GoogleCloudPlatform / config-validator

Golang library which provides functionality to evaluate GCP resources against Rego-based policies
Apache License 2.0

Print results of debug command execution. #195

Closed beaverlyhills closed 1 year ago

beaverlyhills commented 1 year ago

Make the debug command a bit more useful by printing evaluation results.

beaverlyhills commented 1 year ago

The current version of this command is very limited in use: it just prints an error if something is wrong with parsing the policy or the input. Usage:

$ go run policy-tool.go debug \
  --logtostderr  \
  --policies "policy-library/samples,policy-library/policies/templates" \
  --libs "policy-library/lib" \
  --file "resource.json"

Example bad constraint from the Forseti policy library samples. Note that the error is not in the Rego code, but in the constraint YAML definition:

  failed to add constraint &{map[apiVersion:constraints.gatekeeper.sh/v1alpha1 kind:GCPComputeBlockSSHKeysConstraintV1 metadata:map[annotations:map[validation.gcp.forsetisecurity.org/originalName:compute_block_ssh_keys validation.gcp.forsetisecurity.org/yamlpath:policy-library/samples/compute_block_ssh_keys.yaml] name:compute-block-ssh-keys] spec:map[match:map[ancestries:[organization/*]] parameters:map[] severity:high]]}: invalid glob in spec.match.ancestries: idx [0]: unexpected item organization element 0 in organization/*

I am adding a few more error checks and prints, so the command can be used to also see evaluation results. This is useful if you have some existing policies that you want to quickly test on your input data without manually unwrapping them into raw Rego and using opa eval. Example constraint output with this change:

//appengine.googleapis.com/apps/my-app: //appengine.googleapis.com/apps/my-app is in violation. [GCPAppengineLocationConstraintV1.allow_appengine_applications_in_australia_and_south_america]
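The error quoted above comes from the constraint's `spec.match.ancestries` glob, not from Rego. As an added example that is not part of this PR or of config-validator's own code, here is a stand-alone pre-flight check a reviewer could run over constraint ancestries before invoking the debug command. It assumes the accepted path kinds are `organizations`, `folders` and `projects`, that each kind is followed by an id or `*`, and that `**` may only appear as the final element; the error wording mirrors the output on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Accepted ancestry path kinds (assumption: plural forms, as the policy
// library samples use "organizations/..."; the singular "organization/*"
// is what the debug output on the page rejects).
var allowedKinds = map[string]bool{
	"organizations": true,
	"folders":       true,
	"projects":      true,
}

// ValidateAncestryGlob checks a single ancestry glob such as
// "organizations/123/folders/*". Elements alternate kind/id; "*" matches
// any id at that level and "**" (assumed) matches any remaining path.
func ValidateAncestryGlob(glob string) error {
	parts := strings.Split(strings.Trim(glob, "/"), "/")
	if len(parts) == 0 || parts[0] == "" {
		return fmt.Errorf("empty ancestry glob")
	}
	for i := 0; i < len(parts); i += 2 {
		kind := parts[i]
		if kind == "**" {
			if i != len(parts)-1 {
				return fmt.Errorf("** must be the last element in %s", glob)
			}
			return nil
		}
		if !allowedKinds[kind] {
			return fmt.Errorf("unexpected item %s element %d in %s", kind, i, glob)
		}
		if i+1 >= len(parts) || parts[i+1] == "" {
			return fmt.Errorf("missing id after %s in %s", kind, glob)
		}
		if parts[i+1] == "**" && i+1 != len(parts)-1 {
			return fmt.Errorf("** must be the last element in %s", glob)
		}
	}
	return nil
}

// ValidateAncestries checks every entry of spec.match.ancestries and
// reports the index of the first bad one, as the debug command does.
func ValidateAncestries(ancestries []string) error {
	for idx, a := range ancestries {
		if err := ValidateAncestryGlob(a); err != nil {
			return fmt.Errorf("invalid glob in spec.match.ancestries: idx [%d]: %w", idx, err)
		}
	}
	return nil
}

func main() {
	// Constructed inputs: the bad sample from the page, then a valid pair.
	fmt.Println(ValidateAncestries([]string{"organization/*"}))
	fmt.Println(ValidateAncestries([]string{"organizations/*", "organizations/123/folders/**"}))
}
```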