monitorcompliance

package
v0.0.13
Published: Mar 30, 2020 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Overview

Package monitorcompliance checks asset compliance. It is the heart of RAM.

- Triggered by: resource or IAM policy asset feed messages in PubSub topics
- Instances:

  • one per REGO rule
  • all constraints (yaml settings) related to a REGO rule are evaluated in that REGO rule's instance

- Output:

  • PubSub violation topic
  • PubSub complianceStatus topic

- Cardinality:

  • When compliant: one-one, only the compliance state, no violations
  • When not compliant: one-few, 1 compliance state + n violations

- Automatic retrying: yes
- Required environment variables:

  • ASSETSCOLLECTIONID the name of the FireStore collection grouping all asset documents
  • ENVIRONMENT the execution environment for RAM, e.g. dev
  • OWNERLABELKEYNAME key name for the label identifying the asset owner
  • STATUS_TOPIC name of the PubSub topic used to output evaluated compliance states
  • VIOLATIONRESOLVERLABELKEYNAME key name for the label identifying the asset violation resolver
  • VIOLATION_TOPIC name of the PubSub topic used to output found violations

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func EntryPoint

func EntryPoint(ctxEvent context.Context, PubSubMessage ram.PubSubMessage, global *Global) error

EntryPoint is the function to be executed for each cloud function occurrence

func Initialize

func Initialize(ctx context.Context, global *Global)

Initialize is to be executed in the init() function of the cloud function to optimize the cold start

Types

type Asset

type Asset struct {
	Name                    string          `json:"name"`
	Owner                   string          `json:"owner"`
	ViolationResolver       string          `json:"violationResolver"`
	AncestryPathDisplayName string          `json:"ancestryPathDisplayName"`
	AncestryPath            string          `json:"ancestryPath"`
	AncestryPathLegacy      string          `json:"ancestry_path"`
	AncestorsDisplayName    []string        `json:"ancestorsDisplayName"`
	Ancestors               []string        `json:"ancestors"`
	AssetType               string          `json:"assetType"`
	AssetTypeLegacy         string          `json:"asset_type"`
	IamPolicy               json.RawMessage `json:"iamPolicy"`
	IamPolicyLegacy         json.RawMessage `json:"iam_policy"`
	Resource                json.RawMessage `json:"resource"`
}

Asset Cloud Asset Metadata. "iamPolicy" and "assetType" are duplicated to ensure compatibility between the format of the CAI feed (aka real time) and the CAI export (aka batch)
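The duplicated fields exist because the CAI feed (real time) and a CAI export (batch) spell the same metadata differently; a rule that reads only one spelling sees an empty iamPolicy for the other source and has nothing to evaluate. The following is an added example, not code from the RAM package: it decodes an asset in either format and folds the snake_case values into the camelCase fields before evaluation (NormalizeAsset and DecodeAsset are assumed helper names, the struct keeps only the documented fields relevant here, and the sample document is constructed).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Asset keeps the documented fields that matter here; camelCase tags are the CAI
// feed (real time) format, snake_case "Legacy" tags the CAI export (batch) format.
type Asset struct {
	Name               string          `json:"name"`
	AncestryPath       string          `json:"ancestryPath"`
	AncestryPathLegacy string          `json:"ancestry_path"`
	AssetType          string          `json:"assetType"`
	AssetTypeLegacy    string          `json:"asset_type"`
	IamPolicy          json.RawMessage `json:"iamPolicy"`
	IamPolicyLegacy    json.RawMessage `json:"iam_policy"`
}

// NormalizeAsset is an assumed helper (not in the package): it copies each snake_case
// value into its camelCase twin when only the export form was set, so a rule never
// sees an empty iamPolicy just because the asset arrived from a batch export.
func NormalizeAsset(a *Asset) {
	if a.AssetType == "" {
		a.AssetType = a.AssetTypeLegacy
	}
	if a.AncestryPath == "" {
		a.AncestryPath = a.AncestryPathLegacy
	}
	if len(a.IamPolicy) == 0 {
		a.IamPolicy = a.IamPolicyLegacy
	}
}

// DecodeAsset parses an asset document in either format and normalizes it.
func DecodeAsset(doc []byte) (Asset, error) {
	var a Asset
	if err := json.Unmarshal(doc, &a); err != nil {
		return Asset{}, err
	}
	NormalizeAsset(&a)
	return a, nil
}

func main() {
	// Constructed sample in the CAI export (snake_case) format.
	a, err := DecodeAsset([]byte(`{"name":"//storage.googleapis.com/example-bucket","asset_type":"storage.googleapis.com/Bucket","iam_policy":{"bindings":[]}}`))
	if err != nil {
		panic(err)
	}
	fmt.Println(a.AssetType, string(a.IamPolicy))
}
```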

type Assets

type Assets []Asset

Assets array of Asset

type ComplianceStatus

type ComplianceStatus struct {
	AssetName               string    `json:"assetName"`
	AssetInventoryTimeStamp time.Time `json:"assetInventoryTimeStamp"`
	AssetInventoryOrigin    string    `json:"assetInventoryOrigin"`
	RuleName                string    `json:"ruleName"`
	RuleDeploymentTimeStamp time.Time `json:"ruleDeploymentTimeStamp"`
	Compliant               bool      `json:"compliant"`
	Deleted                 bool      `json:"deleted"`
}

ComplianceStatus by asset, by rule, true/false compliance status

type CompliantLog

type CompliantLog struct {
	ComplianceStatus   ComplianceStatus `json:"complianceStatus"`
	AssetsJSONDocument json.RawMessage  `json:"assetsJSONDocument"`
}

CompliantLog log entry when compliant

type ConstraintConfig

type ConstraintConfig struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Metadata   ConstraintMetadata `json:"metadata"`
	Spec       Spec               `json:"spec"`
}

ConstraintConfig exposes the content of the constraint yaml file

type ConstraintMetadata

type ConstraintMetadata struct {
	Name        string                 `json:"name"`
	Annotations map[string]interface{} `json:"annotation"`
}

ConstraintMetadata Constraint's metadata

type FeedMessage

type FeedMessage struct {
	Asset   Asset      `json:"asset"`
	Window  ram.Window `json:"window"`
	Deleted bool       `json:"deleted"`
	Origin  string     `json:"origin"`
}

FeedMessage Cloud Asset Inventory feed message

type FunctionConfig

type FunctionConfig struct {
	FunctionName   string    `json:"functionName"`
	DeploymentTime time.Time `json:"deploymentTime"`
	ProjectID      string    `json:"projectID"`
	Environment    string    `json:"environment"`
}

FunctionConfig function deployment settings

type Global

type Global struct {
	// contains filtered or unexported fields
}

Global structure for global variables to optimize the cloud function performances

type NonCompliance

type NonCompliance struct {
	Message  string                 `json:"message"`
	Metadata map[string]interface{} `json:"metadata"`
}

NonCompliance from the "deny" rego policy in a <templateName>.rego module

type Parameters

type Parameters map[string]json.RawMessage

Parameters Constraint's settings

type Settings

type Settings struct {
	WritabelOPAFolderPath string `json:"writabelOPAFolderPath"`
	AssetsFolderName      string `json:"assetsFolderName"`
	AssetsFileName        string `json:"assetsFileName"`
	OPAFolderPath         string `json:"OPAFolderPath"`
	RegoModulesFolderName string `json:"regoModulesFolderName"`
}

Settings the structure of the settings.json settings file

type Spec

type Spec struct {
	Severity   string                 `json:"severity"`
	Match      map[string]interface{} `json:"match"`
	Parameters map[string]interface{} `json:"parameters"`
}

Spec Constraint's specifications

type Violation

type Violation struct {
	NonCompliance    NonCompliance     `json:"nonCompliance"`
	FunctionConfig   FunctionConfig    `json:"functionConfig"`
	ConstraintConfig ConstraintConfig  `json:"constraintConfig"`
	FeedMessage      FeedMessage       `json:"feedMessage"`
	RegoModules      map[string]string `json:"regoModules"`
}

Violation from the "audit" rego policy in "audit.rego" module

type Violations

type Violations []Violation

Violations array of Violation
