HarshalRane23
commented
2 years ago apiVersion: constraints.gatekeeper.sh/v1alpha1 kind: GCPComputeZoneConstraintV1 metadata: name: compute_zone_allowlist_one annotations: description: Checks the instances and Persistent Disks are in desired zones. spec: severity: high parameters: mode: "allowlist" zones:
- asia-east1-b exemptions: []
We have followed official terraform validator and installed version 6.0 One the policy is not working as expected link. Our target is to create a tf-validator policy for vm outside certain zone. there is not error with policy just that its not showing any violations. Adding tf-plan.json and deployments.tf file below
{"format_version":"0.2","terraform_version":"1.0.9","planned_values":{"root_module":{"resources":[{"address":"google_compute_instance.default","mode":"managed","type":"google_compute_instance","name":"default","provider_name":"registry.terraform.io/hashicorp/google","schema_version":6,"values":{"advanced_machine_features":[],"allow_stopping_for_update":null,"attached_disk":[],"boot_disk":[{"auto_delete":true,"disk_encryption_key_raw":null,"initialize_params":[{"image":"debian-cloud/debian-9"}],"mode":"READ_WRITE"}],"can_ip_forward":false,"deletion_protection":false,"description":null,"desired_status":null,"enable_display":null,"hostname":null,"labels":null,"machine_type":"e2-medium","metadata":{"foo":"bar"},"metadata_startup_script":"echo hi \u003e /test.txt","name":"test","network_interface":[{"access_config":[{"public_ptr_domain_name":null}],"alias_ip_range":[],"ipv6_access_config":[],"network":"default","nic_type":null,"queue_count":null}],"resource_policies":null,"scratch_disk":[{"interface":"SCSI"}],"service_account":[],"shielded_instance_config":[],"tags":["bar","foo"],"timeouts":null,"zone":"us-central1-a"},"sensitive_values":{"advanced_machine_features":[],"attached_disk":[],"boot_disk":[{"initialize_params":[{"labels":{}}]}],"confidential_instance_config":[],"guest_accelerator":[],"metadata":{},"network_interface":[{"access_config":[{}],"alias_ip_range":[],"ipv6_access_config":[]}],"reservation_affinity":[],"scheduling":[],"scratch_disk":[{}],"service_account":[],"shielded_instance_config":[],"tags":[false,false]}}]}},"resource_changes":[{"address":"google_compute_instance.default","mode":"managed","type":"google_compute_instance","name":"default","provider_name":"registry.terraform.io/hashicorp/google","change":{"actions":["create"],"before":null,"after":{"advanced_machine_features":[],"allow_stopping_for_update":null,"attached_disk":[],"boot_disk":[{"auto_delete":true,"disk_encryption_key_raw":null,"initialize_params":[{"image":"debian-cloud/debian-9"}],"mode":"READ_WRITE"}],"can_ip_forward":false,"deletion_protection":false,"description":null,"desired_status":null,"enable_display":null,"hostname":null,"labels":null,"machine_type":"e2-medium","metadata":{"foo":"bar"},"metadata_startup_script":"echo hi \u003e /test.txt","name":"test","network_interface":[{"access_config":[{"public_ptr_domain_name":null}],"alias_ip_range":[],"ipv6_access_config":[],"network":"default","nic_type":null,"queue_count":null}],"resource_policies":null,"scratch_disk":[{"interface":"SCSI"}],"service_account":[],"shielded_instance_config":[],"tags":["bar","foo"],"timeouts":null,"zone":"us-central1-a"},"after_unknown":{"advanced_machine_features":[],"attached_disk":[],"boot_disk":[{"device_name":true,"disk_encryption_key_sha256":true,"initialize_params":[{"labels":true,"size":true,"type":true}],"kms_key_self_link":true,"source":true}],"confidential_instance_config":true,"cpu_platform":true,"current_status":true,"guest_accelerator":true,"id":true,"instance_id":true,"label_fingerprint":true,"metadata":{},"metadata_fingerprint":true,"min_cpu_platform":true,"network_interface":[{"access_config":[{"nat_ip":true,"network_tier":true}],"alias_ip_range":[],"ipv6_access_config":[],"ipv6_access_type":true,"name":true,"network_ip":true,"stack_type":true,"subnetwork":true,"subnetwork_project":true}],"project":true,"reservation_affinity":true,"scheduling":true,"scratch_disk":[{}],"self_link":true,"service_account":[],"shielded_instance_config":[],"tags":[false,false],"tags_fingerprint":true},"before_sensitive":false,"after_sensitive":{"advanced_machine_features":[],"attached_disk":[],"boot_disk":[{"disk_encryption_key_raw":true,"initialize_params":[{"labels":{}}]}],"confidential_instance_config":[],"guest_accelerator":[],"metadata":{},"network_interface":[{"access_config":[{}],"alias_ip_range":[],"ipv6_access_config":[]}],"reservation_affinity":[],"scheduling":[],"scratch_disk":[{}],"service_account":[],"shielded_instance_config":[],"tags":[false,false]}}}],"configuration":{"root_module":{"resources":[{"address":"google_compute_instance.default","mode":"managed","type":"google_compute_instance","name":"default","provider_config_key":"google","expressions":{"boot_disk":[{"initialize_params":[{"image":{"constant_value":"debian-cloud/debian-9"}}]}],"machine_type":{"constant_value":"e2-medium"},"metadata":{"constant_value":{"foo":"bar"}},"metadata_startup_script":{"constant_value":"echo hi \u003e /test.txt"},"name":{"constant_value":"test"},"network_interface":[{"access_config":[{}],"network":{"constant_value":"default"}}],"scratch_disk":[{"interface":{"constant_value":"SCSI"}}],"tags":{"constant_value":["foo","bar"]},"zone":{"constant_value":"us-central1-a"}},"schema_version":6}]}}}