✨ add preventive guardrails

daxingplay · daxingplay · commit d9f637bef1ac · 2024-10-17T18:43:57.000+08:00
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/main.tf b/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/main.tf
@@ -2,10 +2,11 @@ provider "alicloud" {
   region = "cn-shanghai"
 }
 
-module "detective_guardrails" {
+module "guardrails" {
   source = "../../"
   
   detective_guardrails = var.detective_guardrails
+  preventive_guardrails = var.preventive_guardrails
   config_aggreator_name = var.config_aggreator_name
   config_aggreator_description = var.config_aggreator_description
   config_compliance_pack_name = var.config_compliance_pack_name
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/tfvars/common.tfvars b/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/tfvars/common.tfvars
@@ -12,4 +12,30 @@ detective_guardrails = [
     tag_scope_key = ""
     tag_scope_value = ""
   }
+]
+
+preventive_guardrails = [
+  {
+    rule_name = "DenyCreateRamRole"
+    rule_description = "Deny creating RAM role"
+    policy_document = <<EOF
+{
+    "Statement": [
+        {
+            "Action": [
+                "ram:CreateRole"
+            ],
+            "Resource": "*",
+            "Effect": "Deny",
+            "Condition": {
+                "StringNotLike": {
+                    "acs:PrincipalARN": "acs:ram:*:*:role/resourcedirectoryaccountaccessrole"
+                }
+            }
+        }
+    ],
+    "Version": "1"
+}
+    EOF
+  }
 ]
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/variables.tf b/terraform-modules/terraform-alicloud-landing-zone-guardrails/examples/common/variables.tf
@@ -1,5 +1,14 @@
-terraform {
-  experiments = [module_variable_optional_attrs]
+# terraform {
+#   experiments = [module_variable_optional_attrs]
+# }
+variable "preventive_guardrails" {
+  type = list(object({
+    rule_name = string
+    rule_description = optional(string)
+    policy_document = string
+    target = optional(string)
+  }))
+  description = "preventive guardrails, each item in list should have rule_name and policy_document. If target is not specified, it will be set to root_folder_id"
 }
 variable "detective_guardrails" {
   type = list(object({
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/main.tf b/terraform-modules/terraform-alicloud-landing-zone-guardrails/main.tf
@@ -2,6 +2,32 @@
 data "alicloud_account" "current" {
 }
 
+#########################################################
+# Preventive Controls
+#########################################################
+data "alicloud_resource_manager_resource_directories" "default" {}
+
+locals {
+  resource_directory_root_folder_id = "${data.alicloud_resource_manager_resource_directories.default.directories.0.root_folder_id}"
+}
+
+module "control_policies" {
+  source = "./modules/control_policies"
+
+  for_each = {
+    for rule in var.preventive_guardrails: rule.rule_name => rule
+  }
+
+  name = each.value.rule_name
+  description = can(each.value.rule_description) ? each.value.rule_description : ""
+  policy_document = each.value.policy_document
+  target_id = can(each.value.target_id) ? each.value.target_id : local.resource_directory_root_folder_id
+}
+
+#########################################################
+# Detective Controls
+#########################################################
+
 # Retrieve all the accounts in resource directory
 data "alicloud_resource_manager_accounts" "accounts" {
 }
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/modules/control_policies/main.tf b/terraform-modules/terraform-alicloud-landing-zone-guardrails/modules/control_policies/main.tf
@@ -0,0 +1,11 @@
+resource "alicloud_resource_manager_control_policy" "policy" {
+  control_policy_name = var.name
+  description         = var.description
+  effect_scope        = "RAM"
+  policy_document     = var.policy_document
+}
+
+resource "alicloud_resource_manager_control_policy_attachment" "attachment" {
+  policy_id = alicloud_resource_manager_control_policy.policy.id
+  target_id = var.target_id
+}
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/modules/control_policies/variables.tf b/terraform-modules/terraform-alicloud-landing-zone-guardrails/modules/control_policies/variables.tf
@@ -0,0 +1,19 @@
+variable "name" {
+  type = string
+  description = "policy name"
+}
+
+variable "description" {
+  type = string
+  description = "policy description"
+}
+
+variable "policy_document" {
+  type = string
+  description = "policy document"
+}
+
+variable "target_id" {
+  type = string
+  description = "target which policy is applied to"
+}
diff --git a/terraform-modules/terraform-alicloud-landing-zone-guardrails/variables.tf b/terraform-modules/terraform-alicloud-landing-zone-guardrails/variables.tf
@@ -1,5 +1,15 @@
-terraform {
-  experiments = [module_variable_optional_attrs]
+# terraform {
+#   experiments = [module_variable_optional_attrs]
+# }
+
+variable "preventive_guardrails" {
+  type = list(object({
+    rule_name = string
+    rule_description = optional(string)
+    policy_document = string
+    target = optional(string)
+  }))
+  description = "preventive guardrails, each item in list should have rule_name and policy_document. If target is not specified, it will be set to root_folder_id"
 }
 variable "detective_guardrails" {
   type = list(object({
