Merge pull request hashicorp#1 from hashicorp/master

Repo update 17FEB21

Author: ja5onhughe5

governance/third-generation/aws/restrict-sagemaker-notebooks.sentinel

@@ -0,0 +1,29 @@
+# This policy uses the Sentinel tfplan/v2 import to require that
+# all Sagemaker Notebook instances have root access and direct internet access
+# disabled
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Get all Sagemaker notebooks
+allSagemakerNotebooks = plan.find_resources("aws_sagemaker_notebook_instance")
+#print("allSagemakerNotebooks:", allSagemakerNotebooks)
+
+# Filter to Sagemaker notebooks that have root_access set to "Enabled"
+# or missing.
+# Warnings will be printed for all violations since the last parameter is true
+sagemakerNotebooksWithRootAccess = plan.filter_attribute_is_not_value(
+                        allSagemakerNotebooks, "root_access", "Disabled", true)
+
+# Filter to Sagemaker notebooks that have direct_internet_access set to "Enabled"
+# or missing.
+# Warnings will be printed for all violations since the last parameter is true
+sagemakerNotebooksWithDirectInternetAccess = plan.filter_attribute_is_not_value(
+              allSagemakerNotebooks, "direct_internet_access", "Disabled", true)
+
+# Main rule
+validated = length(sagemakerNotebooksWithRootAccess["messages"]) is 0 and length(sagemakerNotebooksWithDirectInternetAccess["messages"]) is 0
+main = rule {
+  validated is true
+}

governance/third-generation/aws/test/restrict-sagemaker-notebooks/fail-direct-internet-access.hcl

@@ -0,0 +1,15 @@
+module "tfplan-functions" {
+  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+}
+
+mock "tfplan/v2" {
+  module {
+    source = "mock-tfplan-fail-direct-internet.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/aws/test/restrict-sagemaker-notebooks/fail-missing-values.hcl

@@ -0,0 +1,15 @@
+module "tfplan-functions" {
+  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+}
+
+mock "tfplan/v2" {
+  module {
+    source = "mock-tfplan-fail-missing-values.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/aws/test/restrict-sagemaker-notebooks/fail-root-access.hcl

@@ -0,0 +1,15 @@
+module "tfplan-functions" {
+  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+}
+
+mock "tfplan/v2" {
+  module {
+    source = "mock-tfplan-fail-root-access.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/aws/test/restrict-sagemaker-notebooks/fail-root-and-internet-access.hcl

@@ -0,0 +1,15 @@
+module "tfplan-functions" {
+  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+}
+
+mock "tfplan/v2" {
+  module {
+    source = "mock-tfplan-fail-root-and-internet-access.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}