
policy-library's Introduction

Config Validator Policy Library

This repo contains a library of constraint templates and sample constraints.

For information on setting up Config Validator to secure your environment, see the User Guide.

Initializing a policy library

You can easily set up a new (local) policy library by downloading a bundle using kpt.

Download the full policy library and install the Forseti bundle:

export BUNDLE=forseti-security
kpt pkg get https://github.com/GoogleCloudPlatform/policy-library.git ./policy-library
kpt fn source policy-library/samples/ | \
  kpt fn eval - --image gcr.io/config-validator/get-policy-bundle:latest -- bundle=$BUNDLE | \
  kpt fn sink policy-library/policies/constraints/$BUNDLE

Once you have initialized a library, you might want to save it to git.

Developing a Constraint

If this library doesn't contain a constraint that matches your use case, you can develop a new one using the Constraint Template Authoring Guide.

Available Commands

make audit                          Run audit against real CAI dump data
make build                          Format and build
make build_templates                Inline Rego rules into constraint templates
make debug                          Show debugging output from OPA
make format                         Format Rego rules
make help                           Prints help for targets with comments
make test                           Test constraint templates via OPA

Inlining

You can run make build to automatically inline Rego rules into your constraint templates.

This is done by finding each #INLINE("filename") statement and its matching #ENDINLINE statement in your YAML, and replacing everything in between with the contents of that file.

For example, running make build would replace the raw content below with the replaced content that follows it:

Raw:

#INLINE("my_rule.rego")
# This text will be replaced
#ENDINLINE

Replaced:

#INLINE("my_rule.rego")
#contents of my_rule.rego
#ENDINLINE
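The inlining step described above, re-implemented as an added Python example (this is not the project's own build script). It assumes only the marker syntax shown in the Raw/Replaced listings: both marker lines are kept, the file contents are dropped in between them, and each inserted line inherits the marker's indentation so the rule stays inside the YAML block scalar. File reads go through an injected read_file callback so the function runs on the constructed sample here without touching disk; inline_file is the disk-backed variant.

```python
import re
from pathlib import Path

# One #INLINE("name") marker line, the lines between it and the matching
# #ENDINLINE marker line, and the marker's own indentation.
INLINE_RE = re.compile(
    r'^(?P<start>(?P<indent>[ \t]*)#INLINE\("(?P<name>[^"]+)"\)[ \t]*)$\n'
    r'(?P<body>.*?)'
    r'^(?P<end>[ \t]*#ENDINLINE[ \t]*)$',
    re.MULTILINE | re.DOTALL,
)


def inline_rego(yaml_text, read_file):
    """Replace every #INLINE("f") ... #ENDINLINE block with the contents of f.

    Both marker lines are preserved, which makes the operation idempotent:
    running it again replaces the previously inlined contents with a fresh copy.
    """
    def replace(match):
        indent = match.group("indent")
        contents = read_file(match.group("name")).rstrip("\n")
        # Prefix every non-empty line with the marker's indentation so the rule
        # lands inside the same YAML block scalar as the markers themselves.
        body = "\n".join(indent + line if line else "" for line in contents.split("\n"))
        return f"{match.group('start')}\n{body}\n{match.group('end')}"

    return INLINE_RE.sub(replace, yaml_text)


def inline_file(path):
    """Disk-backed variant: #INLINE names are resolved relative to the YAML file."""
    path = Path(path)
    return inline_rego(path.read_text(), lambda name: (path.parent / name).read_text())


# Constructed sample input (not taken from the repository): a template fragment
# that uses the markers, and the rule file it refers to.
SAMPLE_FILES = {
    "my_rule.rego": 'package templates.gcp.example\n\ndeny[msg] {\n\tmsg := "always"\n}\n',
}
RAW_TEMPLATE = (
    "spec:\n"
    "  targets:\n"
    "    rego: |\n"
    '      #INLINE("my_rule.rego")\n'
    "      # This text will be replaced\n"
    "      #ENDINLINE\n"
)


def build_sample():
    """Inline the constructed template using the in-memory file map."""
    return inline_rego(RAW_TEMPLATE, SAMPLE_FILES.__getitem__)


if __name__ == "__main__":
    print(build_sample())
```

Because the markers survive the replacement, a second make build run produces the same file rather than nesting or duplicating the rule; the test below checks that property as well as the indentation handling.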

Linting Policies

Config Validator provides a policy linter. You can invoke it as:

go get github.com/GoogleCloudPlatform/config-validator/cmd/policy-tool
policy-tool --policies ./policies --policies ./samples --libs ./lib

Local CI

You can run the cloudbuild CI locally as follows:

gcloud components install cloud-build-local
cloud-build-local --config ./cloudbuild.yaml --dryrun=false .

Updating CI Images

You can update the CI images to add new versions of Rego/OPA as they are released.

# Rebuild all images.
make -j ci-images

# Rebuild a single image
make ci-image-v1.16.0

policy-library's People

Contributors

aaronsutton, adrienwalkowiak, anandj123, aolarte, briantkennedy, brunoreboul, charliewolf, daniel-cit, ddremund, dekuhn, fanchenbao, g-awmalik, gkowalski-google, hshin-g, joecheuk, katze120, kevensen, maltarace, marine675, matthewmarr, melinath, mmontan, morgante, onetwopunch, palani-ram-google-partner, reechar-goog, t12g, xingao267, yunus, zhuzenglu


policy-library's Issues

Add exclude list to GCPCMEKRotationConstraintV1

We need to add an exclude for the GCPCMEKRotationConstraintV1, because once created, KMS keychains cannot be removed. As long as we don't have the 'delete keychain' option in the KMS API, we should be able to exclude unused keychains.

Problem with regex when enforcing labels

Hi
I have a problem running the config validator in Forseti after updating the enforce labels constraint GCPEnforceLabelConstraintV1, and it seems to have to do with the regex. When running with the default

    mandatory_labels: 
      - "label1": "^label1-value$"
      - "label2": "^label2-value.*$"

all works fine but when switching to

    mandatory_labels: 
      - "environment": "^.*$"
      - "ownerteam": "^.*$"

we get the following error in GCP.

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/forseti_security-2.19.0-py3.6.egg/google/cloud/forseti/scanner/scanners/config_validator_util/validator_client.py", line 106, in audit
    return self.stub.Audit(validator_pb2.AuditRequest()).violations
  File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 550, in __call__
    return _end_unary_response_blocking(state, call, False, None)
  File "/usr/local/lib/python3.6/dist-packages/grpc/_channel.py", line 467, in _end_unary_response_blocking
    raise _Rendezvous(state, None, None, deadline)
grpc._channel._Rendezvous: <_Rendezvous of RPC that terminated with:
	status = StatusCode.UNKNOWN
	details = "templates.templates.gcpGCPEnforceLabelConstraintV1:70: eval_type_error: re_match: operand 2 must be string but got null"
	debug_error_string = "{"created":"@1565381035.178658072","description":"Error received from peer","file":"src/core/lib/surface/call.cc","file_line":1036,"grpc_message":"templates.templates.gcpGCPEnforceLabelConstraintV1:70: eval_type_error: re_match: operand 2 must be string but got null","grpc_status":2}"
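The failure reported above is a regex matcher receiving null instead of a string. As an added example (not the project's template, and not a claim about why that template fails), here is the same mandatory-labels check written in Python, with the missing-label case handled explicitly before any pattern is evaluated. It assumes the constraint parameter shape shown in the issue (a list of single-entry mappings, label name to regex) and CAI-style assets whose labels live under resource.data.labels; both the parameters and the assets are constructed. Patterns are applied with re.search because they carry their own anchors, mirroring the unanchored semantics of Rego's re_match.

```python
import re

# Constructed constraint parameters in the shape shown in the issue.
CONSTRAINT_PARAMS = {
    "mandatory_labels": [
        {"environment": r"^(dev|test|prod)$"},
        {"ownerteam": r"^.*$"},
    ]
}

# Constructed CAI-style assets; only the fields the check needs are present.
ASSETS = [
    {"name": "//compute.googleapis.com/projects/p/zones/z/instances/ok",
     "resource": {"data": {"labels": {"environment": "prod", "ownerteam": "sec"}}}},
    {"name": "//compute.googleapis.com/projects/p/zones/z/instances/no-owner",
     "resource": {"data": {"labels": {"environment": "prod"}}}},
    {"name": "//compute.googleapis.com/projects/p/zones/z/instances/bad-env",
     "resource": {"data": {"labels": {"environment": "staging", "ownerteam": "sec"}}}},
    {"name": "//compute.googleapis.com/projects/p/zones/z/instances/unlabelled",
     "resource": {"data": {}}},
]


def mandatory_labels(params):
    """Flatten the list of single-entry mappings into one {label: pattern} dict."""
    merged = {}
    for entry in params.get("mandatory_labels", []):
        merged.update(entry)
    return merged


def label_violations(asset, required):
    """Return one message per mandatory label that is absent or fails its regex."""
    labels = asset.get("resource", {}).get("data", {}).get("labels") or {}
    violations = []
    for name, pattern in required.items():
        value = labels.get(name)
        if value is None:
            # Absent label: report it directly instead of handing None to the matcher.
            violations.append(f"label {name!r} is missing")
        elif not re.search(pattern, value):
            violations.append(f"label {name!r} value {value!r} does not match {pattern!r}")
    return violations


def audit(assets, params):
    """Map asset name -> violation messages, for assets that have at least one."""
    required = mandatory_labels(params)
    result = {}
    for asset in assets:
        found = label_violations(asset, required)
        if found:
            result[asset["name"]] = found
    return result


if __name__ == "__main__":
    for name, messages in audit(ASSETS, CONSTRAINT_PARAMS).items():
        print(name, messages)
```

A pattern such as ^.*$ matches any string, so with this ordering the only way the ownerteam requirement can fail is the label being absent, which is exactly the case that must be decided before the regex runs.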

VPC-SC scan (feature request)

This is a feature request for having a scanner that checks VPC Service Controls to ensure the configuration is correct/appropriate.

Some basic checks like:

  • only whitelisted services are included in the perimeter
  • appropriate Access Levels are included in the perimeter
  • only projects from our organization are included in the perimeter

It may make sense to have this scan work in conjunction with an Access Context Manager scan, since Access Levels and VPC-SC are tightly coupled (and their union defines the actual security controls on the organization).

GCS Blacklist Public - Not Triggering

I have tried a couple different ways to trigger the example policy located in policy-library/samples/storage_blacklist_public.yaml but am having no luck. The rego inside policy-library/policies/templates/gcp_storage_bucket_world_readable_v1.yaml is looking for

constraint := input.constraint
asset := input.asset
asset.asset_type == "storage.googleapis.com/Bucket"

world_readable_checks := [
	asset.iam_policy.bindings[_].members[_] == "allUsers",
	asset.iam_policy.bindings[_].members[_] == "allAuthenticatedUsers",
]

world_readable_checks[_] == true

Some of the example terraform code used to try and violate the constraint is:

variable "project" {}

provider "google" {
  project = "${var.project}"
}

resource "google_storage_bucket" "test-1" {
  name = "test-1"
}

resource "google_storage_bucket" "test-2" {
  name = "test-2"
}

resource "google_storage_bucket_iam_policy" "member" {
  bucket      = "${google_storage_bucket.test-1.name}"
  policy_data = "${data.google_iam_policy.foo-policy.policy_data}"
}

data "google_iam_policy" "foo-policy" {
  binding {
    role = "roles/storage.objectViewer"

    members = [
      "allUsers",
      "allAuthenticatedUsers",
    ]
  }
}

resource "google_storage_bucket_iam_binding" "binding1" {
  bucket = "${google_storage_bucket.test-2.name}"
  role   = "roles/storage.objectViewer"

  members = [
    "allUsers",
    "allAuthenticatedUsers",
  ]
}

resource "google_project_iam_policy" "project" {
  project     = "${var.project}"
  policy_data = "${data.google_iam_policy.foo-policy.policy_data}"
}

This main.tf successfully creates two public buckets with IAM permissions attached for public read.

sqladmin.googleapis.com/Instance requireSSL Not Triggering

The gcp_sql_ssl_v1.yaml template is looking for:

asset.resource.settings.ipConfiguration.requireSsl == false

but the CAI returns:

[
  {
    "name": "<redacted>",
    "asset_type": "sqladmin.googleapis.com/Instance",
    "ancestry_path": "<redacted>",
    "resource": {
      "version": "v1beta4",
      "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/sqladmin/v1beta4/rest",
      "discovery_name": "DatabaseInstance",
      "parent": "<redacted>",
      "data": {
        "databaseVersion": "POSTGRES_9_6",
        "name": "master-instance",
        "project": "<redacted>",
        "region": "us-central1",
        "settings": {
          "ipConfiguration": {
            "ipv4Enabled": true,
            "requireSsl": false
          },
          "pricingPlan": "PER_USE",
          "replicationType": "SYNCHRONOUS",
          "storageAutoResize": true,
          "tier": "db-f1-micro"
        }
      }
    }
  }
]

It looks like it is missing "data" so I added it to the template:

asset.resource.data.settings.ipConfiguration.requireSsl == false

but that still does not catch the entry:

variable project {}

provider "google" {
  project = "${var.project}"
  region  = "us-east1"
}

resource "google_sql_database_instance" "master" {
  name = "master-instance"
  database_version = "POSTGRES_9_6"
  region = "us-central1"

  settings {
    # Second-generation instance tiers are based on the machine
    # type. See argument reference below.
    tier = "db-f1-micro"
    ip_configuration {
        ipv4_enabled = "true"
        require_ssl = "false"
    }
  }
}
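Both of the two issues above come down to what a rule actually sees in a CAI asset: the IAM bindings of a bucket, and where the Cloud SQL settings sit inside the export. As an added example (not the project's templates), the checks are written in Python over constructed CAI-style assets. The lookup helper walks a dotted path and returns None when any step is absent, which is the analogue of a Rego reference being undefined: the rule body simply never becomes true. The requireSsl check is parameterised on the path so that the path the issue author found to work (through resource.data) can be compared with the one they report the template using; the asset contents, names and the example.com principal are all constructed.

```python
# Constructed CAI-style assets, not real export data.
PUBLIC_BUCKET = {
    "name": "//storage.googleapis.com/test-1",
    "asset_type": "storage.googleapis.com/Bucket",
    "iam_policy": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["allUsers", "allAuthenticatedUsers"]},
    ]},
}
PRIVATE_BUCKET = {
    "name": "//storage.googleapis.com/test-2",
    "asset_type": "storage.googleapis.com/Bucket",
    "iam_policy": {"bindings": [
        {"role": "roles/storage.objectViewer",
         "members": ["group:sec@example.com"]},
    ]},
}
SQL_NO_SSL = {
    "name": "//cloudsql.googleapis.com/projects/example/instances/master-instance",
    "asset_type": "sqladmin.googleapis.com/Instance",
    "resource": {"version": "v1beta4", "data": {
        "name": "master-instance",
        "settings": {"ipConfiguration": {"ipv4Enabled": True, "requireSsl": False}},
    }},
}

PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}
# Path the issue author found to work, and the path they report the template using.
REQUIRE_SSL_PATH = "resource.data.settings.ipConfiguration.requireSsl"
ORIGINAL_TEMPLATE_PATH = "resource.settings.ipConfiguration.requireSsl"


def lookup(obj, dotted):
    """Follow a dotted path; None means some step was absent (undefined in Rego)."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def is_world_readable(asset):
    """True when any binding on a bucket grants access to a public principal."""
    if asset.get("asset_type") != "storage.googleapis.com/Bucket":
        return False
    bindings = lookup(asset, "iam_policy.bindings") or []
    return any(m in PUBLIC_PRINCIPALS for b in bindings for m in b.get("members", []))


def lacks_require_ssl(asset, path=REQUIRE_SSL_PATH):
    """True only when the field exists at `path` and is literally false."""
    if asset.get("asset_type") != "sqladmin.googleapis.com/Instance":
        return False
    return lookup(asset, path) is False


def audit(assets, ssl_path=REQUIRE_SSL_PATH):
    """Run both checks over a list of assets and return (name, message) pairs."""
    violations = []
    for asset in assets:
        if is_world_readable(asset):
            violations.append((asset["name"], "bucket readable by allUsers/allAuthenticatedUsers"))
        if lacks_require_ssl(asset, ssl_path):
            violations.append((asset["name"], "requireSsl is false"))
    return violations


if __name__ == "__main__":
    for name, message in audit([PUBLIC_BUCKET, PRIVATE_BUCKET, SQL_NO_SSL]):
        print(name, message)
```

Running the audit with ORIGINAL_TEMPLATE_PATH yields no Cloud SQL finding at all, which is the silent outcome described in the issue: a wrong path does not error, it just never matches, so a template's test fixtures should include an asset that is expected to violate.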

Constraint Template naming requirement

When trying to feed the template yaml files to a Kubernetes cluster with Gatekeeper installed, it got denied by the Gatekeeper admission controller.

Sample error message:

Error from server (Template's name gcp-always-violates-v1 is not equal to the CRD's plural name: gcpalwaysviolatesconstraintsv1): error when creating "config-validator/dev/policy-library/policies/templates/gcp_always_violates_v1.yaml": admission webhook "validation.gatekeeper.sh" denied the request: Template's name gcp-always-violates-v1 is not equal to the CRD's plural name: gcpalwaysviolatesconstraintsv1

Looks like Gatekeeper is requiring that the constraint template's name (under metadata) needs to be the same as the CRD's plural name. This convention is not enforced in policy library today.

Getting started in Cloud Shell

Currently, we reference a Cloud Shell image. It would be useful to have a straightforward "Open in Cloud Shell" for the whole policy repo which:

  • Clones and opens the policy library repo
  • Comes pre-installed with Terraform, Terraform Validator, and OPA
  • Has python dependencies for Make scripts pre-installed

Modifying fixture library likely to affect multiple constraint templates

It appears that as the test fixtures are maintained today, the typical constraint template test often includes counting "denies" produced against the entirety of the asset fixtures for a particular resource type or set of resource types.

It seems likely that in many cases, producing new asset fixtures as required for testing newly-developed policies has the side effect of also modifying the fixture library used for testing existing policies, which may break their tests, requiring the developer of a new constraint to either spend time crafting fixtures that meet previous expectations of other constraint tests, or modify those tests (from other fixtures than they were working on in their branch) to account for the newly added fixtures.

Should we consider changing the paradigm such that there is a default set of fixtures, and then perhaps a subdirectory for constraint-specific fixtures? I considered implementing this myself for a policy PR I recently submitted, but thought maybe it should be raised as an issue first.

gcp_gke_disable_legacy_endpoints_v1 inverted rule?

This template seems to detect as non-compliant all the GKE clusters where legacy endpoints are disabled.
It seems to work in the opposite way from what is expected.

Would it be possible to fix the rego file with:

legacy_endpoints_enabled(node_pool) == false

Thanks

Add Firewall template

Hi all,
Please add firewall and constraint sample policies to check

  • if an SA can talk to another SA based on a regex on their names
  • if TCP 22 or 3389 is opened to 0.0.0.0/0
  • if TCP open ports specify a wide range: [1-65535]
  • if a range of subnets are the only one allowed for ingress

Thank you
Best regards

User Guide | Forseti Validator

"The one important addition is the config_validator_enabled field. It is not enabled by default; therefore you need to explicitly enable it."

Please can we reference which Forseti config file to update. Probably just easier to link to the latest template to make it clear.

Update Forseti CV documentation

  • Review current CV docs about scaling
  • Update or remove content that is outdated or has changed.

I don't think this data is up to date with core Forseti configurations as of late. I believe we have increased the standard VM sizes by default. Also there is work to page data into CV from Forseti which is to be released soon.

Can you please review the content here and ensure it is accurate or can be removed.

https://github.com/forseti-security/policy-library/blob/master/docs/user_guide.md#how-to-handle-scaling-for-large-resource-sets

How to handle scaling for large resource sets

If you want to scale for large resource sets, you need to add more RAM to your server. Upgrading the Forseti server VM to n1-standard-4 (15GB of RAM) should be able to handle most use cases. Depending on the state and size of your data, this may trigger a large number of violations. Currently GRPC has a payload size limitation of 4MB. If a scanner run results in > 4MB of violation data to be generated, that will result in an error.

In the future, we will consider the following changes:

  • Use streaming GRPC or paging the violation results.
  • Split the dataset into multiple chunks and process them separately.

Deployment Manager support

Are you planning to support the Deployment Manager? If yes, do you have a schedule? Otherwise, do you need contributions?

Add policy annotations to all GKE hardening related polices

Based on go/policy-bundles - the recommended annotations would look something like:
bundles.validator.forsetisecurity.org/[bundle_key]: [control]

Please add details for all GKE Hardening Policies
Example:
description: Disable the Kubernetes web UI (Dashboard)
bundles.validator.forsetisecurity.org/gke-hardening-guideline:

Config Validator can't load constraint templates if not properly formatted.

ERROR: logging before flag.Parse: I0504 21:52:50.367499   89673 validator.go:116] Unable to convert file policies/templates/gcp_dnssec_v1.yaml, with error unmarshal []byte to yaml failed: yaml: line 47: did not find expected key, assuming this file should be skipped and continuing
ERROR: logging before flag.Parse: I0504 21:52:50.367798   89673 validator.go:116] Unable to convert file policies/templates/gcp_gke_dashboard_v1.yaml, with error unmarshal []byte to yaml failed: yaml: line 49: did not find expected key, assuming this file should be skipped and continuing 

Empty target not supported

The default target (if unspecified) should be organizations/* and match everything.

However, this isn't working. A constraint like this returns no violations:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPAlwaysViolatesConstraintV1
metadata:
  name: always_violates_all
spec:
  constraintVersion: 0.1.0
  severity: high
  parameters: {}

If I add the target, it works:

# Copyright 2019 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPAlwaysViolatesConstraintV1
metadata:
  name: always_violates_all
spec:
  constraintVersion: 0.1.0
  match:
    target: ["organization/*"]
  severity: high
  parameters: {}

Template for whitelisting selected IAM roles

We would like to have a template which allows only selected roles for given users. All other IAM bindings should be reported as violations. So instead of blacklisting all other roles, we would like to whitelist only a few of them.

Example:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedRolesConstraintV1
metadata:
  name: whitelist_roles
  annotations:
    description: Only test.com groups can have appengine.appViewer and logging.viewer roles. All others bindings are not allowed.
spec:
  severity: high
  match:
    target: ["organization/*"]
    exclude: [] # optional, default is no exclusions
  parameters:
    role:
    - roles/appengine.appViewer
    - roles/logging.viewer
    members:
    - "group:*@test.com"

Add Annotations to All the Policy Libraries

Similar to #180, we should add annotations that are related to Forseti, GKE, CIS, as these will make the policies much easier to be discoverable.

Please see #180 for example of what the annotation schema should be.

It was mentioned at the rego meeting that @charliewolf can do this.

Cloud SQL Location vs Region

It appears that the template file is looking for a location setting but the CAI only returns regions and zones:

[
  {
    "name": "<redacted>",
    "asset_type": "sqladmin.googleapis.com/Instance",
    "ancestry_path": "<redacted>",
    "resource": {
      "version": "v1beta4",
      "discovery_document_uri": "https://www.googleapis.com/discovery/v1/apis/sqladmin/v1beta4/rest",
      "discovery_name": "DatabaseInstance",
      "parent": "//cloudresourcemanager.googleapis.com/projects/scalesec-dev",
      "data": {
        "databaseVersion": "POSTGRES_9_6",
        "name": "master-instance",
        "project": "scalesec-dev",
        "region": "us-central1",
        "settings": {
          "locationPreference": {
            "zone": "us-central1-a"
          },
          "pricingPlan": "PER_USE",
          "replicationType": "SYNCHRONOUS",
          "storageAutoResize": true,
          "tier": "db-f1-micro"
        }
      }
    }
  }
]

Template:

deny[{
	"msg": message,
	"details": metadata,
}] {
	constraint := input.constraint
	lib.get_constraint_params(constraint, params)

	asset := input.asset
	asset.asset_type == "storage.googleapis.com/Bucket"

	# Check if resource is in exempt list
	exempt_list := params.exemptions
	matches := {asset.name} & cast_set(exempt_list)
	count(matches) == 0

	# Check that location is in allowlist/denylist
	target_locations := params.locations
	asset_location := asset.resource.data.location
	location_matches := ({upper(asset_location)} & cast_set(target_locations)) | ({lower(asset_location)} & cast_set(target_locations))
	target_location_match_count(params.mode, desired_count)
	count(location_matches) == desired_count

	message := sprintf("%v is in a disallowed location.", [asset.name])
	metadata := {"location": asset_location, "resource": asset.name}
}

Tf code:

variable project {}

provider "google" {
  project = "${var.project}"
  region  = "us-central1"
}

resource "google_sql_database_instance" "master" {
  name             = "master-instance"
  database_version = "POSTGRES_9_6"
  region           = "us-central1"

  settings {
    # Second-generation instance tiers are based on the machine
    # type. See argument reference below.
    tier = "db-f1-micro"
    location_preference {
      zone = "us-central1-a"
    }
  }
}

The documentation does talk about Cloud SQL "Locations": https://cloud.google.com/storage/docs/locations

but that does not match up with Terraform's settings: https://www.terraform.io/docs/providers/google/r/sql_database_instance.html#region

iam_restrict_role rule in whitelisting mode doesn't work

I'm trying to use iam_restrict_role in whitelisting mode, but it doesn't generate any violations.

Here's my rule config:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPIAMAllowedBindingsConstraintV1
metadata:
  name: whitelist_viewer_role
  annotations:
    description: All projects must have viewer
spec:
  severity: high
  match:
    target: ["organization/*"]
    exclude: [] # optional, default is no exclusions
  parameters:
    mode: whitelist
    role: roles/viewer
    members:
    - "*"

Terraform config file:

provider "google" {
  version = "~> 2"
  project = "project-id"
}

resource "google_project_iam_member" "project" {
  project = "project-id"
  role    = "roles/editor"
  member  = "user:[email protected]"
}

The GCP project id which I'm using doesn't have any Viewer configured. As I understand it, I should get a violation because there is no viewer role configured on my project. Is my understanding correct?

I'm using the following versions:

Terraform v0.11.14
+ provider.google v2.10.0

and Terraform validator in version: Build version: 2019-06-19

Add CI support

We should add CI testing for all incoming pull requests. It should include:

  • Running make test to test OPA files (unit test)
  • Integrating testing with the config-validator or terraform-validator binaries to ensure templates can be successfully loaded and used

Compute Zone Not Violating

Afternoon,

I am working on the compute engine zone constraint and have tried denylist and allowlist.

constraint:

apiVersion: constraints.gatekeeper.sh/v1alpha1
kind: GCPComputeZoneConstraintV1
metadata:
  name: compute_zone_denylist_one
spec:
  severity: high
  match:
    target: ["organization/*"]
  parameters:
    mode: "denylist"
    zones:
      - asia-east1-b
    exemptions: []

tf code:

variable project {}

provider "google" {
  project = "${var.project}"
  region = "asia-east1"
}

resource "google_compute_instance" "common" {
    name         = "test-instance"
    machine_type = "n1-standard-1"
    zone = "asia-east1-b"

    boot_disk {
      initialize_params {
        image = "debian-cloud/debian-9"
      }
    }

    network_interface {
      network = "default"
    }
}

template is gcp_compute_zone_v1.yaml

Any insight into why this might not be marking as violation?
