nirmata · pns-nirmata · May 31, 2024 · May 30, 2024
diff --git a/charts/best-practices-ecs-tf-config/Chart.yaml b/charts/best-practices-ecs-tf-config/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: best-practices-ecs-tf-config
+description: Best practices ECS terraform config policy set
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+  - kubernetes
+  - nirmata
+  - kyverno
+  - policy
+maintainers:
+  - name: Nirmata
+    url: https://nirmata.com/
diff --git a/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml b/charts/best-practices-ecs-tf-config/pols/check-aws-vpc-network-mode.yaml
@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-awsvpc-network-mode
+  labels:
+    ecs.aws.network.kyverno.io: awsvpc
+  annotations:
+    policies.kyverno.io/title: Check awsvpc network mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The awsvpc network mode restricts the flow of traffic between different 
+      tasks or between your tasks and other services that run within your Amazon VPC.
+      The awsvpc network mode provides task-level network isolation for tasks 
+      that run on Amazon EC2.
+spec:
+  rules:
+    - name: check-awsvpc-network-mode
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (resource.aws_ecs_task_definition && length(resource.aws_ecs_task_definition) > `0`): true
+      assert:
+        all:
+        - message: ECS services and tasks are required to use awsvpc network mode.
+          check:
+            resource:
+              ~.(aws_ecs_task_definition):
+                ~.(@):
+                  network_mode: awsvpc
diff --git a/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml b/charts/best-practices-ecs-tf-config/pols/validate-ecs-container-insights-enabled.yaml
@@ -0,0 +1,29 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-container-insights-enabled
+  annotations:
+    policies.kyverno.io/title: Validate ECS container insights are enabled
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This Policy ensures that ECS clusters have container
+      insights enabled.
+spec:
+  rules:
+    - name: container-insights
+      match:
+        all:
+        - ($analyzer):
+            resource:
+              type: terraform-config
+        - (resource.aws_ecs_cluster && length(resource.aws_ecs_cluster) > `0`): true
+      assert:
+        all:
+        - message: ECS container insights are not enabled
+          check:
+            resource:
+              ~.(aws_ecs_cluster):
+                ~.(@):
+                  (setting[?name == 'containerInsights']):
+                    - value: enabled
diff --git a/charts/best-practices-ecs-tf-config/templates/club-pols.yaml b/charts/best-practices-ecs-tf-config/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ :=  .Files.Glob  "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/best-practices-ecs-tf-config/values.yaml b/charts/best-practices-ecs-tf-config/values.yaml