Documentation ¶
Overview ¶
Package monitorcompliance checks asset compliance. It is the heart of RAM.
- Triggered by: resource or IAM policy asset feed messages in PubSub topics
- Instances:
  - one per REGO rule
  - all constraints (yaml settings) related to a REGO rule are evaluated in the REGO rule instance
- Output:
  - PubSub violation topic
  - PubSub complianceStatus topic
- Cardinality:
  - When compliant: one-to-one, only the compliance state, no violations
  - When not compliant: one-to-few, 1 compliance state + n violations
- Automatic retrying: yes
- Required environment variables:
  - ASSETSCOLLECTIONID the name of the FireStore collection grouping all assets documents
  - ENVIRONMENT the execution environment for RAM, eg, dev
  - OWNERLABELKEYNAME key name for the label identifying the asset owner
  - STATUS_TOPIC name of the PubSub topic used to output evaluated compliance states
  - VIOLATIONRESOLVERLABELKEYNAME key name for the label identifying the asset violation resolver
  - VIOLATION_TOPIC name of the PubSub topic used to output found violations
Index ¶
- func EntryPoint(ctxEvent context.Context, PubSubMessage ram.PubSubMessage, global *Global) error
- func Initialize(ctx context.Context, global *Global)
- type Asset
- type Assets
- type ComplianceStatus
- type CompliantLog
- type ConstraintConfig
- type ConstraintMetadata
- type FeedMessage
- type FunctionConfig
- type Global
- type NonCompliance
- type Parameters
- type Settings
- type Spec
- type Violation
- type Violations
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func EntryPoint ¶
EntryPoint is the function to be executed for each cloud function occurrence
func Initialize ¶
Initialize is to be executed in the init() function of the cloud function to optimize the cold start
Types ¶
type Asset ¶
type Asset struct {
	Name                    string          `json:"name"`
	Owner                   string          `json:"owner"`
	ViolationResolver       string          `json:"violationResolver"`
	AncestryPathDisplayName string          `json:"ancestryPathDisplayName"`
	AncestryPath            string          `json:"ancestryPath"`
	AncestryPathLegacy      string          `json:"ancestry_path"`
	AncestorsDisplayName    []string        `json:"ancestorsDisplayName"`
	Ancestors               []string        `json:"ancestors"`
	AssetType               string          `json:"assetType"`
	AssetTypeLegacy         string          `json:"asset_type"`
	IamPolicy               json.RawMessage `json:"iamPolicy"`
	IamPolicyLegacy         json.RawMessage `json:"iam_policy"`
	Resource                json.RawMessage `json:"resource"`
}
Asset Cloud Asset Metadata. "iamPolicy", "assetType" and "ancestryPath" are duplicated under their snake_case names to ensure compatibility between the format in the CAI feed (real time) and the CAI Export (batch)
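The following is an added example, not code from the RAM project, showing why the duplicated fields matter: the same asset arrives with camelCase keys from the CAI feed and with snake_case keys from a CAI export, and a small normalisation step folds both into the canonical fields before any rule looks at them. The Asset type is a trimmed local copy of the one above, and the two JSON documents are constructed samples.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Asset is a trimmed local copy of the page's Asset struct: only the fields that
// exist under both the feed (camelCase) and export (snake_case) names are kept.
type Asset struct {
	Name               string          `json:"name"`
	AssetType          string          `json:"assetType"`
	AssetTypeLegacy    string          `json:"asset_type"`
	AncestryPath       string          `json:"ancestryPath"`
	AncestryPathLegacy string          `json:"ancestry_path"`
	IamPolicy          json.RawMessage `json:"iamPolicy"`
	IamPolicyLegacy    json.RawMessage `json:"iam_policy"`
}

// isEmpty treats an absent key and an explicit JSON null the same way.
func isEmpty(r json.RawMessage) bool { return len(r) == 0 || string(r) == "null" }

// NormalizeAsset decodes an asset document in either CAI shape and fills the canonical
// fields from the legacy (snake_case) ones when unset, so rule evaluation reads one format.
func NormalizeAsset(raw []byte) (Asset, error) {
	var a Asset
	if err := json.Unmarshal(raw, &a); err != nil {
		return Asset{}, err
	}
	if a.AssetType == "" {
		a.AssetType = a.AssetTypeLegacy
	}
	if a.AncestryPath == "" {
		a.AncestryPath = a.AncestryPathLegacy
	}
	if isEmpty(a.IamPolicy) {
		a.IamPolicy = a.IamPolicyLegacy
	}
	if isEmpty(a.IamPolicy) {
		a.IamPolicy = nil // no policy attached in either form: leave the field unset
	}
	if a.Name == "" || a.AssetType == "" {
		return Asset{}, errors.New("asset name and type are required in at least one format")
	}
	return a, nil
}

// Constructed sample inputs: the same asset as a feed message and as an export row.
const FeedJSON = `{"name":"//cloudresourcemanager.googleapis.com/projects/123","assetType":"cloudresourcemanager.googleapis.com/Project","ancestryPath":"organizations/1/projects/123","iamPolicy":{"bindings":[{"role":"roles/owner","members":["user:alice@example.com"]}]}}`
const ExportJSON = `{"name":"//cloudresourcemanager.googleapis.com/projects/123","asset_type":"cloudresourcemanager.googleapis.com/Project","ancestry_path":"organizations/1/projects/123","iam_policy":{"bindings":[{"role":"roles/owner","members":["user:alice@example.com"]}]}}`
```

A rule that reads only the canonical fields after this step evaluates identically on real-time and batch input, which is the property the duplicated struct fields exist to guarantee.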
type ComplianceStatus ¶
type ComplianceStatus struct {
	AssetName               string    `json:"assetName"`
	AssetInventoryTimeStamp time.Time `json:"assetInventoryTimeStamp"`
	AssetInventoryOrigin    string    `json:"assetInventoryOrigin"`
	RuleName                string    `json:"ruleName"`
	RuleDeploymentTimeStamp time.Time `json:"ruleDeploymentTimeStamp"`
	Compliant               bool      `json:"compliant"`
	Deleted                 bool      `json:"deleted"`
}
ComplianceStatus by asset, by rule, true/false compliance status
type CompliantLog ¶
type CompliantLog struct {
	ComplianceStatus   ComplianceStatus `json:"complianceStatus"`
	AssetsJSONDocument json.RawMessage  `json:"assetsJSONDocument"`
}
CompliantLog log entry when compliant
type ConstraintConfig ¶
type ConstraintConfig struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Metadata   ConstraintMetadata `json:"metadata"`
	Spec       Spec               `json:"spec"`
}
ConstraintConfig exposes the content of the constraint yaml file
type ConstraintMetadata ¶
type ConstraintMetadata struct {
	Name        string                 `json:"name"`
	Annotations map[string]interface{} `json:"annotation"`
}
ConstraintMetadata Constraint's metadata
type FeedMessage ¶
type FeedMessage struct {
	Asset   Asset      `json:"asset"`
	Window  ram.Window `json:"window"`
	Deleted bool       `json:"deleted"`
	Origin  string     `json:"origin"`
}
FeedMessage Cloud Asset Inventory feed message
type FunctionConfig ¶
type FunctionConfig struct {
	FunctionName   string    `json:"functionName"`
	DeploymentTime time.Time `json:"deploymentTime"`
	ProjectID      string    `json:"projectID"`
	Environment    string    `json:"environment"`
}
FunctionConfig function deployment settings
type Global ¶
type Global struct {
// contains filtered or unexported fields
}
Global structure for global variables to optimize the cloud function performances
type NonCompliance ¶
type NonCompliance struct {
	Message  string                 `json:"message"`
	Metadata map[string]interface{} `json:"metadata"`
}
NonCompliance from the "deny" rego policy in a <templateName>.rego module
type Settings ¶
type Settings struct {
	WritabelOPAFolderPath string `json:"writabelOPAFolderPath"`
	AssetsFolderName      string `json:"assetsFolderName"`
	AssetsFileName        string `json:"assetsFileName"`
	OPAFolderPath         string `json:"OPAFolderPath"`
	RegoModulesFolderName string `json:"regoModulesFolderName"`
}
Settings the structure of the settings.json setting file
type Spec ¶
type Spec struct {
	Severity   string                 `json:"severity"`
	Match      map[string]interface{} `json:"match"`
	Parameters map[string]interface{} `json:"parameters"`
}
Spec Constraint's specifications
type Violation ¶
type Violation struct {
	NonCompliance    NonCompliance     `json:"nonCompliance"`
	FunctionConfig   FunctionConfig    `json:"functionConfig"`
	ConstraintConfig ConstraintConfig  `json:"constraintConfig"`
	FeedMessage      FeedMessage       `json:"feedMessage"`
	RegoModules      map[string]string `json:"regoModules"`
}
Violation from the "audit" rego policy in "audit.rego" module