Add some functionality and info

ja5onhughe5 · ja5onhughe5 · commit 0e5b9241bc9c · 2021-02-19T18:28:32.000-05:00
I added a null check in the aws_security_group_rule loop and additional info in the fail messaging.
diff --git a/governance/third-generation/aws/restrict-ingress-sg-rule-rdp.sentinel b/governance/third-generation/aws/restrict-ingress-sg-rule-rdp.sentinel
@@ -1,5 +1,5 @@
 # This policy uses the Sentinel tfplan/v2 import to validate that no security group
-# rules have the have SSH open to CIDR "0.0.0.0/0" for ingress rules.  It covers both the
+# rules have the have RDP open to CIDR "0.0.0.0/0" for ingress rules.  It covers both the
 # aws_security_group and the aws_security_group_rule resources which can both
 # define rules.
 
@@ -40,19 +40,50 @@ for aws_security_group_rules as address, sgr {
 	# We check that it is present and really a list
 	# before checking whether it contains "0.0.0.0/0"
 	if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is null and 
+    	sgr.change.after.to_port else null is not null and 
+		sgr.change.after.to_port is forbidden_to_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(RDP) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port that is null or undefined")
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
 		sgr.change.after.from_port else null is not null and
-		sgr.change.after.from_port <= forbidden_from_port and 
+    	sgr.change.after.from_port is forbidden_from_port and 
+		sgr.change.after.to_port else null is null{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(RDP) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port)
+		print("   and Ingress Rule has to_port that is null or undefined")
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is not null and
+    	sgr.change.after.from_port <= forbidden_from_port and 
 		sgr.change.after.to_port else null is not null and
 		sgr.change.after.to_port >= forbidden_to_port{
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 		"(RDP) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has from_port with value", sgr.change.after.from_port, 
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port, 
 		"that is less than or equal to", forbidden_from_port)
-		print("  and Ingress Rule has to_port with value", sgr.change.after.to_port, 
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port, 
 		"that is greater than or equal to", forbidden_to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
 	} else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
@@ -61,7 +92,10 @@ for aws_security_group_rules as address, sgr {
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 			"(RDP) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has to_port with value", sgr.change.after.to_port)
+		print("  Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end of SG Rules
 
@@ -80,11 +114,6 @@ for allSGs as address, sg {
 	violatingCidr = plan.filter_attribute_contains_items_from_list(ingressRules,
 					"cidr_blocks", forbidden_cidrs, false)
 	
-	# Filter to violating Service port
-	# Warnings will not be printed for violations since the last parameter is false
-	violatingToPort = plan.filter_attribute_is_value(ingressRules,
-						"to_port", forbidden_to_port, false)
-	
 	# Filter to violating Service port
 	# Warnings will not be printed for violations since the last parameter is false
 	violatingFromPortLess = plan.filter_attribute_less_than_equal_to_value(ingressRules,
@@ -104,14 +133,10 @@ for allSGs as address, sg {
 ###Uncomment below if you want to show the CIDRs as a separate message as well
 #	plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
 	plan.print_violations(violatingFromPortLess["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPortGreater["messages"], "  and Ingress Rule")
-	} else if length(violatingCidr["messages"]) > 0 and length(violatingToPort["messages"]) > 0{
-	violatingSGsCount += 1
-    print("SG Ingress Violation:", address, "has port", forbidden_port, 
-			"(RDP) open to", forbidden_cidrs, "that is not allowed")
-###Uncomment below if you want to show the CIDRs as a separate message as well
-#   plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPort["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPortGreater["messages"], "   and Ingress Rule")
+	print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+	print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end for SGs
 
diff --git a/governance/third-generation/aws/restrict-ingress-sg-rule-ssh.sentinel b/governance/third-generation/aws/restrict-ingress-sg-rule-ssh.sentinel
@@ -40,19 +40,50 @@ for aws_security_group_rules as address, sgr {
 	# We check that it is present and really a list
 	# before checking whether it contains "0.0.0.0/0"
 	if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is null and 
+    	sgr.change.after.to_port else null is not null and 
+		sgr.change.after.to_port is forbidden_to_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(SSH) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port that is null or undefined")
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
 		sgr.change.after.from_port else null is not null and
-		sgr.change.after.from_port <= forbidden_from_port and 
+    	sgr.change.after.from_port is forbidden_from_port and 
+		sgr.change.after.to_port else null is null{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(SSH) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port)
+		print("   and Ingress Rule has to_port that is null or undefined")
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is not null and
+    	sgr.change.after.from_port <= forbidden_from_port and 
 		sgr.change.after.to_port else null is not null and
 		sgr.change.after.to_port >= forbidden_to_port{
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 		"(SSH) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has from_port with value", sgr.change.after.from_port, 
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port, 
 		"that is less than or equal to", forbidden_from_port)
-		print("  and Ingress Rule has to_port with value", sgr.change.after.to_port, 
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port, 
 		"that is greater than or equal to", forbidden_to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
 	} else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
@@ -61,7 +92,10 @@ for aws_security_group_rules as address, sgr {
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 			"(SSH) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has to_port with value", sgr.change.after.to_port)
+		print("  Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end of SG Rules
 
@@ -80,11 +114,6 @@ for allSGs as address, sg {
 	violatingCidr = plan.filter_attribute_contains_items_from_list(ingressRules,
 					"cidr_blocks", forbidden_cidrs, false)
 	
-	# Filter to violating Service port
-	# Warnings will not be printed for violations since the last parameter is false
-	violatingToPort = plan.filter_attribute_is_value(ingressRules,
-						"to_port", forbidden_to_port, false)
-	
 	# Filter to violating Service port
 	# Warnings will not be printed for violations since the last parameter is false
 	violatingFromPortLess = plan.filter_attribute_less_than_equal_to_value(ingressRules,
@@ -104,14 +133,10 @@ for allSGs as address, sg {
 ###Uncomment below if you want to show the CIDRs as a separate message as well
 #	plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
 	plan.print_violations(violatingFromPortLess["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPortGreater["messages"], "  and Ingress Rule")
-	} else if length(violatingCidr["messages"]) > 0 and length(violatingToPort["messages"]) > 0{
-	violatingSGsCount += 1
-    print("SG Ingress Violation:", address, "has port", forbidden_port, 
-			"(SSH) open to", forbidden_cidrs, "that is not allowed")
-###Uncomment below if you want to show the CIDRs as a separate message as well
-#   plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPort["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPortGreater["messages"], "   and Ingress Rule")
+	print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+	print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end for SGs
 
