-
Notifications
You must be signed in to change notification settings - Fork 0
/
ensure-vptm-enabled.sentinel
31 lines (24 loc) · 1.08 KB
/
ensure-vptm-enabled.sentinel
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# This policy uses the Sentinel tfplan/v2 import to require that
# all GCE instances have machine types from an allowed list
# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan
# Allowed GCE Instance Types
# Include "null" to allow missing or computed values
secure_boot = true
# Get all GCE instances
allGCEInstances = plan.find_resources("google_compute_instance")
# Filter to GCE instances with violations
# Warnings will be printed for all violations since the last parameter is true
violatingGCEInstances = plan.filter_attribute_is_not_value(allGCEInstances,
"shielded_instance_config.0.enable_vtpm", true, true)
violatingGCEInstances = plan.filter_attribute_is_not_value(allGCEInstances,
"shielded_instance_config.0.enable_integrity_monitoring", true, true)
print(violatingGCEInstances)
# Count violations
violations = length(violatingGCEInstances["messages"])
print(violations)
# Main rule
main = rule {
violations is 0
}