnet": {"delete":
package terraform.analysis
import input as tfplan
# acceptable score for automated authorization
blast_radius = 5
# weights assigned for each operation on each resource-type
weights = {
"aws_subnet": {"delete": 100, "create": 10, "modify": 1},
}
# Consider exactly these resource types in calculations
resource_types = {"aws_subnet"}
# Authorization holds if score for the plan is acceptable and no changes are made to IAM
default authz = false
authz {
score < blast_radius
}
# Compute the score for a Terraform plan as the weighted sum of deletions, creations, modifications
score = s {
all := [ x |
some resource_type
crud := weights[resource_type];
del := crud["delete"] * num_deletes[resource_type];
new := crud["create"] * num_creates[resource_type];
mod := crud["modify"] * num_modifies[resource_type];
x := del + new + mod
]
s := sum(all)
}
####################
# Terraform Library
####################
# list of all resources of a given type
resources[resource_type] = all {
some resource_type
resource_types[resource_type]
all := [name |
name:= tfplan.resource_changes[_]
name.type == resource_type
]
}
# number of creations of resources of a given type
num_creates[resource_type] = num {
some resource_type
resource_types[resource_type]
all := resources[resource_type]
creates := [res | res:= all[_]; res.change.actions[_] == "create"]
num := count(creates)
}
# number of deletions of resources of a given type
num_deletes[resource_type] = num {
some resource_type
resource_types[resource_type]
all := resources[resource_type]
deletions := [res | res:= all[_]; res.change.actions[_] == "delete"]
num := count(deletions)
}
# number of modifications to resources of a given type
num_modifies[resource_type] = num {
some resource_type
resource_types[resource_type]
all := resources[resource_type]
modifies := [res | res:= all[_]; res.change.actions[_] == "update"]
num := count(modifies)
}
S3后端如下:
terraform {
backend "s3" {
bucket = "terraform-backend-20200102"
key = "test.plan"
region = "ap-southeast-2"
}
}
我的工作如下:
terraform show -json > tfplan.json # Assuming this reads my test.plan from s3 buckets and writes to local tfplan.json
opa eval --format pretty --data terraform.rego --input tfplan.json "data.terraform.analysis.authz"
我得到“true”作为对任何超过2个子网的子网创建的响应,而我应该期望它为false
注意:提前道歉,我是OPA的新手,但肯定会受到启发。考虑到
爆炸半径=5
,计划中的一、二、三或四个子网被认为是允许的,这似乎是合理的,不是吗?那么我应该降低该值吗?不允许任何超过2个子网的情况。@学习者应将blast_半径更改为3。
terraform show -json > tfplan.json # Assuming this reads my test.plan from s3 buckets and writes to local tfplan.json
opa eval --format pretty --data terraform.rego --input tfplan.json "data.terraform.analysis.authz"