feat: added sqs sub-chart for cloud-controls

Signed-off-by: Sanskar Sharma <[email protected]>
nirmata · Jan 31, 2025 · 37e22b1 · 37e22b1
1 parent 990165c
commit 37e22b1
Show file tree

Hide file tree

Showing 7 changed files with 165 additions and 0 deletions.
diff --git a/charts/cloud-controls/Chart.yaml b/charts/cloud-controls/Chart.yaml
@@ -28,3 +28,7 @@ dependencies:
     condition: aws-apigateway-best-practices.enabled
     version: 0.0.1
     repository: file://charts/apigateway
+  - name: aws-sqs-best-practices
+    condition: aws-sqs-best-practices.enabled
+    version: 0.0.1
+    repository: file://charts/sqs
diff --git a/charts/cloud-controls/charts/sqs/.helmignore b/charts/cloud-controls/charts/sqs/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/cloud-controls/charts/sqs/Chart.yaml b/charts/cloud-controls/charts/sqs/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: aws-sqs-best-practices
+description: Aws SQS Best Practices CloudController Policy Set
+type: application
+version: 0.0.1
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+  - cloud-controller
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/
diff --git a/charts/cloud-controls/charts/sqs/templates/check-message-retention-period.yaml b/charts/cloud-controls/charts/sqs/templates/check-message-retention-period.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkMessageRetentionPeriod" }}
+{{- $name := "check-message-retention-period" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+        policies.kyverno.io/title: check-message-retention-period
+        policies.kyverno.io/category: AWS SQS Best Practices
+        policies.kyverno.io/severity: medium
+        policies.kyverno.io/description: >-
+          This policy checks whether Message Retention Period is under 4 Days.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.queueName
+      match:
+        all:
+        - (metadata.provider): "AWS"
+        - (metadata.service): "SQS"
+        - (metadata.resource): "Queue"
+      context:
+      - name: messageRetentionPeriod
+        variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "messageRetentionPeriod" }}{{ index (index .Values $camelCaseName) "messageRetentionPeriod" }}{{ else }}345600{{ end }}{{ else }}345600{{ end }}
+      assert:
+        all:
+        - message: The MessageRetentionPeriod is more than 4 Days.
+          check:
+            payload:
+              (messageRetentionPeriod <= $messageRetentionPeriod): true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/sqs/templates/check-receive-message-wait-time.yaml b/charts/cloud-controls/charts/sqs/templates/check-receive-message-wait-time.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkReceiveMessageWaitTime" }}
+{{- $name := "check-receive-message-wait-time" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+        policies.kyverno.io/title: check-receive-message-wait-time
+        policies.kyverno.io/category: AWS SQS Best Practices
+        policies.kyverno.io/severity: medium
+        policies.kyverno.io/description: >-
+          This policy checks whether Receive Message Wait Time is less than 5 sec.
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.queueName
+      match:
+        all:
+        - (metadata.provider): "AWS"
+        - (metadata.service): "SQS"
+        - (metadata.resource): "Queue"
+      context:
+      - name: receiveMessageWaitTimeSeconds
+        variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "receiveMessageWaitTimeSeconds" }}{{ index (index .Values $camelCaseName) "receiveMessageWaitTimeSeconds" }}{{ else }}5{{ end }}{{ else }}5{{ end }}
+      assert:
+        all:
+        - message: The Receive Message Wait Time is less than 5 sec.
+          check:
+            payload:
+              (receiveMessageWaitTimeSeconds >= $receiveMessageWaitTimeSeconds): true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/charts/sqs/templates/check-visiblity-timeout.yaml b/charts/cloud-controls/charts/sqs/templates/check-visiblity-timeout.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.enabled }}
+{{- $camelCaseName := "checkVisiblityTimeout" }}
+{{- $name := "check-visiblity-timeout" }}
+{{- if not (has $name .Values.disabledPolicies) }}
+apiVersion: {{ .Values.global.apiVersion | default "nirmata.io/v1alpha1" }}
+kind: {{ .Values.global.policyKind | default "ValidatingPolicy" }}
+metadata:
+  name: {{ $name }}
+  annotations:
+        policies.kyverno.io/title: check-visiblity-timeout
+        policies.kyverno.io/category: AWS SQS Best Practices
+        policies.kyverno.io/severity: medium
+        policies.kyverno.io/description: >-
+          Check if the VisiblityTimemout is greater than 30 sec or not
+  labels:
+    app: kyverno
+spec:
+  failureAction: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "failureAction" }}{{ index (index .Values $camelCaseName) "failureAction" }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}{{ else }}{{ .Values.failureAction | default "Audit" }}{{ end }}
+  scan: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "scanner" }}{{ index (index .Values $camelCaseName) "scanner" }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}{{ else if hasKey .Values "scanner" }}{{ .Values.scanner }}{{ else }}true{{ end }}
+  admission: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "admission" }}{{ index (index .Values $camelCaseName) "admission" }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}{{ else if hasKey .Values "admission" }}{{ .Values.admission }}{{ else }}true{{ end }}
+  rules:
+    - name: {{ $name }}
+      identifier: payload.queueName
+      match:
+        all:
+        - (metadata.provider): "AWS"
+        - (metadata.service): "SQS"
+        - (metadata.resource): "Queue"
+      context:
+      - name: visibilityTimeout
+        variable: {{ if hasKey .Values $camelCaseName }}{{ if hasKey (index .Values $camelCaseName) "visibilityTimeout" }}{{ index (index .Values $camelCaseName) "visibilityTimeout" }}{{ else }}30{{ end }}{{ else }}30{{ end }}
+      assert:
+        all:
+        - message: The Visiblity Timemout is more than 30 sec.
+          check:
+            payload:
+              (visibilityTimeout <= $visibilityTimeout): true
+{{- end }}
+{{- end }}
diff --git a/charts/cloud-controls/values.yaml b/charts/cloud-controls/values.yaml
@@ -36,6 +36,13 @@ aws-apigateway-best-practices:
     burstLimit: 1500
     rateLimit: 2000
 
+aws-sqs-best-practices:
+  failureAction: Audit
+  enabled: true
+  scanner: true
+  admission: true
+  disabledPolicies: []
+
 global:
   policyKind: ValidatingPolicy
   apiVersion: nirmata.io/v1alpha1