Using Wildcards

[l3112]

I have a policy (that works!) -- How would one implement wildcards so that it is read?

allow[msg] bucket := input.aws.s3.buckets[_] bucket.name.value == "comp-"_

Allow buckets if they start with comp-
The buckets should always start with comp-, everything after the dash can be whatever.

I did see that ( _ ) is used, and when I tried variations in line 3, the underscore is always considered an error or unsafe except the following;

bucket.name.value == ["comp"][_]

and that doesn't give me the results needed.

[anderseknert]

Hi @l3112!

The wildcard can't be used in strings like that. I assume you want to test that any bucket name starts with "comp-"? A rule could then use the startswith built-in function:

allow {
    bucket := input.aws.s3.buckets[_]
    startswith(bucket.name.value, "comp-")
}

If you're requirement is that every bucket name starts with "comp-", you could use the every construct, like:

import future.keywords.every

allow {
    every bucket in input.aws.s3.buckets {
    	startswith(bucket.name.value, "comp-") 
    }
}

Obviously might look somewhat different depending on your requirements, but that should be somewhere to start from :)

[anderseknert]

result.new is not a function OPA provides, so I don't know what that does. What does the whole rule look like?

[l3112]

package custom.aws.s3.no_insecure_buckets

import future.keywords.every

allow {
    every bucket in input.aws.s3.buckets {
    	startswith(bucket.name.value, "comp-") #change what's in quotes
    }
}


deny[msg] {
    every bucket in input.aws.s3.buckets {
    	not startswith(bucket.name.value, "comp-") 
    }
    msg := "Bucket name should start with  'comp-'"}`

I was looking at the follow code from here as an example;

`package custom.aws.s3.no_insecure_buckets

import data.lib.result

deny[res] {
    bucket := input.aws.s3.buckets[_]
    bucket.name.value == "insecure-bucket"
    msg := "Bucket name should not be 'insecure-bucket'"
    res := result.new(msg, bucket.name)
}`

[anderseknert]

Gotcha! That looks like something specific to tfsec, so unless you're writing policy for that context, that function isn't going to work. You could still return the name of the bucket for each violation:

deny[msg] {
    bucket := input.aws.s3.buckets[_]
    not startswith(bucket.name.value, "comp-") 
    msg := sprintf("Bucket name %q does not start with 'comp-'", [bucket.name.value])
}

If you are writing policy in that context, you'd need to check with the tfsec people how it's meant to work. I have no idea :)

[l3112]

Yep, it's tfsec, thank you for all your help!

[anderseknert]

Looks like you were missing their import:

import data.lib.result

Perhaps it was just that?