Adding terraform policies

controls/terraform-best-practices/check-awsvpc-network-mode.yaml

@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: check-awsvpc-network-mode
+  labels:
+    ecs.aws.network.kyverno.io: awsvpc
+  annotations:
+    policies.kyverno.io/title: Check awsvpc network mode
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      The awsvpc network mode restricts the flow of traffic between different 
+      tasks or between your tasks and other services that run within your Amazon VPC.
+      The awsvpc network mode provides task-level network isolation for tasks 
+      that run on Amazon EC2.
+spec:
+  rules:
+    - name: check-awsvpc-network-mode
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: ECS services and tasks are required to use awsvpc network mode.
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+                network_mode: awsvpc

controls/terraform-best-practices/validate-ecs-container-insights-enabled.yaml

@@ -0,0 +1,26 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-container-insights-enabled
+  annotations:
+    policies.kyverno.io/title: Validate ECS container insights are enabled
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This Policy ensures that ECS clusters have container
+      insights enabled.
+spec:
+  rules:
+    - name: validate-ecs-container-insights-enabled
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_cluster'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: ECS container insights are not enabled
+          check:
+            ~.(planned_values.root_module.resources[?type == 'aws_ecs_cluster']):
+                values:
+                    (!setting): false
+                    ~.(setting || `[]`):
+                        value: enabled

controls/terraform-best-practices/validate-ecs-containers-nonprivileged-in-resource.yaml

@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-containers-nonprivileged-in-resource
+  annotations:
+    policies.kyverno.io/title: Validate ECS containers are set to non privileged.
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      When privileged is set to true, the container is given elevated permissions on the host container instance (similar to the root user). 
+      This policy checks if the privileged parameter in the container definition is set to false.
+spec:
+  rules:
+    - name: validate-ecs-containers-nonprivileged-in-resource
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0` ): true
+      assert:
+        any:
+        - check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+                values:
+                    ~.(json_parse(container_definitions)):
+                        (!!privileged): false
+          message: The `privileged` field, if present, should be set to `false`

controls/terraform-best-practices/validate-ecs-containers-nonprivileged.yaml

@@ -0,0 +1,31 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-containers-nonprivileged
+  annotations:
+    policies.kyverno.io/title: Validate ECS containers are set to non privileged.
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      When privileged is set to true, the container is given elevated permissions on the host container instance (similar to the root user). 
+      This policy checks if the privileged parameter in the container definition is set to false.
+spec:
+  rules:
+    - name: validate-ecs-containers-nonprivileged
+      match:
+        any:
+        - (configuration.root_module.module_calls.ecs_container_definition != null): true
+      assert:
+        any:
+        - check:
+            (configuration.root_module.module_calls.ecs_container_definition.expressions.privileged == null): true
+          message: Containers `privileged` must be set to `false`.
+        - check:
+            configuration:
+                root_module:
+                    module_calls:
+                        ecs_container_definition:
+                            expressions:
+                                privileged:
+                                    constant_value: false
+          message: Containers must be set to non privileged.

controls/terraform-best-practices/validate-ecs-containers-readonly.yaml

@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-containers-readonly
+  annotations:
+    policies.kyverno.io/title: Validate if ECS Containers only have read-only access to its root filesystems
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if ECS Containers only have read-only 
+      access to its root filesystems.
+spec:
+  rules:
+    - name: validate-ecs-containers-readonly
+      match:
+        any:
+        - (configuration.root_module.module_calls.ecs_container_definition.expressions | length(@) > `0`): true
+      assert:
+        any:
+        - check:
+            (configuration.root_module.module_calls.ecs_container_definition.expressions.readonly_root_filesystem == null): true
+          message: >-
+            ECS Containers should have read-only access to its root filesystems
+        - check:
+            configuration:
+                root_module:
+                    module_calls:
+                        ecs_container_definition:
+                            expressions:
+                                readonly_root_filesystem:
+                                    constant_value: true
+          message: >-
+            `readonly_root_filesystem` should be set to `true`

controls/terraform-best-practices/validate-ecs-task-definition-log-configuration copy.yaml

@@ -0,0 +1,26 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-log-configuration
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task definition log configuration
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Checks if logConfiguration is set on active ECS Task Definitions.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-log-configuration
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: logConfiguration is not set for active ECS Task Definitions
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+                values:
+                    ~.(json_parse(container_definitions)):
+                        (!logConfiguration): false

controls/terraform-best-practices/validate-ecs-task-definition-log-configuration.yaml

@@ -0,0 +1,32 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-log-configuration
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task definition log configuration
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if the ECS TaskDefiniteion does not have the 
+      logConfiguration resource defined or the value for logConfiguration 
+      is null in at least one container definition.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-log-configuration
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_service'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: logConfiguration is not defined for active ECS Task Definitions
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_service']):
+                values:
+                    (!service_connect_configuration): false
+        - message: logConfiguration is not set on active ECS Task Definitions
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_service']):
+                ~.(values.service_connect_configuration || `[]`):
+                    (!log_configuration): false

controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit copy.yaml

@@ -0,0 +1,27 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-memory-hard-limit
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Memory Hard Limit
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if Amazon Elastic Container Service
+      (ECS) task definitions have a set memory limit for its container definitions.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-memory-hard-limit
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] != null): true
+      assert:
+        all:
+        - message: Memory limit for container definitions should be set
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+                values:
+                    ~.(json_parse(container_definitions)):
+                        (!memory): false

controls/terraform-best-practices/validate-ecs-task-definition-memory-hard-limit.yaml

@@ -0,0 +1,25 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-memory-hard-limit
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition Memory Hard Limit
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if Amazon Elastic Container Service
+      (ECS) task definitions have a set memory limit for its container definitions.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-memory-hard-limit
+      match:
+        any:
+        - (configuration.root_module.module_calls.ecs_container_definition.expressions | length(@) > `0`): true
+      assert:
+        all:
+        - message: Memory limit for container definitions should be set.
+          check:
+            (configuration.root_module.module_calls.ecs_container_definition.expressions):
+                (!memory): false

controls/terraform-best-practices/validate-ecs-task-definition-nonroot-user.yaml

@@ -0,0 +1,35 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-nonroot-user
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task definition nonroot user for EC2 instances
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy checks if ECSTaskDefinitions specify a user for 
+      Amazon Elastic Container Service (Amazon ECS) EC2 launch type 
+      containers to run on. The rule fails if the ‘user’ parameter is not present or set to ‘root’.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-nonroot-user
+      match:
+        all:
+        - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+        - ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+            values:
+                requires_compatibilities:
+                    (contains(@, 'EC2')): true
+      assert:
+        all:
+        - message: For ECS EC2 containers, `user` parameter should not be set to `root`
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition']):
+                values:
+                    ~.(json_parse(container_definitions)):
+                        (!user): false
+                        (starts_with(user || '', '0:') || ends_with(user || '', ':0')): false
+                        (user != null): true
+                        ((user != '0')): true

controls/terraform-best-practices/validate-ecs-task-definition-pid-mode-check.yaml

@@ -0,0 +1,24 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-pid-mode-check
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS task definition PID mode check
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy ensures that ECS task definitions do not share the host's process namespace
+spec:
+  rules:
+    - name: validate-ecs-task-definition-pid-mode-check
+      match:
+        any:
+        - (planned_values.root_module.resources[?type=='aws_ecs_task_definition'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: ECS task definitions shares the host's process namespace
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+                (pid_mode || 'task'): task

controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check-in-module.yaml

@@ -0,0 +1,30 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-user-for-host-mode-check-in-module
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition User for Host mode 
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy makes sure that ECS task definitions avoid using 
+      the root user for the host network mode or false privileges.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-user-for-host-mode-check-in-module
+      match:
+        any:
+        - (configuration.root_module.module_calls.ecs_container_definition.expressions.privileged):
+            constant_value: false
+      assert:
+        all:
+        - message: Specify a non-root user or group to avoid privilege escalation.
+          check:
+            (configuration.root_module.module_calls.ecs_container_definition.expressions):
+                (!user): false
+                user:
+                    (starts_with(constant_value || '', '0:') || ends_with(constant_value || '', ':0')): false
+                    (constant_value != null): true
+                    (constant_value != '0'): true

controls/terraform-best-practices/validate-ecs-task-definition-user-for-host-mode-check.yaml

@@ -0,0 +1,35 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: validate-ecs-task-definition-user-for-host-mode-check
+  labels:
+    ecs.aws.tags.kyverno.io: ecs-service
+  annotations:
+    policies.kyverno.io/title: Validate ECS Task Definition User for Host mode 
+    policies.kyverno.io/category: ECS Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      This policy makes sure that ECS task definitions avoid using 
+      the root user for the host network mode or false privileges.
+spec:
+  rules:
+    - name: validate-ecs-task-definition-user-for-host-mode-check
+      match:
+        any:
+        - ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+            network_mode: host
+        - ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'].values):
+            ~.(json_parse(container_definitions)):
+                privileged: false
+      assert:
+        all:
+        - message: User should be set to non-root user when using the host network mode or privileged set to false.
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_ecs_task_definition'] ):
+                values:
+                    ~.(json_parse(container_definitions)):
+                        (!user): false
+                        (starts_with(user || '', '0:') || ends_with(user || '', ':0')): false
+                        (user != null): true
+                        (user != '0'): true
+