-
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
disallow environment variables from Secret Manager
Signed-off-by: Aleksandar Stojanov <[email protected]>
- Loading branch information
Showing
13 changed files
with
175 additions
and
98 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,32 @@ | ||
| export * as cloudrunService from "./disallowPublicIngress" | ||
| import * as gcp from "@pulumi/gcp"; | ||
|
|
||
| export const cloudrunPService = new gcp.cloudrun.Service("fail#1", { | ||
| location: "europe-west1", | ||
| metadata: { | ||
| annotations: { | ||
| "run.googleapis.com/ingress": "all", | ||
| }, | ||
| }, | ||
| template: { | ||
| spec: { | ||
| containers: [{ | ||
| image: "us-docker.pkg.dev/cloudrun/container/hello", | ||
| envs: [ | ||
| { | ||
| name: "FOO", | ||
| value: "bar", | ||
| }, | ||
| { | ||
| name: "SECRET_ENV_VAR", | ||
| valueFrom: { | ||
| secretKeyRef: { | ||
| name: "my-secret", | ||
| key: "1", | ||
| }, | ||
| }, | ||
| }, | ||
| ], | ||
| }], | ||
| }, | ||
| } | ||
| }); |
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,53 @@ | ||
| export * as cloudrunV2Service from "./disallowPublicIngress" | ||
| import * as gcp from "@pulumi/gcp"; | ||
|
|
||
| export const cloudrunv2Service = new gcp.cloudrunv2.Service("fail#1", { | ||
| location: "europe-west1", | ||
| ingress: "INGRESS_TRAFFIC_ALL", | ||
| template: { | ||
| containers: [{ | ||
| image: "us-docker.pkg.dev/cloudrun/container/hello", | ||
| envs: [ | ||
| { | ||
| name: "FOO", | ||
| value: "bar", | ||
| }, | ||
| { | ||
| name: "SECRET_ENV_VAR", | ||
| valueSource: { | ||
| secretKeyRef: { | ||
| secret: "my-secret", | ||
| version: "1", | ||
| }, | ||
| }, | ||
| }, | ||
| ], | ||
| }], | ||
| }, | ||
| }); | ||
|
|
||
| export const cloudrunv2SJob = new gcp.cloudrunv2.Job("fail#1", { | ||
| location: "europe-west1", | ||
| template: { | ||
| template: { | ||
| containers: [{ | ||
| image: "us-docker.pkg.dev/cloudrun/container/hello", | ||
| envs: [ | ||
| { | ||
| name: "FOO", | ||
| value: "bar", | ||
| }, | ||
| { | ||
| name: "SECRET_ENV_VAR", | ||
| valueSource: { | ||
| secretKeyRef: { | ||
| secret: "my-secret", | ||
| version: "1", | ||
| }, | ||
| }, | ||
| }, | ||
| ], | ||
| }], | ||
| }, | ||
| }, | ||
| }); | ||
|
|
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1 +1,6 @@ | ||
| export * as backendService from "./backendService" | ||
| import * as gcp from "@pulumi/gcp"; | ||
|
|
||
| export const backendService = new gcp.compute.BackendService("fail#1", { | ||
| name: "fail#1", | ||
| loadBalancingScheme: "EXTERNAL" | ||
| }); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,3 @@ | ||
| export * as cloudrun from './cloudrun/index' | ||
| export * as cloudrunv2 from './cloudrunv2/index' | ||
| export * as compute from './compute/index' | ||
| export * as cloudrun from './cloudrun' | ||
| export * as cloudrunv2 from './cloudrunv2' | ||
| export * as compute from './compute' |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy"; | ||
|
|
||
| export const disallowEnvsSecrets = { | ||
| name: "cloudrun-service-disallow-envs-secrets", | ||
| description: "Check that CloudRun services do not use environment variables from secrets.", | ||
| enforcementLevel: "advisory" as EnforcementLevel, | ||
| validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => { | ||
| if (args.type === "gcp:cloudrun/service:Service") { | ||
| const containers = args.props.template.spec.containers; | ||
| if (containers) { | ||
| containers.forEach((container: any) => { | ||
| if (container.envs) { | ||
| container.envs.forEach((env: any) => { | ||
| if (env?.valueFrom?.secretKeyRef) { | ||
| reportViolation( | ||
| "CloudRun services should use secrets as mounted volumes." | ||
| ); | ||
| } | ||
| }); | ||
| } | ||
| }); | ||
| } | ||
| } | ||
| }, | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,7 @@ | ||
| import { disallowPublicIngress } from "./disallowPublicIngress"; | ||
| import { disallowEnvsSecrets } from "./disallowEnvsSecrets"; | ||
|
|
||
| export const cloudrunPolicies = [ | ||
| disallowEnvsSecrets, | ||
| disallowPublicIngress, | ||
| ]; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,49 @@ | ||
| import { ResourceValidationArgs, ReportViolation, EnforcementLevel } from "@pulumi/policy"; | ||
|
|
||
| export const serviceDisallowEnvsSecrets = { | ||
| name: "cloudrunv2-service-disallow-envs-secrets", | ||
| description: "Check that CloudRun2 services do not use environment variables from secrets.", | ||
| enforcementLevel: "advisory" as EnforcementLevel, | ||
| validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => { | ||
| if (args.type === "gcp:cloudrunv2/service:Service") { | ||
| const containers = args.props.template.containers; | ||
| if (containers) { | ||
| containers.forEach((container: any) => { | ||
| if (container.envs) { | ||
| container.envs.forEach((env: any) => { | ||
| if (env?.valueSource?.secretKeyRef) { | ||
| reportViolation( | ||
| "CloudRun2 services should use secrets as mounted volumes." | ||
| ); | ||
| } | ||
| }); | ||
| } | ||
| }); | ||
| } | ||
| } | ||
| }, | ||
| } | ||
|
|
||
| export const jobDisallowEnvsSecrets = { | ||
| name: "cloudrunv2-job-disallow-envs-secrets", | ||
| description: "Check that CloudRun2 jobs do not use environment variables from secrets.", | ||
| enforcementLevel: "advisory" as EnforcementLevel, | ||
| validateResource: (args: ResourceValidationArgs, reportViolation: ReportViolation) => { | ||
| if (args.type === "gcp:cloudrunv2/job:Job") { | ||
| const containers = args.props.template.template.containers; | ||
| if (containers) { | ||
| containers.forEach((container: any) => { | ||
| if (container.envs) { | ||
| container.envs.forEach((env: any) => { | ||
| if (env?.valueSource?.secretKeyRef) { | ||
| reportViolation( | ||
| "CloudRun2 jobs should use secrets as mounted volumes." | ||
| ); | ||
| } | ||
| }); | ||
| } | ||
| }); | ||
| } | ||
| } | ||
| }, | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,8 @@ | ||
| import { disallowPublicIngress } from "./disallowPublicIngress"; | ||
| import { serviceDisallowEnvsSecrets, jobDisallowEnvsSecrets } from "./disallowEnvsSecrets"; | ||
|
|
||
| export const cloudrunv2Policies = [ | ||
| serviceDisallowEnvsSecrets, | ||
| jobDisallowEnvsSecrets, | ||
| disallowPublicIngress, | ||
| ]; |