Documentation
Index
- Variables
- func ContainsString(s []string, e string) bool
- type APICall
- type Account
- type Action
- type ActionTrigger
- type CompliancePolicy
- type CompliantCheck
- type CompliantCheckResult
- type Condition
- type Config
- func (cfg Config) GetAPICallConfigs(apiCall string, accountID string, vpc string, policyType string) ([]CompliancePolicy, []APICall)
- func (cfg Config) GetAccount(id string) *Account
- func (cfg Config) GetAccountAssumedRoleArn(id string) string
- func (cfg Config) GetAccountRoleArn(id string) string
- func (cfg Config) GetAccountRoleArnSession(id string) string
- func (cfg Config) GetActionByIdAndPolicyName(id string, policyName string) *Action
- func (cfg Config) GetBucketAndFolder() (string, string)
- func (cfg Config) GetCompliancePolicy(id string) *CompliancePolicy
- func (cfg Config) GetEC2Policy(id string) *CompliancePolicy
- func (cfg Config) GetLdapConfig() LdapConfig
- func (cfg Config) GetS3Policy(id string) *CompliancePolicy
- func (cfg Config) GetSecurityGroupPolicy(id string) *CompliancePolicy
- func (cfg Config) ShouldStoreOnDynamoDB() bool
- type DynamoDBConfig
- type EmailNotification
- type EventUserInfo
- type LdapConfig
- type ResourceOperation
- type S3Config
- type SesConfig
- type TagResource
- type TimeCondition
Constants
This section is empty.
Variables
var Log = newLogger()
var LogicalConditionsTypes = []string{"AND", "OR"}
var ValidEmailFieldNames = []string{"State.Creator", "APIEvent.UserIdentity.ARN", "State.Owner", "State.Operator"}
Functions
func ContainsString
func ContainsString(s []string, e string) bool
Types
type APICall
type APICall struct {
    Name      string           `hcl:",key"`
    Tag       []TagResource    `hcl:"tag"`
    Compliant []CompliantCheck `hcl:"compliant"`
}
APICall can have the following values:
- CreateTags
- DeleteTags
- AuthorizeSecurityGroupEgress
- AuthorizeSecurityGroupIngress
- CreateSecurityGroup
- DeleteSecurityGroup
- RevokeSecurityGroupEgress
- RevokeSecurityGroupIngress
func (APICall) CheckCompliance
func (ac APICall) CheckCompliance(getResourceProperties func(string) []string, resourceId string, eventuser EventUserInfo) []CompliantCheckResult
CheckCompliance checks all compliance definitions.
func (APICall) SetTag
func (ac APICall) SetTag(getValueFromTemplate func(input string) (string, error), resourceTaggingFunction func(string, string) error, triggerResourceAction func(string, string))
SetTag applies resource tags.
- getValueFromTemplate func(input string) (string, error): function pointer used to parse the input, e.g. with the help of a templating library.
- resourceTaggingFunction func(string, string) error: resource-specific function that sets the tags.
- triggerResourceAction func(string, string): arguments are property and action; function that provides the action functionality of the configuration.
type Action
type Action struct {
    Name      string              `hcl:",key"`
    Email     EmailNotification   `hcl:"email"`
    Condition []TimeCondition     `hcl:"condition"`
    Operation []ResourceOperation `hcl:"operation"`
}
The action to take in response to a non-compliant check.
type ActionTrigger
type CompliancePolicy
type CompliantCheck
type CompliantCheck struct {
    Name        string      `hcl:",key"`
    PolicyName  string      `hcl:"policy_name"`
    StateOwner  string      `hcl:"state_owner"`
    // pattern to check
    Schema      string      `hcl:"schema"`
    // pattern negation trigger - negate the regular expression defined in schema
    Negate      bool        `hcl:"negate"`
    Mandatory   bool        `hcl:"mandatory"`
    Description string      `hcl:"description"`
    Condition   []Condition `hcl:"condition"`
    Actions     []string    `hcl:"actions"`
}
CompliantCheck checks whether the resource property "Name" is compliant with what is defined in "Schema".
func (CompliantCheck) IsCompliant
func (c CompliantCheck) IsCompliant(prop string, value string) (bool, error)
IsCompliant returns (true, nil) if the property is compliant, (false, nil) if it is not compliant, and (false, error) if the compliance check does not match the property.
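The following is an added, self-contained example (not the package's own code) of how a CompliantCheck with a regular-expression Schema, a Negate flag and a Mandatory flag can be evaluated, and how APICall.CheckCompliance can run every check of an API call against a resource's properties. The types are reduced to the documented fields the example needs, the eventuser parameter of CheckCompliance is left out, the policy and the tag lookup are constructed sample data, and the treatment of a missing mandatory property (reported as non-compliant with an empty value) is this example's own choice.

```go
package main

import (
	"fmt"
	"regexp"
)

// CompliantCheck mirrors the documented fields this example uses: Name is the
// resource property (here a tag key) to check, Schema a regular expression it
// must match, Negate inverts the match and Mandatory makes a missing property
// non-compliant on its own. The types here are this example's own, not the package's.
type CompliantCheck struct {
	Name        string
	PolicyName  string
	Schema      string
	Negate      bool
	Mandatory   bool
	Description string
}

// IsCompliant returns (true, nil) if value satisfies the check, (false, nil) if it
// does not, and (false, err) if the check does not apply to prop or Schema is not
// a valid regular expression.
func (c CompliantCheck) IsCompliant(prop string, value string) (bool, error) {
	if prop != c.Name {
		return false, fmt.Errorf("check %q does not apply to property %q", c.Name, prop)
	}
	re, err := regexp.Compile(c.Schema)
	if err != nil {
		return false, fmt.Errorf("invalid schema for check %q: %w", c.Name, err)
	}
	matched := re.MatchString(value)
	if c.Negate {
		return !matched, nil
	}
	return matched, nil
}

type CompliantCheckResult struct {
	IsCompliant       bool
	Check             CompliantCheck
	Value, ResourceId string
}

type APICall struct {
	Name      string
	Compliant []CompliantCheck
}

// CheckCompliance evaluates every check of the API call against one resource.
// getResourceProperties returns all values of a named property (all values of a
// tag key, say). A property with no values is recorded as non-compliant when the
// check is mandatory and skipped otherwise; a check that errors counts as failed.
func (ac APICall) CheckCompliance(getResourceProperties func(string) []string, resourceId string) []CompliantCheckResult {
	var results []CompliantCheckResult
	for _, check := range ac.Compliant {
		values := getResourceProperties(check.Name)
		if len(values) == 0 {
			if check.Mandatory {
				results = append(results, CompliantCheckResult{Check: check, ResourceId: resourceId})
			}
			continue
		}
		for _, v := range values {
			ok, err := check.IsCompliant(check.Name, v)
			results = append(results, CompliantCheckResult{IsCompliant: ok && err == nil, Check: check, Value: v, ResourceId: resourceId})
		}
	}
	return results
}

// CreateSecurityGroupChecks is a constructed policy for the CreateSecurityGroup
// API call (example data, not a real configuration).
var CreateSecurityGroupChecks = APICall{
	Name: "CreateSecurityGroup",
	Compliant: []CompliantCheck{
		{Name: "Owner", PolicyName: "sg", Schema: `^[a-z-]+@example\.com$`, Mandatory: true, Description: "Owner tag must be a corporate address"},
		{Name: "Environment", PolicyName: "sg", Schema: `^(dev|test|prod)$`, Mandatory: true, Description: "Environment tag must be dev, test or prod"},
		{Name: "CostCenter", PolicyName: "sg", Schema: `^\d{4}$`, Mandatory: true, Description: "CostCenter tag is required"},
		{Name: "Owner", PolicyName: "sg", Schema: `^root@`, Negate: true, Description: "Owner must not be the root user"},
	},
}

// SampleResourceProperties stands in for the tag lookup of one security group
// (constructed sample data): Owner and Environment are set, CostCenter is missing.
func SampleResourceProperties(prop string) []string {
	tags := map[string][]string{
		"Owner":       {"team-a@example.com"},
		"Environment": {"Prod"},
	}
	return tags[prop]
}

func main() {
	results := CreateSecurityGroupChecks.CheckCompliance(SampleResourceProperties, "sg-0123456789abcdef0")
	for _, r := range results {
		fmt.Printf("%-12s compliant=%-5v value=%q  %s\n", r.Check.Name, r.IsCompliant, r.Value, r.Check.Description)
	}
}
```

Run as is, the sample yields four results: the Owner checks pass (the address matches the corporate pattern and is not root), the Environment value "Prod" fails the case-sensitive schema, and the missing mandatory CostCenter tag is reported with an empty value. Anchoring the schemas with ^ and $ matters: an unanchored pattern such as `example\.com` would also accept "attacker@example.com.evil.test".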
type CompliantCheckResult
type CompliantCheckResult struct {
    IsCompliant          bool
    Check                CompliantCheck
    EventUser            EventUserInfo
    EventType            string
    Value, ResourceId    string
    DateAndTypeComposite string
    CreationDate         time.Time
}
func (CompliantCheckResult) IsIpPermissionsCheck
func (ccres CompliantCheckResult) IsIpPermissionsCheck() bool
Returns true if the compliant check associated with this result is related to an IpPermissions-type event; returns false otherwise.
func (CompliantCheckResult) IsSameCheck
func (ccres CompliantCheckResult) IsSameCheck(otherOne CompliantCheckResult) bool
Compares the values of two CompliantCheckResult objects, except for "IsCompliant", "Value" and "Date". Returns true if the values are the same; returns false otherwise.
func (CompliantCheckResult) IsSameCheckResult
func (ccres CompliantCheckResult) IsSameCheckResult(otherOne CompliantCheckResult) bool
Compares the values of two CompliantCheckResult objects, except for "Date". Returns true if the values are the same; returns false otherwise.
type Config
type Config struct {
    Region              string             `hcl:"region"`
    AccessKey           string             `hcl:"access_key"`
    SecretKey           string             `hcl:"secret_key"`
    SecurityGroupPolicy []CompliancePolicy `hcl:"security_group_policy"`
    EC2Policy           []CompliancePolicy `hcl:"ec2_policy"`
    S3Policy            []CompliancePolicy `hcl:"s3_policy"`
    AreBotUserSession   string             `hcl:"arebot_user_session_name"`
    Account             []Account          `hcl:"account"`
    LdapConfig          LdapConfig         `hcl:"ldap_config"`
    S3Config            S3Config           `hcl:"s3_config"`
    SesConfig           SesConfig          `hcl:"ses_config"`
    DynamoDBConfig      DynamoDBConfig     `hcl:"dynamodb_config"`
}
Config type
func ParseConfig
ParseConfig parses the given HCL string into a Config struct.
func (Config) GetAPICallConfigs
func (cfg Config) GetAPICallConfigs(apiCall string, accountID string, vpc string, policyType string) ([]CompliancePolicy, []APICall)
GetAPICallConfigs returns all APICall configuration objects for a given apiCall.
func (Config) GetAccount
GetAccount returns the Account object of the account with the given ID.
func (Config) GetAccountAssumedRoleArn
GetAccountAssumedRoleArn transforms the configured role ARN into the user identity ARN of the assumed role for the account (iam -> sts assume-role).
func (Config) GetAccountRoleArn
GetAccountRoleArn returns the configured role ARN for the account with the given ID, and an empty string otherwise.
func (Config) GetAccountRoleArnSession
GetAccountRoleArnSession returns the session part of the role as it is configured, and an empty string otherwise.
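As an added example (not the package's own implementation), the following shows the iam -> sts assume-role transformation behind GetAccountAssumedRoleArn together with the GetAccount, GetAccountRoleArn and GetAccountRoleArnSession lookups it builds on. The Account field names, the SampleConfig data and the IsOwnEvent helper (which compares a CloudTrail userIdentity ARN with the bot's own assumed-role ARN) are this example's assumptions; the page does not show the real configuration keys or how the package uses the result.

```go
package main

import (
	"fmt"
	"strings"
)

// Account holds the per-account settings this example assumes: the account ID,
// the IAM role to assume in it and the role session name. Field names are this
// example's own; the real configuration keys are not shown on the page.
type Account struct {
	ID          string
	RoleArn     string
	RoleSession string
}

type Config struct {
	Account []Account
}

// GetAccount returns the account with the given ID, or nil if it is not configured.
func (cfg Config) GetAccount(id string) *Account {
	for i := range cfg.Account {
		if cfg.Account[i].ID == id {
			return &cfg.Account[i]
		}
	}
	return nil
}

// GetAccountRoleArn returns the configured role ARN, or "" for an unknown account.
func (cfg Config) GetAccountRoleArn(id string) string {
	if a := cfg.GetAccount(id); a != nil {
		return a.RoleArn
	}
	return ""
}

// GetAccountRoleArnSession returns the configured session name, or "" for an unknown account.
func (cfg Config) GetAccountRoleArnSession(id string) string {
	if a := cfg.GetAccount(id); a != nil {
		return a.RoleSession
	}
	return ""
}

// GetAccountAssumedRoleArn rewrites the IAM role ARN
// (arn:<partition>:iam::<account>:role/<path>/<name>) into the STS assumed-role ARN
// (arn:<partition>:sts::<account>:assumed-role/<name>/<session>) that appears as
// userIdentity.arn in CloudTrail once the role has been assumed. The role path is
// not part of the assumed-role ARN. Returns "" if the account is unknown, the
// session name is empty, or the ARN is not an IAM role ARN.
func (cfg Config) GetAccountAssumedRoleArn(id string) string {
	roleArn := cfg.GetAccountRoleArn(id)
	session := cfg.GetAccountRoleArnSession(id)
	if roleArn == "" || session == "" {
		return ""
	}
	// ARN layout: arn:partition:service:region:account:resource
	parts := strings.SplitN(roleArn, ":", 6)
	if len(parts) != 6 || parts[0] != "arn" || parts[2] != "iam" || !strings.HasPrefix(parts[5], "role/") {
		return ""
	}
	roleName := strings.TrimPrefix(parts[5], "role/")
	if i := strings.LastIndex(roleName, "/"); i >= 0 {
		roleName = roleName[i+1:]
	}
	return fmt.Sprintf("arn:%s:sts::%s:assumed-role/%s/%s", parts[1], parts[4], roleName, session)
}

// IsOwnEvent reports whether a CloudTrail userIdentity ARN belongs to the bot's
// own assumed role in that account, so that a consumer can ignore the tagging and
// remediation calls it issued itself. This use of the mapping is an assumption of
// this example, and the name is this example's own.
func (cfg Config) IsOwnEvent(accountID, userIdentityArn string) bool {
	own := cfg.GetAccountAssumedRoleArn(accountID)
	return own != "" && own == userIdentityArn
}

// SampleConfig is constructed example data, not a real deployment.
var SampleConfig = Config{Account: []Account{
	{ID: "123456789012", RoleArn: "arn:aws:iam::123456789012:role/arebot-role", RoleSession: "arebot"},
	{ID: "210987654321", RoleArn: "arn:aws:iam::210987654321:role/service/arebot-role", RoleSession: "compliance"},
}}

func main() {
	for _, a := range SampleConfig.Account {
		fmt.Printf("%s -> %s\n", a.RoleArn, SampleConfig.GetAccountAssumedRoleArn(a.ID))
	}
}
```

The check on the service and resource prefix is deliberate: a user ARN or a malformed value in the configuration yields an empty string rather than a plausible-looking sts ARN, so a comparison against event user identities can never match by accident.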
func (Config) GetActionByIdAndPolicyName
func (Config) GetBucketAndFolder
func (Config) GetCompliancePolicy
func (cfg Config) GetCompliancePolicy(id string) *CompliancePolicy
func (Config) GetEC2Policy
func (cfg Config) GetEC2Policy(id string) *CompliancePolicy
func (Config) GetLdapConfig
func (cfg Config) GetLdapConfig() LdapConfig
func (Config) GetS3Policy
func (cfg Config) GetS3Policy(id string) *CompliancePolicy
func (Config) GetSecurityGroupPolicy
func (cfg Config) GetSecurityGroupPolicy(id string) *CompliancePolicy
func (Config) ShouldStoreOnDynamoDB
type DynamoDBConfig
type EmailNotification
type EventUserInfo
type EventUserInfo struct {
AccountId, Username, EmailAddress, Region string
}
type LdapConfig
type ResourceOperation
type ResourceOperation struct{}
type TagResource
type TagResource struct {
    Name  string `hcl:",key"`
    Key   string `hcl:"key"`
    Value string `hcl:"value"`
}
TagResource will trigger a resource tagging with a fixed key, value pair.