Guardrails failure Issues and hardcoded resource names in rego policy #13

Open
jacyang2010 opened this issue Apr 13, 2023 · 2 comments

jacyang2010 commented Apr 13, 2023

A rego policy parse error is spotted in the cloud build issued by the guardrails validation function, as shown below, and no validation report is generated because of this error.

starting build "14d58fa0-fda5-4cb7-9a34-ce2c132154fd"

FETCHSOURCE
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/lzpe-js08-guardrailsjs08/r/LzPeCLD-guardrails-policies-csr
 * branch            8b1241263fe9ae3cfd766e244a8dd131b82a1ff9 -> FETCH_HEAD
HEAD is now at 8b12412 Merge pull request #9 from cartyc/main
BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #0: Copying gs://lzpe565977066779assetsguardrailsjs08/organizations/565977066779.json...
Step #0: / [0 files][    0.0 B/  3.2 MiB]                                                
/ [1 files][  3.2 MiB/  3.2 MiB]                                                
Step #0: Operation completed over 1 objects/3.2 MiB.                                      
Finished Step #0
Starting Step #1
Step #1: Already have image (with digest): gcr.io/cloud-builders/docker
Finished Step #1
Starting Step #2
Step #2: Already have image (with digest): gcr.io/cloud-builders/docker
Step #2: Unable to find image 'northamerica-northeast1-docker.pkg.dev/lzpe-js08-guardrailsjs08/lzpecld-guardrails-af-registry-afr/lzpeccr-guardrails-policies-cntr:latest' locally
Step #2: latest: Pulling from lzpe-js08-guardrailsjs08/lzpecld-guardrails-af-registry-afr/lzpeccr-guardrails-policies-cntr
Step #2: 26c5c85e47da: Already exists
Step #2: 89c09bbbc10a: Pulling fs layer
Step #2: b4dab82f7782: Pulling fs layer
Step #2: 1b2c23d7ae23: Pulling fs layer
Step #2: 89c09bbbc10a: Verifying Checksum
Step #2: 89c09bbbc10a: Download complete
Step #2: b4dab82f7782: Verifying Checksum
Step #2: b4dab82f7782: Download complete
Step #2: 89c09bbbc10a: Pull complete
Step #2: b4dab82f7782: Pull complete
Step #2: 1b2c23d7ae23: Verifying Checksum
Step #2: 1b2c23d7ae23: Download complete
Step #2: 1b2c23d7ae23: Pull complete
Step #2: Digest: sha256:99e07a711bacfe921a049a43ec2b266570f6287d573bbc3a7553ec14ad9e9c64
Step #2: Status: Downloaded newer image for northamerica-northeast1-docker.pkg.dev/lzpe-js08-guardrailsjs08/lzpecld-guardrails-af-registry-afr/lzpeccr-guardrails-policies-cntr:latest
Step #2: Checking ./assets/asset_inventory.json
Step #2: Error: running test: build compiler: parse module: 1 error occurred: policies/11-logging-and-monitoring/11-Logging-and-Monitoring.rego:18: rego_parse_error: unexpected import path, must begin with one of: {data, input}, got: future
Step #2: 	import future.keywords.in
Step #2: 	       ^
Finished Step #2
Starting Step #3
Step #3: Already have image (with digest): gcr.io/cloud-builders/docker
Step #3: ./assets/asset_inventory.json
Step #3: 
Finished Step #3
Starting Step #4
Step #4: Already have image (with digest): gcr.io/cloud-builders/docker
Finished Step #4
Starting Step #5
Step #5: Already have image (with digest): gcr.io/cloud-builders/gcloud
Step #5: Copying file:///assets/565977066779.json [Content-Type=application/json]...
Step #5: / [0 files][    0.0 B/   31.0 B]                                                
/ [1 files][   31.0 B/   31.0 B]                                                
Step #5: Operation completed over 1 objects/31.0 B.                                       
Finished Step #5
PUSH
DONE

After upgrading the conftest version to latest, some hardcoded, very specific resource names are found in the validation report generated, as shown below.

./assets/asset_inventory.json
+---------+------+-----------+------------------------------------------------------------------------+
| RESULT  | FILE | NAMESPACE | MESSAGE                                                                |
+---------+------+-----------+------------------------------------------------------------------------+
| failure | -    | main      | Guardrail # 11: No storage bucket matching 'logginglogsink-goc' found. |
| failure | -    | main      | Guardrail # 11: The log sink 'org_log_sink' does not exist.            |
| failure | -    | main      | Guardrail # 5: Resource containerregistry.googleapis.com/Image

The proposed and tested changes are attached below.
cloud-guardrails-gcp.patch

The changes from the patch:

  • Upgraded the conftest version to solve the rego keyword failures.
  • Refactored 11-Logging-and-Monitoring.rego to solve the sink and bucket name matching issues.
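As an added illustration (not the project's own 11-Logging-and-Monitoring.rego), the following conftest policy shows both points of the issue: the `future.keywords` imports that an older conftest build cannot parse, and the sink and bucket checks rewritten so the names are not literals in the rule bodies. The `data.guardrails.log_sink_name` key, the array-of-assets input shape and the `resource.data` fields are assumptions for this example.

```rego
package main

# The old conftest build failed to parse the first of these imports; the
# `in`, `if` and `contains` keywords need a conftest bundled with OPA >= 0.42.
import future.keywords.in
import future.keywords.if
import future.keywords.contains

# The sink name becomes a parameter with a default instead of a literal
# inside each rule body (assumed data key; override it with
# `conftest test --data expected.yaml ./assets/asset_inventory.json`).
default expected_sink_name = "org_log_sink"
expected_sink_name := data.guardrails.log_sink_name

# Assumed input shape: an array of Cloud Asset Inventory asset objects,
# each carrying `asset_type` and `resource.data`.
log_sinks := {s |
	some a in input
	a.asset_type == "logging.googleapis.com/LogSink"
	s := a.resource.data
}

bucket_names := {a.resource.data.name |
	some a in input
	a.asset_type == "storage.googleapis.com/Bucket"
}

# Previously the comparison was `s.name == "org_log_sink"` in every rule.
matching_sinks := {s | some s in log_sinks; s.name == expected_sink_name}

deny contains msg if {
	count(matching_sinks) == 0
	msg := sprintf("Guardrail # 11: The log sink '%s' does not exist.", [expected_sink_name])
}

# The bucket name is derived from the sink's own destination
# ("storage.googleapis.com/<bucket>") rather than hardcoded a second time.
deny contains msg if {
	some s in matching_sinks
	not startswith(s.destination, "storage.googleapis.com/")
	msg := sprintf("Guardrail # 11: The log sink '%s' does not export to a storage bucket.", [s.name])
}

deny contains msg if {
	some s in matching_sinks
	startswith(s.destination, "storage.googleapis.com/")
	bucket := trim_prefix(s.destination, "storage.googleapis.com/")
	not bucket in bucket_names
	msg := sprintf("Guardrail # 11: No storage bucket matching '%s' found.", [bucket])
}
```

Because the bucket is read from the sink's destination, a renamed sink or bucket only needs a data override, not a policy edit.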
@fmichaelobrien

Sounds very good, we will review/pull once a PR is posted

@fmichaelobrien

See PR notes in #14 (comment)
