# Enforces the use of specific subnets on EC2 instances
# This policy first checks that a subnet_id has been specified, i.e. that the instance is not left to the default subnet of its AZ
package terraform
import input.tfplan as tfplan
# Add only private subnets to this list.
# NOTE: OPA cannot validate that a subnet is private unless the terraform config is actually creating the subnet.
# This list is the only thing the policy enforces: an aws_instance whose resolved
# subnet_id is not one of these entries is denied, regardless of the subnet's real
# routing. Keep it in sync with the account's actual private subnet IDs.
allowed_subnets = [
"subnet-019c416174b079502",
"subnet-04dbded374ed11690"
]
# True when `elem` equals at least one element of `arr`; undefined otherwise,
# which is what lets callers negate it with `not`.
array_contains(arr, elem) {
    elem == arr[_]
}
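# Check that subnet has been specified.
# Denies every planned managed aws_instance whose subnet_id is still unknown
# in the plan (i.e. not set in the terraform configuration), so the instance
# cannot silently land in the default subnet of its AZ. The resource address
# is included in the reason so the offending instance can be located.
deny[reason] {
    r = tfplan.resource_changes[_]
    r.mode == "managed"
    r.type == "aws_instance"
    # In the terraform plan JSON, after_unknown.subnet_id is true only when the
    # value could not be resolved at plan time; if the key is absent this
    # expression is undefined and the rule does not fire.
    true == r.change.after_unknown.subnet_id
    reason := sprintf(
        # Message typo fixed: "specied" -> "specified".
        "%-40s :: subnet_id must be specified in terraform configuration.",
        [r.address]
    )
}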
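# Check subnet is in allowed list for EC2 instances.
# Denies every planned managed aws_instance whose resolved subnet_id is not
# one of allowed_subnets. When subnet_id is unknown (or `after` is null, as
# on a destroy), r.change.after.subnet_id is undefined; the `not` then holds
# but the sprintf below is undefined too, so this rule does not fire — the
# unknown case is reported by the "must be specified" rule instead.
deny[reason] {
    r = tfplan.resource_changes[_]
    r.mode == "managed"
    r.type == "aws_instance"
    not array_contains(allowed_subnets, r.change.after.subnet_id)
    reason := sprintf(
        # The policy only knows the subnet is absent from the allowlist; it
        # cannot verify that the subnet is public (see the note on
        # allowed_subnets), so the message states exactly what was checked.
        "%-40s :: subnet_id '%s' is not in the allowed subnet list",
        [r.address, r.change.after.subnet_id]
    )
}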