Merge pull request hashicorp#272 from ja5onhughe5/master

Null check, better violation msgs, and added function descriptions

Author: rberlind

governance/third-generation/aws/restrict-ingress-sg-rule-rdp.sentinel

@@ -1,5 +1,5 @@
 # This policy uses the Sentinel tfplan/v2 import to validate that no security group
-# rules have the have SSH open to CIDR "0.0.0.0/0" for ingress rules.  It covers both the
+# rules have the have RDP open to CIDR "0.0.0.0/0" for ingress rules.  It covers both the
 # aws_security_group and the aws_security_group_rule resources which can both
 # define rules.
 
@@ -40,19 +40,50 @@ for aws_security_group_rules as address, sgr {
 	# We check that it is present and really a list
 	# before checking whether it contains "0.0.0.0/0"
 	if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is null and 
+    	sgr.change.after.to_port else null is not null and 
+		sgr.change.after.to_port is forbidden_to_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(RDP) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port that is null or undefined")
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
 		sgr.change.after.from_port else null is not null and
-		sgr.change.after.from_port <= forbidden_from_port and 
+    	sgr.change.after.from_port is forbidden_from_port and 
+		sgr.change.after.to_port else null is null{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(RDP) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port)
+		print("   and Ingress Rule has to_port that is null or undefined")
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is not null and
+    	sgr.change.after.from_port <= forbidden_from_port and 
 		sgr.change.after.to_port else null is not null and
 		sgr.change.after.to_port >= forbidden_to_port{
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 		"(RDP) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has from_port with value", sgr.change.after.from_port, 
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port, 
 		"that is less than or equal to", forbidden_from_port)
-		print("  and Ingress Rule has to_port with value", sgr.change.after.to_port, 
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port, 
 		"that is greater than or equal to", forbidden_to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
 	} else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
@@ -61,7 +92,10 @@ for aws_security_group_rules as address, sgr {
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 			"(RDP) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has to_port with value", sgr.change.after.to_port)
+		print("  Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end of SG Rules
 
@@ -80,11 +114,6 @@ for allSGs as address, sg {
 	violatingCidr = plan.filter_attribute_contains_items_from_list(ingressRules,
 					"cidr_blocks", forbidden_cidrs, false)
 
-	# Filter to violating Service port
-	# Warnings will not be printed for violations since the last parameter is false
-	violatingToPort = plan.filter_attribute_is_value(ingressRules,
-						"to_port", forbidden_to_port, false)
-	
 	# Filter to violating Service port
 	# Warnings will not be printed for violations since the last parameter is false
 	violatingFromPortLess = plan.filter_attribute_less_than_equal_to_value(ingressRules,
@@ -104,14 +133,10 @@ for allSGs as address, sg {
 ###Uncomment below if you want to show the CIDRs as a separate message as well
 #	plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
 	plan.print_violations(violatingFromPortLess["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPortGreater["messages"], "  and Ingress Rule")
-	} else if length(violatingCidr["messages"]) > 0 and length(violatingToPort["messages"]) > 0{
-	violatingSGsCount += 1
-    print("SG Ingress Violation:", address, "has port", forbidden_port, 
-			"(RDP) open to", forbidden_cidrs, "that is not allowed")
-###Uncomment below if you want to show the CIDRs as a separate message as well
-#   plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPort["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPortGreater["messages"], "   and Ingress Rule")
+	print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+	print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end for SGs
 

governance/third-generation/aws/restrict-ingress-sg-rule-ssh.sentinel

@@ -40,19 +40,50 @@ for aws_security_group_rules as address, sgr {
 	# We check that it is present and really a list
 	# before checking whether it contains "0.0.0.0/0"
 	if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is null and 
+    	sgr.change.after.to_port else null is not null and 
+		sgr.change.after.to_port is forbidden_to_port{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(SSH) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port that is null or undefined")
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
 		sgr.change.after.from_port else null is not null and
-		sgr.change.after.from_port <= forbidden_from_port and 
+    	sgr.change.after.from_port is forbidden_from_port and 
+		sgr.change.after.to_port else null is null{
+		violatingSGRulesCount += 1
+		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
+		"(SSH) open to", forbidden_cidrs, "that is not allowed")
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port)
+		print("   and Ingress Rule has to_port that is null or undefined")
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
+  } else if sgr.change.after.cidr_blocks else null is not null and
+		types.type_of(sgr.change.after.cidr_blocks) is "list" and
+		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
+		sgr.change.after.from_port else null is not null and
+    	sgr.change.after.from_port <= forbidden_from_port and 
 		sgr.change.after.to_port else null is not null and
 		sgr.change.after.to_port >= forbidden_to_port{
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 		"(SSH) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has from_port with value", sgr.change.after.from_port, 
+		print("  Ingress Rule has from_port with value", sgr.change.after.from_port, 
 		"that is less than or equal to", forbidden_from_port)
-		print("  and Ingress Rule has to_port with value", sgr.change.after.to_port, 
+		print("   and Ingress Rule has to_port with value", sgr.change.after.to_port, 
 		"that is greater than or equal to", forbidden_to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
 	} else if sgr.change.after.cidr_blocks else null is not null and
 		types.type_of(sgr.change.after.cidr_blocks) is "list" and
 		sgr.change.after.cidr_blocks contains "0.0.0.0/0" and
@@ -61,7 +92,10 @@ for aws_security_group_rules as address, sgr {
 		violatingSGRulesCount += 1
 		print("SG Rule Ingress Violation:", address, "has port", forbidden_port, 
 			"(SSH) open to", forbidden_cidrs, "that is not allowed")
-		print("  Ingress Rule", "has to_port with value", sgr.change.after.to_port)
+		print("  Ingress Rule has to_port with value", sgr.change.after.to_port)
+		print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+		print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end of SG Rules
 
@@ -80,11 +114,6 @@ for allSGs as address, sg {
 	violatingCidr = plan.filter_attribute_contains_items_from_list(ingressRules,
 					"cidr_blocks", forbidden_cidrs, false)
 
-	# Filter to violating Service port
-	# Warnings will not be printed for violations since the last parameter is false
-	violatingToPort = plan.filter_attribute_is_value(ingressRules,
-						"to_port", forbidden_to_port, false)
-	
 	# Filter to violating Service port
 	# Warnings will not be printed for violations since the last parameter is false
 	violatingFromPortLess = plan.filter_attribute_less_than_equal_to_value(ingressRules,
@@ -104,14 +133,10 @@ for allSGs as address, sg {
 ###Uncomment below if you want to show the CIDRs as a separate message as well
 #	plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
 	plan.print_violations(violatingFromPortLess["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPortGreater["messages"], "  and Ingress Rule")
-	} else if length(violatingCidr["messages"]) > 0 and length(violatingToPort["messages"]) > 0{
-	violatingSGsCount += 1
-    print("SG Ingress Violation:", address, "has port", forbidden_port, 
-			"(SSH) open to", forbidden_cidrs, "that is not allowed")
-###Uncomment below if you want to show the CIDRs as a separate message as well
-#   plan.print_violations(violatingCidr["messages"], "  Ingress Rule")
-	plan.print_violations(violatingToPort["messages"], "  Ingress Rule")
+	plan.print_violations(violatingToPortGreater["messages"], "   and Ingress Rule")
+	print("  The to_port and from_port both need to be set to an integer",
+			"range or of equal")
+	print("   value to each other that is either less than or greater than", forbidden_port)
   }
 } // end for SGs
 

governance/third-generation/aws/test/restrict-ingress-sg-rule-rdp/mock-tfplan-fail.sentinel

@@ -16,10 +16,10 @@ resource_changes = {
 						"from_port":        0,
 						"ipv6_cidr_blocks": [],
 						"prefix_list_ids":  [],
-						"protocol":         "-1",
+						"protocol":         "tcp",
 						"security_groups":  [],
 						"self":             false,
-						"to_port":          3389,
+						"to_port":          9443,
 					},
 				],
 				"name":                   "bar",
@@ -69,13 +69,13 @@ resource_changes = {
 							"0.0.0.0/0",
 						],
 						"description":      "baz",
-						"from_port":        0,
+						"from_port":        null,
 						"ipv6_cidr_blocks": [],
 						"prefix_list_ids":  [],
 						"protocol":         "tcp",
 						"security_groups":  [],
 						"self":             false,
-						"to_port":          9443,
+						"to_port":          3389,
 					},
 				],
 				"name":                   "baz",
@@ -174,18 +174,42 @@ resource_changes = {
 				"create",
 			],
 			"after": {
-				"description":            "seuss",
+				"description": "seuss",
+				"ingress": [
+					{
+						"cidr_blocks": [
+							"0.0.0.0/0",
+						],
+						"description":      "seuss",
+						"from_port":        3389,
+						"ipv6_cidr_blocks": [],
+						"prefix_list_ids":  [],
+						"protocol":         "tcp",
+						"security_groups":  [],
+						"self":             false,
+						"to_port":          null,
+					},
+				],
 				"name":                   "seuss",
 				"name_prefix":            null,
 				"revoke_rules_on_delete": false,
 				"tags":     null,
 				"timeouts": null,
 			},
 			"after_unknown": {
-				"arn":      true,
-				"egress":   true,
-				"id":       true,
-				"ingress":  true,
+				"arn":    true,
+				"egress": true,
+				"id":     true,
+				"ingress": [
+					{
+						"cidr_blocks": [
+							false,
+						],
+						"ipv6_cidr_blocks": [],
+						"prefix_list_ids":  [],
+						"security_groups":  [],
+					},
+				],
 				"owner_id": true,
 				"vpc_id":   true,
 			},
@@ -195,7 +219,7 @@ resource_changes = {
 		"index":          null,
 		"mode":           "managed",
 		"module_address": "",
-		"name":           "seuss",
+		"name":           "foo",
 		"provider_name":  "aws",
 		"type":           "aws_security_group",
 	},
@@ -215,7 +239,7 @@ resource_changes = {
 				"prefix_list_ids":  null,
 				"protocol":         "-1",
 				"self":             false,
-				"to_port":          0,
+				"to_port":          9443,
 				"type":             "ingress",
 			},
 			"after_unknown": {
@@ -247,7 +271,7 @@ resource_changes = {
 					"0.0.0.0/0",
 				],
 				"description":      "green",
-				"from_port":        0,
+				"from_port":        3389,
 				"ipv6_cidr_blocks": null,
 				"prefix_list_ids":  null,
 				"protocol":         "tcp",
@@ -284,12 +308,12 @@ resource_changes = {
 					"0.0.0.0/0",
 				],
 				"description":      "ham",
-				"from_port":        0,
+				"from_port":        null,
 				"ipv6_cidr_blocks": null,
 				"prefix_list_ids":  null,
 				"protocol":         "tcp",
 				"self":             false,
-				"to_port":          9443,
+				"to_port":          3389,
 				"type":             "ingress",
 			},
 			"after_unknown": {
@@ -310,4 +334,41 @@ resource_changes = {
 		"provider_name":  "aws",
 		"type":           "aws_security_group_rule",
 	},
-}
+	"aws_security_group_rule.bar": {
+		"address": "aws_security_group_rule.bar",
+		"change": {
+			"actions": [
+				"create",
+			],
+			"after": {
+				"cidr_blocks": [
+					"0.0.0.0/0",
+				],
+				"description":      "bar",
+				"from_port":        3389,
+				"ipv6_cidr_blocks": null,
+				"prefix_list_ids":  null,
+				"protocol":         "tcp",
+				"self":             false,
+				"to_port":          null,
+				"type":             "ingress",
+			},
+			"after_unknown": {
+				"cidr_blocks": [
+					false,
+				],
+				"id":                       true,
+				"security_group_id":        true,
+				"source_security_group_id": true,
+			},
+			"before": null,
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "bar",
+		"provider_name":  "aws",
+		"type":           "aws_security_group_rule",
+	},
+}