ansible / ansible-policy

ansible-policy is a prototype implementation that allows us to define and set constraints on an Ansible project in the OPA Rego language.
Apache License 2.0

Regex capability #46

Open ffirg opened 1 month ago

ffirg commented 1 month ago

It would be really useful to be able to wildcard, pattern match, etc. against some content.

For instance, after a conversation, a customer "bans" the use of AWS ec2, in favour of lambda and fargate. As there are a lot of ec2 modules (https://docs.ansible.com/ansible/latest/collections/amazon/aws/index.html#modules) it would be tedious and error-prone to list out all of them in a policybook. We should be able to do something like this:

# This policybook checks if someone is using automation content that has been banned from use for whatever reason
# That could be for cost control, standards alignment or security reasons
# This will check both FQCN and non-FQCN for module checks
---
- name: General or common AWS policy checks
  hosts: localhost
  vars:
    disallowed_modules:
      - amazon.aws.ec2*
      - community.aws.eks_fargate_profile
  policies:
    - name: Check for disallowed module usage
      target: task
      condition: input._agk.task.module_info.fqcn in disallowed_modules or input._agk.task.module in disallowed_modules
      actions:
        - deny:
            msg: "You are not allowed to use these modules in automation tasks: {{ disallowed_modules }}"
      tags:
        - compliance
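To show what the requested wildcard check would have to do, here is an added example (not ansible-policy's own code) that matches a task's module against a disallowed list with a glob entry, checking both the resolved FQCN and the name as written, like the condition in the policybook above. The task dict shape follows that condition, and fnmatch-style globs are an assumption about how an entry such as `amazon.aws.ec2*` would be interpreted.

```python
# Added example (not ansible-policy's own code): glob matching of a task's
# module name against a disallowed list, checking both the resolved FQCN and
# the name as written, as the policybook condition above does. fnmatch-style
# globs are an assumption about how an entry like "amazon.aws.ec2*" would be read.
from fnmatch import fnmatchcase

# Mirrors the policybook's disallowed_modules var, with one glob entry.
DISALLOWED_MODULES = ["amazon.aws.ec2*", "community.aws.eks_fargate_profile"]


def module_names(task):
    """Names a task's module may be referenced by: the resolved FQCN (when
    the evaluator resolved it) and the short name as written in the task."""
    names = []
    fqcn = task.get("module_info", {}).get("fqcn")
    if fqcn:
        names.append(fqcn)
    short = task.get("module")
    if short and short not in names:
        names.append(short)
    return names


def find_violations(task, disallowed=DISALLOWED_MODULES):
    """Return (module_name, matched_pattern) pairs so the deny message can
    say exactly which entry fired instead of echoing the whole list.
    Comparison is case-sensitive, as collection and module names are."""
    return [(name, pattern)
            for name in module_names(task)
            for pattern in disallowed
            if fnmatchcase(name, pattern)]


def deny_message(task, disallowed=DISALLOWED_MODULES):
    """Deny msg naming the offending module and the entry it matched,
    or None when the task is allowed."""
    hits = find_violations(task, disallowed)
    if not hits:
        return None
    name, pattern = hits[0]
    return f"module '{name}' is not allowed (matches disallowed entry '{pattern}')"


# Constructed sample tasks in the shape the condition refers to.
EC2_TASK = {"module": "ec2_instance", "module_info": {"fqcn": "amazon.aws.ec2_instance"}}
S3_TASK = {"module": "s3_bucket", "module_info": {"fqcn": "amazon.aws.s3_bucket"}}
# Short name only, FQCN unresolved: an FQCN glob does not cover it, so a
# policy relying on globs should make sure the FQCN is resolved first.
BARE_EC2_TASK = {"module": "ec2_instance"}
```

The `BARE_EC2_TASK` case is the caveat to keep in mind: a glob written against FQCNs only catches what the evaluator has resolved to an FQCN, so a short-name-only task slips through unless the short name is resolved before the check.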
ffirg commented 1 month ago

Additionally, it would be great to be able to put out the exact details of what's violated the condition in msg: