A resource policy evaluation library
Project description
resource-policy-evaluation-library
The resource-policy-evaluation-library (rpe-lib) evaluates whether or not a given resource adheres to defined policies. It also attempts to remediate any policy violations.
Resources
The library works on resources
and expects a fairly simple interface to any resource you wish to evaluate policy on. It expects an object with the following functions defined:
class MyResource:
# Returns the body of a given resource as a dictionary
def get(self):
pass
# Takes the body of a resource, and attempts to update the resource
def update(self, body):
pass
# Returns the resource type as a string
# Note: This should be a dotted-string that the engines will use to determine what policies are relevant
type(self):
pass
Some resources are provided with rpe-lib, and hopefully that will continue to grow, but it's not required that you use the provided resource classes.
Engines
Policy evaluation/enforcement is handled by the policy engines:
Open Policy Agent Engine
The OPA engine evaluates policy against resources using an Open Policy Agent server. Policies need to be namespaced properly for the OPA Engine to locate them, and evaluate policy properly. Note: This won't work in cases where policy enforcement is more complicated that minor edits to the body of the resource. All remediation is implemented in OPA's policy language Rego
.
The policies should be namespaced as <resource.type()>.policy.<policy_name>
. For example, the micromanager.resources.gcp.GcpSqlInstance
resource has a type of gcp.sqladmin.instances
, so a policy requiring backups to be enabled might be namespaced gcp.sqladmin.instances.policy.backups
. The policy should implement the following rules:
valid
: . Returns true if the provided resource adheres to the policyremediate
: . Returns theinput
resource altered to adhere to policyFor each resource.type() you also need to define a
policies
rule and aviolations
rule. This allows the OPA engine to query all violations for a given resource type in a single API call. These probably wont need to change, other than the package name, and look like this (again with themicromanager.resources.gcp.GcpSqlInstance
example):package gcp.sqladmin.instances policies [policy_name] { policy := data.gcp.sqladmin.instances.policy[policy_name] } violations [policy_name] { policy := data.gcp.sqladmin.instances.policy[policy_name] policy.valid != true }
Examples
Using the OPA engine
This assumes you have the
opa
binary in your path# First, start opa with our policies opa run --server ./policy/
Now we need to create an RPE instance with the opa engine configured to use the local OPA server:
from rpe import RPE config = { 'policy_engines': [ { 'type': 'opa', 'url': 'http://localhost:8181/v1/data' } ] } # Create a resource object with details about the resource we want to evaluate res = Resource.factory( 'gcp', { 'resource_name':'my-sql-instance-name', 'project_id':'my-gcp-project', 'resource_type':'sqladmin.instances' }, credentials=<gcp-credentials> ) rpe = RPE(config) violations = rpe.violations(res) for (engine, violation) in violations: print(engine, violation) engine.remediate(res, violation)
Uses
- Forseti Real-time Enforcer - The Forseti Real-time enforcer uses rpe-lib for the evaluation and enforcement of policy for Google Cloud resources. It uses a Stackdriver log export to a Pub/Sub topic to trigger enforcement.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.