canada-ca / cloud-guardrails-gcp

Recommended configuration guidance for Google Cloud Platform / Conseils de configuration recommandés pour Platforme infonuagique de Google

Guardrails failure Issues and hardcoded resource names in rego policy #13

Open jacyang2010 opened 1 year ago

jacyang2010 commented 1 year ago

A rego policy parse error was spotted in the cloud build issued by the guardrails validation function, as shown below, and no validation report is generated because of this error.

starting build "14d58fa0-fda5-4cb7-9a34-ce2c132154fd"

FETCHSOURCE
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint:   git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint:   git branch -m <name>
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/lzpe-js08-guardrailsjs08/r/LzPeCLD-guardrails-policies-csr
 * branch            8b1241263fe9ae3cfd766e244a8dd131b82a1ff9 -> FETCH_HEAD
HEAD is now at 8b12412 Merge pull request #9 from cartyc/main
BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #0: Copying gs://lzpe565977066779assetsguardrailsjs08/organizations/565977066779.json...
Step #0: / [0 files][    0.0 B/  3.2 MiB]                                                
/ [1 files][  3.2 MiB/  3.2 MiB]                                                
Step #0: Operation completed over 1 objects/3.2 MiB.                                      
Finished Step #0
Starting Step #1
Step #1: Already have image (with digest): gcr.io/cloud-builders/docker
Finished Step #1
Starting Step #2
Step #2: Already have image (with digest): gcr.io/cloud-builders/docker
Step #2: Unable to find image 'northamerica-northeast1-docker.pkg.dev/lzpe-js08-guardrailsjs08/lzpecld-guardrails-af-registry-afr/lzpeccr-guardrails-policies-cntr:latest' locally
Step #2: latest: Pulling from lzpe-js08-guardrailsjs08/lzpecld-guardrails-af-registry-afr/lzpeccr-guardrails-policies-cntr
Step #2: 26c5c85e47da: Already exists
Step #2: 89c09bbbc10a: Pulling fs layer
Step #2: b4dab82f7782: Pulling fs layer
Step #2: 1b2c23d7ae23: Pulling fs layer
Step #2: 89c09bbbc10a: Verifying Checksum
Step #2: 89c09bbbc10a: Download complete
Step #2: b4dab82f7782: Verifying Checksum
Step #2: b4dab82f7782: Download complete
Step #2: 89c09bbbc10a: Pull complete
Step #2: b4dab82f7782: Pull complete
Step #2: 1b2c23d7ae23: Verifying Checksum
Step #2: 1b2c23d7ae23: Download complete
Step #2: 1b2c23d7ae23: Pull complete
Step #2: Digest: sha256:99e07a711bacfe921a049a43ec2b266570f6287d573bbc3a7553ec14ad9e9c64
Step #2: Status: Downloaded newer image for northamerica-northeast1-docker.pkg.dev/lzpe-js08-guardrailsjs08/lzpecld-guardrails-af-registry-afr/lzpeccr-guardrails-policies-cntr:latest
Step #2: Checking ./assets/asset_inventory.json
Step #2: Error: running test: build compiler: parse module: 1 error occurred: policies/11-logging-and-monitoring/11-Logging-and-Monitoring.rego:18: rego_parse_error: unexpected import path, must begin with one of: {data, input}, got: future
Step #2:    import future.keywords.in
Step #2:           ^
Finished Step #2
Starting Step #3
Step #3: Already have image (with digest): gcr.io/cloud-builders/docker
Step #3: ./assets/asset_inventory.json
Step #3: 
Finished Step #3
Starting Step #4
Step #4: Already have image (with digest): gcr.io/cloud-builders/docker
Finished Step #4
Starting Step #5
Step #5: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #5: Copying file:///assets/565977066779.json [Content-Type=application/json]...
Step #5: / [0 files][    0.0 B/   31.0 B]                                                
/ [1 files][   31.0 B/   31.0 B]                                                
Step #5: Operation completed over 1 objects/31.0 B.                                       
Finished Step #5
PUSH
DONE

After upgrading conftest to the latest version, some hardcoded, very specific resource names were found in the generated validation report, as shown below.

./assets/asset_inventory.json

| RESULT  | FILE | NAMESPACE | MESSAGE |
|---------|------|-----------|---------|
| failure | -    | main      | Guardrail # 11: No storage bucket matching 'logginglogsink-goc' found. |
| failure | -    | main      | Guardrail # 11: The log sink 'org_log_sink' does not exist. |
| failure | -    | main      | Guardrail # 5: Resource containerregistry.googleapis.com/Image |
| failure | -    | main      | |

The proposed and tested changes are attached below: cloud-guardrails-gcp.patch

The changes from the patch.
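Two things in the report above are worth seeing side by side: the parse error (`future.keywords` imports only exist from OPA v0.34.0 onward, so the conftest in the policy container bundles an older OPA than the policy was written for) and the hardcoded bucket and sink names. The following policy is an added illustration, not the project's own rego: it keeps the `future.keywords` imports, so it requires a current conftest, and it reads the expected bucket and sink names from `data.guardrails` (supplied with `conftest test --data params.yaml`) instead of string literals. The asset shape (`assetType`, `resource.data.name`) is an assumption about the Cloud Asset Inventory export, and the inline `test_` rule uses a constructed two-asset inventory.

```rego
package main

# Added example, not the repository's policy. Expected names come from
# data.guardrails (e.g. a params.yaml passed via --data) rather than from
# literals in the rule body, so the same policy serves several landing zones.
import future.keywords.in
import future.keywords.if
import future.keywords.contains

# Assumed export shape: input is a list of assets with assetType and
# resource.data.name (Cloud Asset Inventory style).
bucket_names contains name if {
	some asset in input
	asset.assetType == "storage.googleapis.com/Bucket"
	name := asset.resource.data.name
}

sink_names contains name if {
	some asset in input
	asset.assetType == "logging.googleapis.com/LogSink"
	name := asset.resource.data.name
}

# Guardrail 11: the configured logging bucket must exist.
deny contains msg if {
	expected := data.guardrails.logging_bucket
	not expected in bucket_names
	msg := sprintf("Guardrail # 11: No storage bucket matching '%s' found.", [expected])
}

# Guardrail 11: the configured organization log sink must exist.
deny contains msg if {
	expected := data.guardrails.log_sink
	not expected in sink_names
	msg := sprintf("Guardrail # 11: The log sink '%s' does not exist.", [expected])
}

# Constructed inventory: the sink is present, the bucket is not, so exactly
# one denial is expected. Run with `conftest verify` or `opa test`.
test_missing_bucket_is_denied if {
	inventory := [
		{"assetType": "logging.googleapis.com/LogSink", "resource": {"data": {"name": "org_log_sink"}}},
		{"assetType": "storage.googleapis.com/Bucket", "resource": {"data": {"name": "some-other-bucket"}}},
	]
	params := {"logging_bucket": "logginglogsink-goc", "log_sink": "org_log_sink"}
	denials := deny with input as inventory with data.guardrails as params
	count(denials) == 1
}
```

A matching `params.yaml` would carry a top-level `guardrails:` map with `logging_bucket` and `log_sink` keys; with the names externalized this way, a parse failure like the one in the build log is caught by `conftest verify` before the policy ever reaches the validation function.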

fmichaelobrien commented 1 year ago

Sounds very good; we will review/pull once a PR is posted.

fmichaelobrien commented 1 year ago

See PR notes in https://github.com/canada-ca/cloud-guardrails-gcp/pull/14#issuecomment-1512280877