diff --git a/charts/best-practices-ecs-tf-config/Chart.yaml b/charts/best-practices-ecs-tf-config/Chart.yaml
new file mode 100644
index 00000000..be642e19
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: best-practices-ecs-tf-config
+description: Best practices ECS terraform config policy set
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/
diff --git a/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml b/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml
new file mode 100644
index 00000000..70a77637
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml
@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-awsvpc-network-mode
+  labels:
+    ecs.aws.network.kyverno.io: awsvpc
+  annotations:
+    policies.kyverno.io/title: Check awsvpc network mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The awsvpc network mode restricts the flow of traffic between different
+      tasks or between your tasks and other services that run within your Amazon VPC.
+      The awsvpc network mode provides task-level network isolation for tasks
+      that run on Amazon EC2.
+spec:
+  rules:
+    - name: check-awsvpc-network-mode
+      match:
+        all:
+          - ($analyzer):
+              resource:
+                type: terraform-config
+          - (resource.aws_ecs_task_definition && length(resource.aws_ecs_task_definition) > `0`): true
+      assert:
+        all:
+          - message: ECS services and tasks are required to use awsvpc network mode.
+            check:
+              resource:
+                ~.(aws_ecs_task_definition):
+                  ~.(@):
+                    network_mode: awsvpc
\ No newline at end of file
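Review bot: The assertion `network_mode: awsvpc` at the end of the check-aws-vpc-network-mode.yaml hunk is a literal comparison, so a task definition that omits `network_mode` (which ECS defaults to `bridge` for the EC2 launch type) or sets it from a variable is presumably reported with the same generic message as one that explicitly selects another mode; the description should say so, e.g. add `Task definitions must set network_mode explicitly; an omitted or variable-driven value is reported as non-compliant.` The description also frames the isolation as applying to tasks that run on Amazon EC2, while the match selects every aws_ecs_task_definition, including Fargate definitions where awsvpc is the only valid mode, so the stated scope is narrower than what the rule enforces. The `labels` block with `ecs.aws.network.kyverno.io: awsvpc` appears only on this policy and not on the sibling validate-ecs-container-insights-enabled policy in the same chart; either apply the labelling convention to both or drop it here. The Chart.yaml hunk on the same line is chart metadata only.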
diff --git a/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml b/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml
new file mode 100644
index 00000000..4749754d
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml
@@ -0,0 +1,29 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-container-insights-enabled
+  annotations:
+    policies.kyverno.io/title: Validate ECS container insights are enabled
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This Policy ensures that ECS clusters have container
+      insights enabled.
+spec:
+  rules:
+    - name: container-insights
+      match:
+        all:
+          - ($analyzer):
+              resource:
+                type: terraform-config
+          - (resource.aws_ecs_cluster && length(resource.aws_ecs_cluster) > `0`): true
+      assert:
+        all:
+          - message: ECS container insights are not enabled
+            check:
+              resource:
+                ~.(aws_ecs_cluster):
+                  ~.(@):
+                    (setting[?name == 'containerInsights']):
+                      - value: enabled
\ No newline at end of file
diff --git a/charts/best-practices-ecs-tf-config/templates/club-pols.yaml b/charts/best-practices-ecs-tf-config/templates/club-pols.yaml
new file mode 100644
index 00000000..c3c51aa7
--- /dev/null
+++ b/charts/best-practices-ecs-tf-config/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ := .Files.Glob "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/best-practices-ecs-tf-config/values.yaml b/charts/best-practices-ecs-tf-config/values.yaml
new file mode 100644
index 00000000..e69de29b
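Review bot: The assertion `- value: enabled` in validate-ecs-container-insights-enabled.yaml pins the containerInsights setting to exactly `enabled`, so a cluster configured with the newer `enhanced` value, which also turns Container Insights on, is flagged as non-compliant. If that is not intended, `- (value == 'enabled' || value == 'enhanced'): true` accepts both while keeping the parenthesised-expression form the match block already relies on. A cluster with no `setting` block presumably fails as well, since the filter expression then yields null rather than a one-element list; that is the desired outcome, but the description should state that an absent setting counts as disabled. The rule is named `container-insights` while the sibling check-aws-vpc-network-mode policy names its rule after the policy; pick one convention for the chart.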