
Commit d9f637b

committed
✨ add preventive guardrails
1 parent ffec476 commit d9f637b


7 files changed

+107
-5
lines changed


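--- a/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/main.tf
+++ b/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/main.tf
@@ -2,10 +2,11 @@ provider "alicloud" {
 region = "cn-shanghai"
 }
 
-module "detective_guardrails" {
+module "guardrails" {
 source = "../../"
 
 detective_guardrails = var.detective_guardrails
+preventive_guardrails = var.preventive_guardrails
 config_aggreator_name = var.config_aggreator_name
 config_aggreator_description = var.config_aggreator_description
 config_compliance_pack_name = var.config_compliance_pack_name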
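Review bot: Renaming the module label from `detective_guardrails` to `guardrails` on new line 5 changes the state address of every resource the module manages, so on an existing deployment the next plan will destroy and recreate the aggregator, compliance pack and rules rather than update them in place. Unless this example is only ever applied fresh, add a top-level `moved` block in this file with `from = module.detective_guardrails` and `to = module.guardrails` so Terraform re-addresses the existing objects (that block needs Terraform 1.1 or later, which the hunk does not pin). The `module "guardrails"` block continues outside the hunk.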

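--- a/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/tfvars/common.tfvars
+++ b/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/tfvars/common.tfvars
@@ -12,4 +12,30 @@ detective_guardrails = [
 tag_scope_key = ""
 tag_scope_value = ""
 }
+]
+
+preventive_guardrails = [
+{
+rule_name = "DenyCreateRamRole"
+rule_description = "Deny creating RAM role"
+policy_document = <<EOF
+{
+"Statement": [
+{
+"Action": [
+"ram:CreateRole"
+],
+"Resource": "*",
+"Effect": "Deny",
+"Condition": {
+"StringNotLike": {
+"acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
+}
+}
+}
+],
+"Version": "1"
+}
+EOF
+}
 ]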

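--- a/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/variables.tf
+++ b/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/variables.tf
@@ -1,5 +1,14 @@
-terraform {
-experiments = [module_variable_optional_attrs]
+# terraform {
+# experiments = [module_variable_optional_attrs]
+# }
+variable "preventive_guardrails" {
+type = list(object({
+rule_name = string
+rule_description = optional(string)
+policy_document = string
+target = optional(string)
+}))
+description = "preventive guardrails, each item in list should have rule_name and policy_document. If target is not specified, it will be set to root_folder_id"
 }
 variable "detective_guardrails" {
 type = list(object({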
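Review bot: Commenting out the `experiments = [module_variable_optional_attrs]` block on new lines 1-3 while keeping `optional(string)` in the object type on lines 7 and 9 makes this file depend on Terraform 1.3 or later, where `optional()` became generally available, but nothing in the hunk records that constraint, so an older CLI fails with a parse error on the type rather than a clear version message. Replace the three commented lines with `terraform {`, `required_version = ">= 1.3"`, `}`. The root `variables.tf` hunk later in this commit has the same gap. The `variable "detective_guardrails"` block continues outside the hunk.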

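--- a/terraform-modules/terraform-alicloud-landing-zone-guardrails/main.tf
+++ b/terraform-modules/terraform-alicloud-landing-zone-guardrails/main.tf
@@ -2,6 +2,32 @@
 data "alicloud_account" "current" {
 }
 
+#########################################################
+# Preventive Controls
+#########################################################
+data "alicloud_resource_manager_resource_directories" "default" {}
+
+locals {
+resource_directory_root_folder_id = "${data.alicloud_resource_manager_resource_directories.default.directories.0.root_folder_id}"
+}
+
+module "control_policies" {
+source = "./modules/control_policies"
+
+for_each = {
+for rule in var.preventive_guardrails: rule.rule_name => rule
+}
+
+name = each.value.rule_name
+description = can(each.value.rule_description) ? each.value.rule_description : ""
+policy_document = each.value.policy_document
+target_id = can(each.value.target_id) ? each.value.target_id : local.resource_directory_root_folder_id
+}
+
+#########################################################
+# Detective Controls
+#########################################################
+
 # Retrieve all the accounts in resource directory
 data "alicloud_resource_manager_accounts" "accounts" {
 }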
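Review bot: The `target_id` fallback on new line 24 never honours the caller's value: the `preventive_guardrails` object type in both `variables.tf` hunks declares the attribute as `target`, not `target_id`, so `each.value.target_id` is an unsupported-attribute error, `can()` evaluates to false, and every control policy is attached to the root folder no matter what the rule specifies. A Deny policy the caller scoped to one folder is therefore applied to every account in the resource directory, a much larger blast radius than requested, and the variable's own description promises the opposite. Use `target_id = each.value.target != null ? each.value.target : local.resource_directory_root_folder_id`. The same `can()` pattern on line 22 is probably ineffective as well, since an omitted optional attribute arrives as null and `can(null)` is true, so `description = each.value.rule_description != null ? each.value.rule_description : ""` gives the intended empty-string fallback.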
Lines changed: 11 additions & 0 deletions
@@ -0,0 +1,11 @@
1+
resource "alicloud_resource_manager_control_policy" "policy" {
2+
control_policy_name = var.name
3+
description = var.description
4+
effect_scope = "RAM"
5+
policy_document = var.policy_document
6+
}
7+
8+
resource "alicloud_resource_manager_control_policy_attachment" "attachment" {
9+
policy_id = alicloud_resource_manager_control_policy.policy.id
10+
target_id = var.target_id
11+
}
Lines changed: 19 additions & 0 deletions
@@ -0,0 +1,19 @@
1+
variable "name" {
2+
type = string
3+
description = "policy name"
4+
}
5+
6+
variable "description" {
7+
type = string
8+
description = "policy description"
9+
}
10+
11+
variable "policy_document" {
12+
type = string
13+
description = "policy document"
14+
}
15+
16+
variable "target_id" {
17+
type = string
18+
description = "target which policy is applied to"
19+
}
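Review bot: `policy_document` on new lines 11-14 is accepted as an arbitrary string, so a malformed or mis-indented heredoc (the example tfvars feeds one in) is only rejected by the API at apply time, after the `alicloud_resource_manager_control_policy` resource has already been planned. A `validation` block that parses the document with `jsondecode` moves that failure to `terraform plan` and gives the caller a message naming the rule instead of a provider error. The check only proves the value is well-formed JSON, not that the policy grammar is correct, which remains the service's job.
```hcl
variable "policy_document" {
type = string
description = "policy document"
validation {
condition     = can(jsondecode(var.policy_document))
error_message = "policy_document must be a valid JSON policy document."
}
}
# … unchanged: name, description and target_id variables …
```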

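--- a/terraform-modules/terraform-alicloud-landing-zone-guardrails/variables.tf
+++ b/terraform-modules/terraform-alicloud-landing-zone-guardrails/variables.tf
@@ -1,5 +1,15 @@
-terraform {
-experiments = [module_variable_optional_attrs]
+# terraform {
+# experiments = [module_variable_optional_attrs]
+# }
+
+variable "preventive_guardrails" {
+type = list(object({
+rule_name = string
+rule_description = optional(string)
+policy_document = string
+target = optional(string)
+}))
+description = "preventive guardrails, each item in list should have rule_name and policy_document. If target is not specified, it will be set to root_folder_id"
 }
 variable "detective_guardrails" {
 type = list(object({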
