Merge pull request hashicorp#273 from hashicorp/add-rds-deletion-protection-policy

Add rds deletion protection policy

Author: rberlind

governance/third-generation/README.md

@@ -72,7 +72,7 @@ Each of these modules has several types of functions:
     * `resources`: a map consisting of resource changes (for tfplan/v2) or resources (for tfstate/v2) or blocks that violate a condition.
     * `messages`: a map of violation messages associated with the resource changes, resources, or blocks.
   Note that both the `resources` and `messages` collections are indexed by the address of the resources, so they will have the same order and length. The filter functions all call the `evaluate_attribute` function to evaluate attributes of resources even if nested deep within them. After calling a filter function and assigning the results to a variable like `violatingResources`, you can test if there are any violations with this condition: `length(violatingResources["messages"]) is 0`.
-  * The `evaluate_attribute` function, which can evaluate the values of any attribute of any resource even if it is deeply nested inside the resource. It does this by calling itself recursively.
+  * The `evaluate_attribute` function, which can evaluate the values of any attribute of any resource even if it is deeply nested inside the resource. It does this by calling itself recursively. The implementation in the tfplan-functions module will convert `rc` to `rc.change.after`. If you want it to examine previous values instead of planned values, pass it `rc.change.before` instead of `rc`.
   * The `to_string` function which can convert any Sentinel object to a string. It is used to build the messages in the `messages` collection returned by the filter functions.
   * The `print_violations` function which can be called after calling one of the filter function to print the violation messages. This would only be called if the `prtmsg` argument had been set to `false` when calling the filter function. This is sometimes desirable especially if processing blocks of resources since your policy can then print some other message that gives the address of the resource with block-level violations before printing them.
 

governance/third-generation/aws/protect-against-rds-instance-deletion.sentinel

@@ -0,0 +1,32 @@
+# This policy uses the Sentinel tfplan/v2 import to prevent deletion
+# of RDS instances that have `deletion_protection` set to true.
+# Note that it calls the `filter_attribute_was_value()` function which passes
+# `rc.change.before` instead of `rc` to the `evaluate_attribute()` function
+# which converts `rc` to `rc.change.after`.
+
+# Import common-functions/tfplan-functions/tfplan-functions.sentinel
+# with alias "plan"
+import "tfplan-functions" as plan
+
+# Get all resources being destroyed
+resourcesBeingDestroyed = plan.find_resources_being_destroyed()
+
+# Filter to RDS instances being destroyed
+RDSInstancesBeingDestroyed = filter resourcesBeingDestroyed as address, rc {
+  rc.type is "aws_db_instance"
+}
+
+# Filter to RDS instances with violations
+# Warnings will be printed for all violations since the last parameter is true
+violatingRDSInstances = plan.filter_attribute_was_value(RDSInstancesBeingDestroyed,
+                        "deletion_protection", true, false)
+
+if length(violatingRDSInstances["messages"]) > 0 {
+  print("RDS instances with deletion_protection set to true cannot be destroyed.")
+  plan.print_violations(violatingRDSInstances["messages"], "")
+}
+
+# Main rule
+main = rule {
+  length(violatingRDSInstances["messages"]) is 0
+}

governance/third-generation/aws/sentinel.hcl

@@ -19,6 +19,11 @@ policy "enforce-mandatory-tags" {
   enforcement_level = "advisory"
 }
 
+policy "protect-against-rds-instance-deletion" {
+  source = "./protect-against-rds-instance-deletion.sentinel"
+  enforcement_level = "advisory"
+}
+
 policy "require-dns-support-for-vpcs" {
   source = "./require-dns-support-for-vpcs.sentinel"
   enforcement_level = "advisory"
@@ -120,7 +125,7 @@ policy "restrict-sagemaker-notebooks" {
 }
 
 policy "restrict-subnet-of-ec2-instances" {
-  source = "./restrict-subnet-of-ec2-instancess.sentinel"
+  source = "./restrict-subnet-of-ec2-instances.sentinel"
   enforcement_level = "advisory"
 }
 

governance/third-generation/aws/test/protect-against-rds-instance-deletion/fail.hcl

@@ -0,0 +1,15 @@
+module "tfplan-functions" {
+  source = "../../../common-functions/tfplan-functions/tfplan-functions.sentinel"
+}
+
+mock "tfplan/v2" {
+  module {
+    source = "mock-tfplan-fail.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/aws/test/protect-against-rds-instance-deletion/mock-tfplan-fail.sentinel

@@ -0,0 +1,315 @@
+terraform_version = "0.13.6"
+
+planned_values = {
+	"outputs":   {},
+	"resources": {},
+}
+
+variables = {}
+
+resource_changes = {
+	"aws_db_instance.default": {
+		"address": "aws_db_instance.default",
+		"change": {
+			"actions": [
+				"delete",
+			],
+			"after":         null,
+			"after_unknown": {},
+			"before": {
+				"address":                     "terraform-20210224200525302700000001.cjm7z941xa9c.us-east-1.rds.amazonaws.com",
+				"allocated_storage":           10,
+				"allow_major_version_upgrade": null,
+				"apply_immediately":           null,
+				"arn":                         "arn:aws:rds:us-east-1:711129375688:db:terraform-20210224200525302700000001",
+				"auto_minor_version_upgrade":          true,
+				"availability_zone":                   "us-east-1c",
+				"backup_retention_period":             0,
+				"backup_window":                       "06:57-07:27",
+				"ca_cert_identifier":                  "rds-ca-2019",
+				"character_set_name":                  null,
+				"copy_tags_to_snapshot":               false,
+				"db_subnet_group_name":                "default",
+				"delete_automated_backups":            true,
+				"deletion_protection":                 true,
+				"domain":                              "",
+				"domain_iam_role_name":                "",
+				"enabled_cloudwatch_logs_exports":     [],
+				"endpoint":                            "terraform-20210224200525302700000001.cjm7z941xa9c.us-east-1.rds.amazonaws.com:3306",
+				"engine":                              "mysql",
+				"engine_version":                      "5.7.26",
+				"final_snapshot_identifier":           null,
+				"hosted_zone_id":                      "Z2R2ITUGPM61AM",
+				"iam_database_authentication_enabled": false,
+				"id":                                    "terraform-20210224200525302700000001",
+				"identifier":                            "terraform-20210224200525302700000001",
+				"identifier_prefix":                     null,
+				"instance_class":                        "db.t3.micro",
+				"iops":                                  0,
+				"kms_key_id":                            "",
+				"latest_restorable_time":                "0001-01-01T00:00:00Z",
+				"license_model":                         "general-public-license",
+				"maintenance_window":                    "sat:03:23-sat:03:53",
+				"max_allocated_storage":                 0,
+				"monitoring_interval":                   0,
+				"monitoring_role_arn":                   "",
+				"multi_az":                              false,
+				"name":                                  "mydb",
+				"option_group_name":                     "default:mysql-5-7",
+				"parameter_group_name":                  "default.mysql5.7",
+				"password":                              "foobarbaz",
+				"performance_insights_enabled":          false,
+				"performance_insights_kms_key_id":       "",
+				"performance_insights_retention_period": 0,
+				"port":                     3306,
+				"publicly_accessible":      false,
+				"replicas":                 [],
+				"replicate_source_db":      "",
+				"resource_id":              "db-FQBMWQWOZZJIQQI6U7T74XITAM",
+				"restore_to_point_in_time": [],
+				"s3_import":                [],
+				"security_group_names":     [],
+				"skip_final_snapshot":      true,
+				"snapshot_identifier":      null,
+				"status":                   "available",
+				"storage_encrypted":        false,
+				"storage_type":             "gp2",
+				"tags":                     {},
+				"timeouts":                 null,
+				"timezone":                 "",
+				"username":                 "foo",
+				"vpc_security_group_ids": [
+					"sg-d6ecdbf4",
+				],
+			},
+		},
+		"deposed":        "",
+		"index":          null,
+		"mode":           "managed",
+		"module_address": "",
+		"name":           "default",
+		"provider_name":  "registry.terraform.io/hashicorp/aws",
+		"type":           "aws_db_instance",
+	},
+}
+
+output_changes = {}
+
+raw = {
+	"configuration": {
+		"root_module": {
+			"resources": [
+				{
+					"address": "aws_db_instance.default",
+					"expressions": {
+						"allocated_storage": {
+							"constant_value": 10,
+						},
+						"deletion_protection": {
+							"constant_value": true,
+						},
+						"engine": {
+							"constant_value": "mysql",
+						},
+						"engine_version": {
+							"constant_value": "5.7",
+						},
+						"instance_class": {
+							"constant_value": "db.t3.micro",
+						},
+						"name": {
+							"constant_value": "mydb",
+						},
+						"parameter_group_name": {
+							"constant_value": "default.mysql5.7",
+						},
+						"password": {
+							"constant_value": "foobarbaz",
+						},
+						"skip_final_snapshot": {
+							"constant_value": true,
+						},
+						"username": {
+							"constant_value": "foo",
+						},
+					},
+					"mode":                "managed",
+					"name":                "default",
+					"provider_config_key": "aws",
+					"schema_version":      1,
+					"type":                "aws_db_instance",
+				},
+			],
+		},
+	},
+	"format_version": "0.1",
+	"planned_values": {
+		"root_module": {},
+	},
+	"prior_state": {
+		"format_version":    "0.1",
+		"terraform_version": "0.13.6",
+		"values": {
+			"root_module": {
+				"resources": [
+					{
+						"address":        "aws_db_instance.default",
+						"mode":           "managed",
+						"name":           "default",
+						"provider_name":  "registry.terraform.io/hashicorp/aws",
+						"schema_version": 1,
+						"type":           "aws_db_instance",
+						"values": {
+							"address":                     "terraform-20210224200525302700000001.cjm7z941xa9c.us-east-1.rds.amazonaws.com",
+							"allocated_storage":           10,
+							"allow_major_version_upgrade": null,
+							"apply_immediately":           null,
+							"arn":                         "arn:aws:rds:us-east-1:711129375688:db:terraform-20210224200525302700000001",
+							"auto_minor_version_upgrade":          true,
+							"availability_zone":                   "us-east-1c",
+							"backup_retention_period":             0,
+							"backup_window":                       "06:57-07:27",
+							"ca_cert_identifier":                  "rds-ca-2019",
+							"character_set_name":                  null,
+							"copy_tags_to_snapshot":               false,
+							"db_subnet_group_name":                "default",
+							"delete_automated_backups":            true,
+							"deletion_protection":                 true,
+							"domain":                              "",
+							"domain_iam_role_name":                "",
+							"enabled_cloudwatch_logs_exports":     [],
+							"endpoint":                            "terraform-20210224200525302700000001.cjm7z941xa9c.us-east-1.rds.amazonaws.com:3306",
+							"engine":                              "mysql",
+							"engine_version":                      "5.7.26",
+							"final_snapshot_identifier":           null,
+							"hosted_zone_id":                      "Z2R2ITUGPM61AM",
+							"iam_database_authentication_enabled": false,
+							"id":                                    "terraform-20210224200525302700000001",
+							"identifier":                            "terraform-20210224200525302700000001",
+							"identifier_prefix":                     null,
+							"instance_class":                        "db.t3.micro",
+							"iops":                                  0,
+							"kms_key_id":                            "",
+							"latest_restorable_time":                "0001-01-01T00:00:00Z",
+							"license_model":                         "general-public-license",
+							"maintenance_window":                    "sat:03:23-sat:03:53",
+							"max_allocated_storage":                 0,
+							"monitoring_interval":                   0,
+							"monitoring_role_arn":                   "",
+							"multi_az":                              false,
+							"name":                                  "mydb",
+							"option_group_name":                     "default:mysql-5-7",
+							"parameter_group_name":                  "default.mysql5.7",
+							"password":                              "foobarbaz",
+							"performance_insights_enabled":          false,
+							"performance_insights_kms_key_id":       "",
+							"performance_insights_retention_period": 0,
+							"port":                     3306,
+							"publicly_accessible":      false,
+							"replicas":                 [],
+							"replicate_source_db":      "",
+							"resource_id":              "db-FQBMWQWOZZJIQQI6U7T74XITAM",
+							"restore_to_point_in_time": [],
+							"s3_import":                [],
+							"security_group_names":     [],
+							"skip_final_snapshot":      true,
+							"snapshot_identifier":      null,
+							"status":                   "available",
+							"storage_encrypted":        false,
+							"storage_type":             "gp2",
+							"tags":                     {},
+							"timeouts":                 null,
+							"timezone":                 "",
+							"username":                 "foo",
+							"vpc_security_group_ids": [
+								"sg-d6ecdbf4",
+							],
+						},
+					},
+				],
+			},
+		},
+	},
+	"resource_changes": [
+		{
+			"address": "aws_db_instance.default",
+			"change": {
+				"actions": [
+					"delete",
+				],
+				"after_unknown": {},
+				"before": {
+					"address":                     "terraform-20210224200525302700000001.cjm7z941xa9c.us-east-1.rds.amazonaws.com",
+					"allocated_storage":           10,
+					"allow_major_version_upgrade": null,
+					"apply_immediately":           null,
+					"arn":                         "arn:aws:rds:us-east-1:711129375688:db:terraform-20210224200525302700000001",
+					"auto_minor_version_upgrade":          true,
+					"availability_zone":                   "us-east-1c",
+					"backup_retention_period":             0,
+					"backup_window":                       "06:57-07:27",
+					"ca_cert_identifier":                  "rds-ca-2019",
+					"character_set_name":                  null,
+					"copy_tags_to_snapshot":               false,
+					"db_subnet_group_name":                "default",
+					"delete_automated_backups":            true,
+					"deletion_protection":                 true,
+					"domain":                              "",
+					"domain_iam_role_name":                "",
+					"enabled_cloudwatch_logs_exports":     [],
+					"endpoint":                            "terraform-20210224200525302700000001.cjm7z941xa9c.us-east-1.rds.amazonaws.com:3306",
+					"engine":                              "mysql",
+					"engine_version":                      "5.7.26",
+					"final_snapshot_identifier":           null,
+					"hosted_zone_id":                      "Z2R2ITUGPM61AM",
+					"iam_database_authentication_enabled": false,
+					"id":                                    "terraform-20210224200525302700000001",
+					"identifier":                            "terraform-20210224200525302700000001",
+					"identifier_prefix":                     null,
+					"instance_class":                        "db.t3.micro",
+					"iops":                                  0,
+					"kms_key_id":                            "",
+					"latest_restorable_time":                "0001-01-01T00:00:00Z",
+					"license_model":                         "general-public-license",
+					"maintenance_window":                    "sat:03:23-sat:03:53",
+					"max_allocated_storage":                 0,
+					"monitoring_interval":                   0,
+					"monitoring_role_arn":                   "",
+					"multi_az":                              false,
+					"name":                                  "mydb",
+					"option_group_name":                     "default:mysql-5-7",
+					"parameter_group_name":                  "default.mysql5.7",
+					"password":                              "foobarbaz",
+					"performance_insights_enabled":          false,
+					"performance_insights_kms_key_id":       "",
+					"performance_insights_retention_period": 0,
+					"port":                     3306,
+					"publicly_accessible":      false,
+					"replicas":                 [],
+					"replicate_source_db":      "",
+					"resource_id":              "db-FQBMWQWOZZJIQQI6U7T74XITAM",
+					"restore_to_point_in_time": [],
+					"s3_import":                [],
+					"security_group_names":     [],
+					"skip_final_snapshot":      true,
+					"snapshot_identifier":      null,
+					"status":                   "available",
+					"storage_encrypted":        false,
+					"storage_type":             "gp2",
+					"tags":                     {},
+					"timeouts":                 null,
+					"timezone":                 "",
+					"username":                 "foo",
+					"vpc_security_group_ids": [
+						"sg-d6ecdbf4",
+					],
+				},
+			},
+			"mode":          "managed",
+			"name":          "default",
+			"provider_name": "registry.terraform.io/hashicorp/aws",
+			"type":          "aws_db_instance",
+		},
+	],
+	"terraform_version": "0.13.6",
+}