
Custodian policies for IAAC definitions

Project description

Custodian policies for Infrastructure Code

This package allows Cloud Custodian to evaluate policies directly against infrastructure-as-code source assets.

It also provides a separate CLI with a better command-line UX for source asset evaluation.

Install

We currently only support Python > 3.10 on macOS and Linux; to run on Windows we recommend using our Docker images.

pip install c7n_left

We also provide signed Docker images. These images are built on top of Chainguard's Wolfi Linux distribution, which is designed to be minimal, auditable, and secure.

docker pull cloudcustodian/c7n-left:dev

Image signatures can be verified using cosign. The commands below resolve the pulled tag to its immutable digest and check that the signature was issued to the project's GitHub Actions docker workflow on the main branch (the certificate identity) by the GitHub Actions OIDC issuer. Verifying, and then running, by that digest rather than by the mutable dev tag is the check worth keeping in CI.

export IMAGE=$(docker image inspect cloudcustodian/c7n-left:dev -f '{{index .RepoDigests 0}}')
cosign verify $IMAGE \
   --certificate-identity 'https://github.com/cloud-custodian/cloud-custodian/.github/workflows/docker.yml@refs/heads/main' \
   --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

Usage

❯ c7n-left run --help
Usage: c7n-left run [OPTIONS]

  evaluate policies against IaC sources.

  c7n-left -p policy_dir -d terraform_root --filters "severity=HIGH"

  WARNING - CLI interface subject to change.

Options:
  --format TEXT
  --filters TEXT                  Filter policies or resources as k=v pairs
                                  with globbing
  -p, --policy-dir PATH           Directory with policies
  -d, --directory PATH            IaC directory to evaluate
  -o, --output [cli|github|json]  Output format (default cli)
  --output-file FILENAME          Output file (default stdout)
  --var-file FILE                 Load variables from the given file, can be
                                  used more than once
  --output-query TEXT             Use a jmespath expression to filter json
                                  output
  --summary [policy|resource]
  --help                          Show this message and exit.

We'll create a directory containing a single policy file

policies:
  - name: test
    resource: terraform.aws_s3_bucket
    metadata:
      severity: medium
    filters:
      - server_side_encryption_configuration: absent

And now we can use it to evaluate a terraform root module

❯ c7n-left run -p policies -d module
Running 1 policies on 1 resources
test - terraform.aws_s3_bucket
  Failed
  File: s3.tf:1-8
  1 resource "aws_s3_bucket" "example" {
  2   bucket = "my-custodian-test-bucket"
  3   acl    = "private"
  4
  5   tags = {
  6     original-tag = "original-value"
  7   }
  8 }

Evaluation complete 0.00 seconds -> 1 Failures
           Summary - By Policy           
┏━━━━━━━━━━┳━━━━━━━━┳━━━━━━━━━━━━━━━━━━━┓
┃ Severity ┃ Policy ┃ Result            ┃
┡━━━━━━━━━━╇━━━━━━━━╇━━━━━━━━━━━━━━━━━━━┩
│ medium   │ test   │ 1 failed 0 passed │
└──────────┴────────┴───────────────────┘
0 compliant of 1 total, 1 resource has 1 policy violation

When running in Docker, you'll need volume mounts to give the container access to the policy directory and the terraform root module.

docker run -ti --rm -v $(pwd)/policies:/policies -v $(pwd)/root-module:/module \
       cloudcustodian/c7n-left:dev run -p /policies -d /module

If the terraform root module has other remote module dependencies, you'll need to fetch those first using terraform before running c7n-left.

terraform get -update

CLI Filters

Which policies and which resources are evaluated can be controlled on the command line via the --filters option.

Available filters

  • name - policy name
  • category - policy category
  • severity - minimum policy severity (unknown, low, medium, high, critical)
  • type - resource type, e.g. aws_security_group
  • id - resource id, e.g. aws_vpc.example

Multiple values for a given filter can be specified as comma-separated values, and all filters except severity support globbing.

Examples

# run all encryption policies on ebs volumes and sqs queues
c7n-left run -p policy_dir -d terraform --filters="category=encryption type=aws_ebs_volume,aws_sqs_queue"

# run all cost policies with severity medium or higher
c7n-left run -p policy_dir -d terraform --filters="severity=medium category=cost"

Policy values for severity and category are specified in the policy's metadata section, e.g.

policies:
  - name: check-encryption
    resource: [aws_ebs_volume, aws_sqs_queue]
    metadata:
      category: [encryption, security]
      severity: high
    filters:
      - kms_master_key_id: absent
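As an added example (not c7n-left's own code), the following Python reproduces the --filters matching rules described above: whitespace-separated k=v pairs, comma-separated alternatives, globbing on every key except severity, and severity treated as a minimum in the order unknown < low < medium < high < critical. The policy and resource records are constructed sample data, and their layout (a top-level name plus a metadata block for policies; type and id for resources) is an assumption for this example, not c7n-left's internal model.

```python
from fnmatch import fnmatchcase

# Severity order from the page: a filter value is a minimum, not an exact match.
SEVERITIES = ["unknown", "low", "medium", "high", "critical"]

# Constructed sample data; the record layout is an assumption for this example.
POLICIES = [
    {"name": "check-encryption",
     "metadata": {"category": ["encryption", "security"], "severity": "high"}},
    {"name": "check-cost-tags",
     "metadata": {"category": "cost", "severity": "medium"}},
    {"name": "test",
     "metadata": {"severity": "low"}},
    {"name": "legacy-rule", "metadata": {}},  # no severity -> treated as unknown
]
RESOURCES = [
    {"type": "aws_ebs_volume", "id": "aws_ebs_volume.data"},
    {"type": "aws_sqs_queue", "id": "aws_sqs_queue.events"},
    {"type": "aws_vpc", "id": "aws_vpc.example"},
]


def parse_filters(spec: str) -> dict[str, list[str]]:
    """Parse --filters text such as 'category=encryption type=a,b'.

    Pairs are whitespace separated; a value is split on commas into
    alternatives. Repeating a key adds further alternatives.
    """
    filters: dict[str, list[str]] = {}
    for token in spec.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"expected k=v, got {token!r}")
        filters.setdefault(key, []).extend(v for v in value.split(",") if v)
    return filters


def _glob_any(patterns: list[str], values: list[str]) -> bool:
    """True if any value matches any pattern (shell-style globbing)."""
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def policy_matches(policy: dict, filters: dict[str, list[str]]) -> bool:
    """Apply the policy-side filters: name, category, severity."""
    meta = policy.get("metadata") or {}
    if "name" in filters and not _glob_any(filters["name"], [policy["name"]]):
        return False
    if "category" in filters:
        categories = meta.get("category", [])
        if isinstance(categories, str):  # metadata may use a scalar or a list
            categories = [categories]
        if not _glob_any(filters["category"], categories):
            return False
    if "severity" in filters:
        # Severity does not glob; the last value given is used as the minimum.
        minimum = filters["severity"][-1].lower()
        if minimum not in SEVERITIES:
            raise ValueError(f"unknown severity {minimum!r}")
        actual = str(meta.get("severity", "unknown")).lower()
        if actual not in SEVERITIES:
            actual = "unknown"
        if SEVERITIES.index(actual) < SEVERITIES.index(minimum):
            return False
    return True


def resource_matches(resource: dict, filters: dict[str, list[str]]) -> bool:
    """Apply the resource-side filters: type and id."""
    if "type" in filters and not _glob_any(filters["type"], [resource["type"]]):
        return False
    if "id" in filters and not _glob_any(filters["id"], [resource["id"]]):
        return False
    return True


def select(spec: str, policies=POLICIES, resources=RESOURCES):
    """Return (policy names, resource ids) that survive the filter spec."""
    filters = parse_filters(spec)
    return (
        [p["name"] for p in policies if policy_matches(p, filters)],
        [r["id"] for r in resources if resource_matches(r, filters)],
    )


if __name__ == "__main__":
    for spec in ("category=encryption type=aws_ebs_volume,aws_sqs_queue",
                 "severity=medium category=cost",
                 "name=check-* id=aws_vpc.*"):
        print(spec, "->", select(spec))
```

The two specs from the examples above select only check-encryption on the EBS and SQS resources, and only check-cost-tags on every resource; a policy with no severity in its metadata is ranked as unknown, so it is dropped by any severity filter above that level.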

Outputs

If you're using this in GitHub Actions, there is a special output mode that reports annotations directly into pull requests: --output github.

A summary is also displayed after the resource matches. Two summary displays are available: the default policy summary, and a resource summary, which can be enabled via --summary resource.

Policy Language

Standard Custodian filters (value, list-item, and, or, not, reduce and event) are available.

Policies for c7n-left support a few additional capabilities beyond what's common for custodian policies.

Policies can be specified against multiple resource types either as an array or glob.

policies:
  - name: check-encryption
    resource: [aws_ebs_volume, aws_sqs_queue]

taggable filter

A taggable filter is available that allows filtering to only resources that support tagging.

In combination with resource wildcard support, this allows a single policy to enforce an organization's tag standards. Note that top-level filters are ANDed, so the policy below matches only resources that are missing all three tags; to flag a resource missing any one of them, wrap the tag filters in an or block.

policies:
  - name: check-tag-policy
    resource: "terraform.aws*"
    filters:
      - taggable
      - tag:Env: absent
      - tag:Owner: absent
      - tag:App: absent

This filter supports resources from several terraform providers including aws, azure, gcp, oci, tencentcloud.

Terraform providers that support default_tags have those values automatically available on the applicable resources.

traverse filter

A traverse filter is available that allows for multi-hop graph traversal from a resource to any related resource.

For example, here is a policy against an AWS EC2 instance that checks whether any security group attached to the instance has a permission that allows access from 0.0.0.0/0. Note that the filter as written matches any ingress permission open to the world, whatever the port, so it is broader than the "ssh" wording in the policy description.

policies:
 - name: check-security-group-open-cidr
   resource: terraform.aws_instance
   description: "EC2 should not be open to world on ssh"
   filters:
     - type: traverse
       resources:
         - aws_security_group
         - aws_security_ingress_permission
       attrs:
         - Ipv4: 0.0.0.0/0

Policy Testing

c7n-left supports writing and running tests for policies.

To create a test for a policy, create a tests directory next to your policy files.

Within that tests directory, create a subdirectory named after the policy.

Next, add terraform files to this subdirectory. Typically you would add both terraform files that should match the policy and files that should not.

Finally, add assertions in a left.plan[.yaml|.json] file. The file is an array of dictionaries, each of which is matched against the policy findings (the same data you get from c7n-left run --output json). Every key/value pair in a dictionary is matched against the finding, with keys written as dotted paths into it, such as resource.__tfmeta.filename below.

Putting it all together, we've set up our tests as follows

❯ tree policy-dir-a/
policy-dir-a/
├── alb.yaml
└── tests
    └── alb-deletion-protection-disabled
        ├── left.plan.yaml
        ├── negative1.tf
        └── positive1.tf

3 directories, 4 files

❯ cat policy-dir-a/alb.yaml
policies:
  - name: alb-deletion-protection-disabled
    resource: [terraform.aws_lb, terraform.aws_alb]
    description: |
      Application Load Balancer should have deletion protection enabled
    metadata:
      severity: low
      category: "Insecure Configurations"
    filters:
      - enable_deletion_protection: empty

❯ cat policy-dir-a/tests/alb-deletion-protection-disabled/left.plan.yaml
- "resource.__tfmeta.filename": "positive1.tf"

and now we can run a test

❯ c7n-left test -p policy-dir-a/
Discovered 1 Tests
Failure alb-deletion-protection-disabled [{'resource.__tfmeta.filename': 'positive1.tf'}] checks not used

1 Test Complete (0.05s) 1 Failure

A test fails if an assertion in the plan file does not match any policy finding (reported as "checks not used", which is what the run above shows), or if a policy finding is not matched by any assertion.
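The matching rule above, reproduced as an added Python example (not c7n-left's own test runner): assertion keys are dotted paths into a finding, a test passes only when every assertion matches some finding and every finding is matched by some assertion, and an assertion that matches nothing is reported as a check not used. The findings below are constructed; the only key taken from the page is resource.__tfmeta.filename, and the rest of the finding layout is an assumption about what c7n-left run --output json emits.

```python
import json

# Sentinel distinguishing "key absent from the finding" from a literal null,
# so an assertion of null does not accidentally match a missing key.
MISSING = object()

# Constructed findings standing in for 'c7n-left run --output json' output.
# Only resource.__tfmeta.filename is taken from the page; the other keys are
# assumed for this example.
POSITIVE_FINDING = {
    "policy": {"name": "alb-deletion-protection-disabled"},
    "resource": {"__tfmeta": {"filename": "positive1.tf", "line_start": 1},
                 "name": "aws_lb.positive"},
}
NEGATIVE_FINDING = {
    "policy": {"name": "alb-deletion-protection-disabled"},
    "resource": {"__tfmeta": {"filename": "negative1.tf", "line_start": 1},
                 "name": "aws_lb.negative"},
}

# The page's left.plan, in the .json spelling of left.plan[.yaml|.json].
PLAN_TEXT = '[{"resource.__tfmeta.filename": "positive1.tf"}]'


def load_plan(text: str) -> list[dict]:
    """Parse a left.plan.json: an array of assertion dictionaries."""
    plan = json.loads(text)
    if not isinstance(plan, list) or not all(isinstance(a, dict) for a in plan):
        raise ValueError("plan must be an array of dictionaries")
    return plan


def lookup(finding: dict, dotted_key: str):
    """Resolve 'resource.__tfmeta.filename' inside a finding, or MISSING."""
    node = finding
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


def assertion_matches(assertion: dict, finding: dict) -> bool:
    """Every key/value pair in the assertion must equal the finding's value."""
    return all(lookup(finding, key) == value for key, value in assertion.items())


def check_plan(plan: list[dict], findings: list[dict]):
    """Return (assertions that matched no finding, findings no assertion matched)."""
    unused = [a for a in plan if not any(assertion_matches(a, f) for f in findings)]
    unmatched = [f for f in findings if not any(assertion_matches(a, f) for a in plan)]
    return unused, unmatched


def run_test(plan: list[dict], findings: list[dict]) -> bool:
    """A test passes only when nothing is unused and nothing is unmatched."""
    unused, unmatched = check_plan(plan, findings)
    for a in unused:
        print(f"Failure {a} checks not used")  # the condition shown in the run above
    for f in unmatched:
        print(f"Failure unexpected finding {json.dumps(f)}")
    return not unused and not unmatched


if __name__ == "__main__":
    plan = load_plan(PLAN_TEXT)
    print("positive only: ", run_test(plan, [POSITIVE_FINDING]))
    print("no findings:   ", run_test(plan, []))
    print("false positive:", run_test(plan, [POSITIVE_FINDING, NEGATIVE_FINDING]))
```

The three scenarios cover the cases a policy test exists to catch: the positive fixture is flagged and nothing else (pass), the policy flags nothing at all (the "checks not used" failure seen above), and the negative fixture is flagged too (a false positive, failing because no assertion claims it).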

Download files


Source Distributions

No source distribution files available for this release.

Built Distribution

c7n_left-0.2.0-py3-none-any.whl (33.0 kB)

Uploaded Python 3

File details

Details for the file c7n_left-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: c7n_left-0.2.0-py3-none-any.whl
  • Size: 33.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.9.6 readme-renderer/40.0 requests/2.31.0 requests-toolbelt/1.0.0 urllib3/1.26.16 tqdm/4.66.1 importlib-metadata/5.2.0 keyring/24.2.0 rfc3986/2.0.0 colorama/0.4.6 CPython/3.11.1

File hashes

Hashes for c7n_left-0.2.0-py3-none-any.whl. Since the wheel was not uploaded with Trusted Publishing, these digests are what you have to pin: put the SHA256 in a hash-checked requirements file (pip's --require-hashes mode) so that a tampered download fails to install.

  • SHA256: 82a50b22f692ad062b9ab832d8e34f33fa7d37cebcf421822e1f43e2a2ac874d
  • MD5: ae2d4596c265fc7a82963ea588532c4c
  • BLAKE2b-256: b5576bc32a91a94e1f0580f5552501a7951eb988913bf934757ac3883ec49ee3
