feat: policies

Author: gusfcarvalho

.github/workflows/build-and-upload.yml

@@ -0,0 +1,34 @@
+name: Build and Upload Artifacts
+
+on:
+  workflow_call:
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: latest
+      - name: Run OPA Build
+        run: |
+          mkdir -p dist/
+          opa build -b policies -o dist/bundle.tar.gz
+      - name: Bundle
+        uses: softprops/action-gh-release@v2
+        with:
+          files: dist/bundle.tar.gz
+      - name: Install gooci cli
+        run: go install github.com/compliance-framework/gooci@latest
+      - name: Authenticate gooci cli
+        run: gooci login ghcr.io --username ${{ github.actor }} --password ${{ secrets.GITHUB_TOKEN }}
+      - name: gooci Upload Version
+        run: gooci upload-single dist/bundle.tar.gz ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:${{github.ref_name}}
+      - name: gooci Upload Latest
+        if: "!github.event.release.prerelease"
+        run: gooci upload-single dist/bundle.tar.gz ghcr.io/${{ github.repository_owner }}/${{ github.event.repository.name }}:latest
+        

.github/workflows/push.yaml

@@ -0,0 +1,13 @@
+name: Push
+
+on:
+  pull_request:
+  push:
+    branches:
+      - '*'
+
+jobs:
+  test:
+    permissions:
+      contents: read
+    uses: ./.github/workflows/test.yml

.github/workflows/release.yml

@@ -0,0 +1,13 @@
+name: New Release
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  release:
+    permissions:
+      packages: write
+      contents: write
+    uses: ./.github/workflows/build-and-upload.yml

.github/workflows/test.yml

@@ -0,0 +1,23 @@
+name: OPA Test
+
+on:
+  workflow_call:
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Setup OPA
+        uses: open-policy-agent/setup-opa@v2
+        with:
+          version: 1.6.0
+
+      - name: Run OPA Tests
+        run: opa test policies
+
+      - name: Run OPA Check
+        run: opa check policies

.gitignore

@@ -0,0 +1,6 @@
+.idea/
+data/
+dist/
+*.tar.gz
+
+testdata/

Makefile

@@ -0,0 +1,26 @@
+# Check if OPA CLI is installed
+OPA := $(shell command -v opa 2> /dev/null)
+ifeq ($(OPA),)
+$(error "opa CLI not found. Please install it: https://www.openpolicyagent.org/docs/latest/cli/")
+endif
+
+##@ Help
+help: ## Display this concise help, ie only the porcelain target
+	@awk 'BEGIN {FS = ":.*##"; printf "\033[1mUsage\033[0m\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-30s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+help-all: ## Display all help items, ie including plumbing targets
+	@awk 'BEGIN {FS = ":.*#"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?#/ { printf "  \033[36m%-25s\033[0m %s\n", $$1, $$2 } /^#@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
+
+##@ Policies
+test: ## Test policy files
+	@OPA test policies
+
+validate: ## Validate policy files
+	@opa check policies
+
+clean: # Cleanup build artifacts
+	@rm -f dist/*
+
+build: clean ## Build the policy bundle
+	@mkdir -p dist/
+	@opa build -b policies -o dist/bundle.tar.gz

policies/cloud_custodian_resources_detected.rego

@@ -0,0 +1,53 @@
+package compliance_framework.cloud_custodian_resources_detected
+
+# Policy:
+# 1) any matched resources in a Cloud Custodian check should produce a violation.
+# 2) any execution error in a Cloud Custodian check should produce a violation.
+
+check_name := object.get(object.get(input, "check", {}), "name", "unknown-check")
+
+execution := object.get(input, "execution", {})
+result := object.get(input, "result", {})
+
+check_status := object.get(execution, "status", "unknown")
+
+resources := object.get(result, "resources", [])
+
+resource_count := count(resources) if {
+  is_array(resources)
+}
+
+resource_count := 0 if {
+  not is_array(resources)
+}
+
+has_resources if {
+  is_array(resources)
+  resource_count > 0
+}
+
+execution_error_message := object.get(execution, "error", "")
+execution_error_list := object.get(execution, "errors", [])
+
+has_execution_error if {
+  execution_error_message != ""
+}
+
+has_execution_error if {
+  is_array(execution_error_list)
+  count(execution_error_list) > 0
+}
+
+violation[{"remarks": msg}] if {
+  has_resources
+  msg := sprintf("Cloud Custodian check %q matched %d resource(s).", [check_name, resource_count])
+}
+
+violation[{"remarks": msg}] if {
+  has_execution_error
+  msg := sprintf("Cloud Custodian check %q failed during execution (status=%q). error=%v errors=%v", [check_name, check_status, execution_error_message, execution_error_list])
+}
+
+title := sprintf("Cloud Custodian check %q status=%q", [check_name, check_status])
+
+description := sprintf("Cloud Custodian check %q evaluated with status %q and matched %d resource(s). Execution errors (if any) are treated as violations.", [check_name, check_status, resource_count])

policies/cloud_custodian_resources_detected_test.rego

@@ -0,0 +1,117 @@
+package compliance_framework.cloud_custodian_resources_detected_test
+
+import data.compliance_framework.cloud_custodian_resources_detected
+
+test_violation_when_resources_detected if {
+  fixture := {
+    "check": {"name": "ec2-public-ip-check"},
+    "execution": {"status": "success", "error": "", "errors": []},
+    "result": {
+      "resources": [{"InstanceId": "i-123"}]
+    }
+  }
+
+  cloud_custodian_resources_detected.violation[{
+    "remarks": "Cloud Custodian check \"ec2-public-ip-check\" matched 1 resource(s)."
+  }] with input as fixture
+}
+
+test_violation_when_execution_error_detected if {
+  fixture := {
+    "check": {"name": "ec2-public-ip-check"},
+    "execution": {
+      "status": "error",
+      "error": "custodian execution failed",
+      "errors": ["custodian execution failed"]
+    },
+    "result": {
+      "resources": []
+    }
+  }
+
+  cloud_custodian_resources_detected.violation[{
+    "remarks": "Cloud Custodian check \"ec2-public-ip-check\" failed during execution (status=\"error\"). error=custodian execution failed errors=[\"custodian execution failed\"]"
+  }] with input as fixture
+}
+
+test_violation_when_only_execution_errors_list_present if {
+  fixture := {
+    "check": {"name": "ec2-public-ip-check"},
+    "execution": {
+      "status": "error",
+      "error": "",
+      "errors": ["custodian execution failed"]
+    },
+    "result": {
+      "resources": []
+    }
+  }
+
+  count(cloud_custodian_resources_detected.violation) == 1 with input as fixture
+
+  cloud_custodian_resources_detected.violation[{
+    "remarks": "Cloud Custodian check \"ec2-public-ip-check\" failed during execution (status=\"error\"). error= errors=[\"custodian execution failed\"]"
+  }] with input as fixture
+}
+
+test_dynamic_title_and_description if {
+  fixture := {
+    "check": {"name": "ec2-public-ip-check"},
+    "execution": {"status": "error", "error": "boom", "errors": ["boom"]},
+    "result": {
+      "resources": [{"InstanceId": "i-123"}, {"InstanceId": "i-456"}]
+    }
+  }
+
+  cloud_custodian_resources_detected.title == "Cloud Custodian check \"ec2-public-ip-check\" status=\"error\"" with input as fixture
+  cloud_custodian_resources_detected.description == "Cloud Custodian check \"ec2-public-ip-check\" evaluated with status \"error\" and matched 2 resource(s). Execution errors (if any) are treated as violations." with input as fixture
+
+  count(cloud_custodian_resources_detected.violation) == 2 with input as fixture
+
+  cloud_custodian_resources_detected.violation[{
+    "remarks": "Cloud Custodian check \"ec2-public-ip-check\" matched 2 resource(s)."
+  }] with input as fixture
+
+  cloud_custodian_resources_detected.violation[{
+    "remarks": "Cloud Custodian check \"ec2-public-ip-check\" failed during execution (status=\"error\"). error=boom errors=[\"boom\"]"
+  }] with input as fixture
+}
+
+test_no_violation_when_no_resources if {
+  fixture := {
+    "check": {"name": "ec2-public-ip-check"},
+    "execution": {"status": "success", "error": "", "errors": []},
+    "result": {
+      "resources": []
+    }
+  }
+
+  count(cloud_custodian_resources_detected.violation) == 0 with input as fixture
+}
+
+test_violation_when_check_missing_uses_unknown_check if {
+  fixture := {
+    "execution": {"status": "success", "error": "", "errors": []},
+    "result": {
+      "resources": [{"InstanceId": "i-123"}]
+    }
+  }
+
+  cloud_custodian_resources_detected.violation[{
+    "remarks": "Cloud Custodian check \"unknown-check\" matched 1 resource(s)."
+  }] with input as fixture
+}
+
+test_no_violation_when_resources_is_not_array if {
+  fixture := {
+    "check": {"name": "ec2-public-ip-check"},
+    "execution": {"status": "success", "error": "", "errors": []},
+    "result": {
+      "resources": null
+    }
+  }
+
+  count(cloud_custodian_resources_detected.violation) == 0 with input as fixture
+  cloud_custodian_resources_detected.title == "Cloud Custodian check \"ec2-public-ip-check\" status=\"success\"" with input as fixture
+  cloud_custodian_resources_detected.description == "Cloud Custodian check \"ec2-public-ip-check\" evaluated with status \"success\" and matched 0 resource(s). Execution errors (if any) are treated as violations." with input as fixture
+}