StyraInc / opa-aws-cloudformation-hook

AWS Cloudformation Hook for OPA-powered infrastructure policy enforcement
Apache License 2.0
35 stars 5 forks

Adjust policies to work with unit tests #16

Closed peteroneilljr closed 2 years ago

peteroneilljr commented 2 years ago

2 things still to work out

1. Resources we have not created rules for.

    FAIL: templates/rds-encryption-verify/examples/rds-fail-encryption-not-set.yaml DBEC2SecurityGroup
    {'action': 'CREATE', 'hook': 'Styra::OPA::Hook', 'resource': {'id': 'DBEC2SecurityGroup', 'name': 'AWS::EC2::SecurityGroup', 'type': 'AWS::EC2::SecurityGroup', 'properties': {'GroupDescription': 'Open database for access', 'SecurityGroupIngress': [{'IpProtocol': 'tcp', 'FromPort': '3306', 'ToPort': '3306', 'SourceSecurityGroupName': {'Ref': 'EC2SecurityGroup'}}]}}}
    FAIL: templates/rds-encryption-verify/examples/rds-fail-encryption-not-set.yaml DBSecurityGroup
    {'action': 'CREATE', 'hook': 'Styra::OPA::Hook', 'resource': {'id': 'DBSecurityGroup', 'name': 'AWS::RDS::DBSecurityGroup', 'type': 'AWS::RDS::DBSecurityGroup', 'properties': {'DBSecurityGroupIngress': {'EC2SecurityGroupName': {'Ref': 'EC2SecurityGroup'}}, 'GroupDescription': 'database access'}}}

2. The True vs "true" problem

    FAIL: templates/s3-block-public-access/examples/s3-success-all-access-blocked.yaml S3Bucket
    {'action': 'CREATE', 'hook': 'Styra::OPA::Hook', 'resource': {'id': 'S3Bucket', 'name': 'AWS::S3::Bucket', 'type': 'AWS::S3::Bucket', 'properties': {'BucketName': 'access-blocked-bucket', 'PublicAccessBlockConfiguration': {'BlockPublicAcls': True, 'BlockPublicPolicy': True, 'IgnorePublicAcls': True, 'RestrictPublicBuckets': True}}}}

    public access not blocked for bucket S3Bucket
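The two failure modes in the comment above (a resource type with no rule, and a boolean that arrives as Python `True` in one run and the string `"true"` in another) can be reproduced with a small stand-alone evaluator. The following is an added example written for this page; it is not the project's hook code or its Rego policies. It assumes the request shape shown in the quoted test output, represents policies as plain Python callables keyed by CloudFormation resource type, and reports a resource type with no rule as `SKIP` rather than `FAIL`; the sample requests are constructed from the quoted output.

```python
"""Added example (not the project's own code) for the two test-harness
problems discussed in PR #16: unknown resource types and True vs "true".

Assumptions: request dicts look like the quoted hook output; a resource type
with no rule is reported as SKIP, not FAIL.
"""
from typing import Callable, Dict, List, Tuple


def as_bool(value) -> bool:
    """Normalise a CloudFormation boolean.

    A YAML template parsed in Python yields True/False, while a parameter
    or a JSON template can deliver the string "true"/"false". Anything
    else (missing, None, other strings) is treated as not set, i.e. False,
    so a typo never silently counts as "blocked".
    """
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        return value.strip().lower() == "true"
    return False


PUBLIC_ACCESS_KEYS = (
    "BlockPublicAcls",
    "BlockPublicPolicy",
    "IgnorePublicAcls",
    "RestrictPublicBuckets",
)


def s3_public_access_blocked(resource: dict) -> List[str]:
    """Return violation messages for an AWS::S3::Bucket (empty == allowed)."""
    props = resource.get("properties", {})
    cfg = props.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PUBLIC_ACCESS_KEYS if not as_bool(cfg.get(k))]
    if missing:
        return [
            f"public access not blocked for bucket {resource['id']}: "
            f"{', '.join(missing)} not true"
        ]
    return []


# Rules keyed by CloudFormation resource type (hypothetical registry).
RULES: Dict[str, Callable[[dict], List[str]]] = {
    "AWS::S3::Bucket": s3_public_access_blocked,
}


def evaluate(request: dict) -> Tuple[str, List[str]]:
    """Return (status, messages); status is PASS, FAIL or SKIP.

    Types without a rule are SKIPped instead of FAILing, so a test run
    over a template with security groups does not fail on resources the
    policy set simply does not cover yet.
    """
    resource = request["resource"]
    rule = RULES.get(resource["type"])
    if rule is None:
        return ("SKIP", [f"no rule for {resource['type']}"])
    violations = rule(resource)
    return ("FAIL", violations) if violations else ("PASS", [])


def make_s3_request(flag) -> dict:
    """Constructed request modelled on the quoted S3Bucket output; `flag`
    is the value used for all four PublicAccessBlockConfiguration keys."""
    return {
        "action": "CREATE",
        "hook": "Styra::OPA::Hook",
        "resource": {
            "id": "S3Bucket",
            "name": "AWS::S3::Bucket",
            "type": "AWS::S3::Bucket",
            "properties": {
                "BucketName": "access-blocked-bucket",
                "PublicAccessBlockConfiguration": {k: flag for k in PUBLIC_ACCESS_KEYS},
            },
        },
    }


# Constructed request modelled on the quoted DBEC2SecurityGroup output.
SECURITY_GROUP_REQUEST = {
    "action": "CREATE",
    "hook": "Styra::OPA::Hook",
    "resource": {
        "id": "DBEC2SecurityGroup",
        "name": "AWS::EC2::SecurityGroup",
        "type": "AWS::EC2::SecurityGroup",
        "properties": {
            "GroupDescription": "Open database for access",
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": "3306", "ToPort": "3306",
                 "SourceSecurityGroupName": {"Ref": "EC2SecurityGroup"}}
            ],
        },
    },
}


if __name__ == "__main__":
    for req in (make_s3_request(True), make_s3_request("true"),
                make_s3_request("false"), SECURITY_GROUP_REQUEST):
        print(req["resource"]["id"], *evaluate(req))
```

The `as_bool` normalisation is deliberately strict: only `True` or a case-insensitive `"true"` string counts as blocked, so a malformed value fails closed rather than passing the check.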