Examples of IaC custom rules

Example of a simple boolean rule

Assume you have generated a new rule, CUSTOM-RULE-1 using the SDK , that is, snyk-iac-rules template --rule CUSTOM-RULE-1 and have a very simple fixture file containing a Terraform resource:

resource "aws_redshift_cluster" "denied" {
  cluster_identifier = "tf-redshift-cluster"
  node_type          = "dc1.large"
  tags = {
  }
}

Now, modify the generated Rego to enforce resources tagged with an owner:

1. Create a variable [name] to enumerate across all of the aws_redshift_cluster resources. This variable can be named anything you like, for example, i, j, name, and so on.

2. Store this into the resource variable by assigning the value to it with a walrus operator :=; e.g. resource := input.resource.aws_redshift_cluster[name]

3. Check whether the owner tag exists for each resource; to do that, check if the path resource.tags.owner is defined. If it is undefined, it will evaluate as undefined. So, use the NOT keyword in front of it, which will evaluate to TRUE; for example,not resource.tags.owner

The modified Rego is:

package rules

deny[msg] {
    resource := input.resource.aws_redshift_cluster[name]
    not resource.tags.owner

    msg := {
        "publicId": "CUSTOM-RULE-1",
        "title": "Missing an owner from tag",
        "severity": "medium",
        "msg": sprintf("input.resource.aws_redshift_cluster[%s].tags", [name]),
        "issue": "",
        "impact": "",
        "remediation": "",
        "references": [],
    }
}

The test for this rule verifies that the Rego rule can identify that the fixture at the beginning of this guide is invalid:

Example with logical AND

Try and extend the preceding example and update the rule to allow all cases that satisfy two conditions:

1. A resource has an “owner” tag AND

2. A resource has a “description” tag

To test this new condition, generate a new rule CUSTOM-RULE-2 using the template command and write the following fixture file:

Joining multiple expressions together expresses logical AND.

• You can do this with the ; operator.

• Or, you can omit the ; (AND) operator by splitting expressions across multiple lines.

The test for this rule will look the same as the one for CUSTOM-RULE-1, but the name of the test and the first two arguments passed to the testing.evaluate_test_cases function will differ:

Example with logical OR

You can also rewrite the rule above by combining the NOT operator with the OR functionality.

Update the example in a new rule CUSTOM-RULE-3, to deny all cases that fail either of the two conditions, to deny all aws_redshift_cluster resources that are missing either:

1. an “owner” tag , OR

2. A “description” tag

For this, use two new fixture files, one for each case:

To express logical OR in Rego, define multiple rules or functions with the same name. This is also described in the OPA documentation for Logical OR.

First, add a function that will implement the NOT for each tag. Then, call this function with the resource:

This will successfully return all the rules that deny.

The test for this rule will now contain multiple test cases, to show that the logical OR works as expected:

Example with strings

Extend this further and add a third condition. Deny all resources that are missing any of the following:

1. An “owner” tag , OR

2. A “description” tag, OR

3. The email of the owner does not belong to the “@corp-domain.com” domain

The test for this rule will look very similar to the ones from previous example and will also require its own fixture file.

Example with XOR

Now assume you want to add more complexity and check the following:

• If the tag type is a “user”, then the tag “email” exists as well.

• If not, assuming the other type is a “service”, we want it has a serviceDescription.

• These two will be mutually exclusive; if the first condition applies, the second one does not, and vice versa.

To do this, refactor your code to use a checkTags helper function. This can check whether there are any tags, but also check for the two conditions above with an OR.

To convert this to an XOR you can use an else rule:

If you want to try it out yourselves, use the same example in this OPA Playground.

The test for this rule will look very similar to the ones from the previous example and will also require its own fixture file.

Examples with grouped resources

You can also iterate over many resources by adding them to an array of resources.

One way to leverage this is to implement denylist rules.

For example, you may want to ensure that if someone defines a Kubernetes ConfigMap, then they cannot use it to store sensitive information such as passwords, secret keys, and access tokens.

You can do that and expand what is defined as "sensitive information" over time by defining a group of sensitive tokens inside a denylist:

Any key containing the substrings "pass", "secret", "key", and "token" can be considered sensitive and so should not be included in the ConfigMap.