From fdc751d0c45565d5a60eed090c73b1e524045ef5 Mon Sep 17 00:00:00 2001
From: Anusha Hegde
Date: Fri, 31 May 2024 11:16:20 +0200
Subject: [PATCH] Add helm chart for S3 policies (#136)

These are sample S3 policies for terraform-config
---
 charts/best-practices-s3-tf-config/Chart.yaml | 14 ++++++++
 .../pols/disable-s3-acl.yaml | 30 +++++++++++++++++
 .../pols/enable-lifecycle-configuration.yaml | 30 +++++++++++++++++
 .../pols/enable-server-access-logging.yaml | 29 ++++++++++++++++
 .../pols/s3-cross-region-replication.yaml | 33 +++++++++++++++++++
 .../pols/s3-enable-versioning.yaml | 33 +++++++++++++++++++
 .../templates/club-pols.yaml | 4 +++
 .../best-practices-s3-tf-config/values.yaml | 0
 8 files changed, 173 insertions(+)
 create mode 100644 charts/best-practices-s3-tf-config/Chart.yaml
 create mode 100644 charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
 create mode 100644 charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
 create mode 100644 charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml
 create mode 100644 charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml
 create mode 100644 charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml
 create mode 100644 charts/best-practices-s3-tf-config/templates/club-pols.yaml
 create mode 100644 charts/best-practices-s3-tf-config/values.yaml
diff --git a/charts/best-practices-s3-tf-config/Chart.yaml b/charts/best-practices-s3-tf-config/Chart.yaml
new file mode 100644
index 00000000..920296fd
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: best-practices-s3-tf-config
+description: Best practices S3 terraform-config
+type: application
+version: 0.1.0
+appVersion: 0.1.0
+keywords:
+ - kubernetes
+ - nirmata
+ - kyverno
+ - policy
+maintainers:
+ - name: Nirmata
+ url: https://nirmata.com/
diff --git a/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml b/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
new file mode 100644
index 00000000..9d057641
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/disable-s3-acl.yaml
@@ -0,0 +1,30 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: disable-s3-access-control-list
+ annotations:
+ policies.kyverno.io/title: Disable S3 Access Control List
+ policies.kyverno.io/category: AWS S3 Security Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ S3 Object Ownership is an Amazon S3 bucket-level setting that
+ you can use to control ownership of objects uploaded to your bucket
+ and to disable or enable ACLs. By default, Object Ownership is set to
+ the Bucket owner enforced setting and all ACLs are disabled.
+ When ACLs are disabled, the bucket owner owns all the objects in the bucket
+ and manages access to data exclusively using access management policies.
+spec:
+ rules:
+ - name: disable-s3-access-control-list
+ match:
+ all:
+ - ($analyzer):
+ resource:
+ type: terraform-config
+ - (planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls' || type=='aws_s3_bucket'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Access Control List(ACL) should be disabled for an S3 Bucket
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls'].values.rule[]):
+ object_ownership: BucketOwnerEnforced
\ No newline at end of file
diff --git a/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml b/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
new file mode 100644
index 00000000..bb885f84
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/enable-lifecycle-configuration.yaml
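Review bot: The `~.` assertion in disable-s3-acl.yaml appears to pass vacuously when the plan contains an `aws_s3_bucket` but no `aws_s3_bucket_ownership_controls` resource, which is exactly the case this policy exists to catch: the match on `type=='aws_s3_bucket_ownership_controls' || type=='aws_s3_bucket'` admits such a plan, but iterating an empty list yields no assertion to fail. The four sibling pols guard this with an existence check before iterating; add the same here ahead of the `~.` block: `- message: Use the aws_s3_bucket_ownership_controls resource to disable ACLs` / `check:` / `(planned_values.root_module.resources[?type=='aws_s3_bucket_ownership_controls'] | length(@) > \`0\`): true`. Separately, this policy and the lifecycle, logging, replication and versioning pols that follow all select from `planned_values.root_module.resources` only, so buckets declared inside a child module (`planned_values.root_module.child_modules`) are never evaluated; until the selectors cover child modules, that limitation belongs in each description, e.g. `Only resources in the root module are evaluated.` The file is also committed without a trailing newline, as the `\ No newline at end of file` marker shows.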
@@ -0,0 +1,30 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: s3-lifecycle-configuration
+ annotations:
+ policies.kyverno.io/title: s3-lifecycle-configuration
+ policies.kyverno.io/category: AWS S3 Security Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ S3 Lifecycle manage your objects so that they are stored cost effectively
+ throughout their lifecycle. This policy ensures the lifecycle_configuration
+ is set when creating an S3 bucket.
+spec:
+ rules:
+ - name: check-s3-lifecycle-configuration
+ match:
+ all:
+ - ($analyzer):
+ resource:
+ type: terraform-config
+ - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Use the `aws_s3_bucket_lifecycle_configuration` resource to enable lifecycle configuration.
+ check:
+ (planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration'] | length(@) > `0`): true
+ - message: S3 Bucket Lifecycle Configuration 'status' needs to be set to 'Enabled'
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']):
+ (values.rule[?status=='Enabled'] | length(@) > `0`): true
diff --git a/charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml b/charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml
new file mode 100644
index 00000000..79d94d46
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/enable-server-access-logging.yaml
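Review bot: The first check only establishes that some `aws_s3_bucket_lifecycle_configuration` exists in the root module, not that each bucket has one, so a plan with two `aws_s3_bucket` resources and a single lifecycle configuration passes this policy; the logging, replication and versioning pols in this commit use the same module-global existence check. Pairing a configuration with its bucket from `planned_values` is not always possible, since the `bucket` argument is often a reference whose value is unknown until apply, so if a per-bucket check is out of scope the description should say what is actually verified, e.g. append `This policy checks that at least one lifecycle configuration is planned, not that every bucket has one.` The description's first sentence also reads awkwardly; `S3 Lifecycle rules manage your objects so that they are stored cost-effectively` would be clearer.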
@@ -0,0 +1,29 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: enable-s3-server-access-logging
+ annotations:
+ policies.kyverno.io/title: enable-s3-server-access-logging
+ policies.kyverno.io/category: AWS S3 Security Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Server access logging provides detailed records for the
+ requests that are made to an Amazon S3 bucket. Server access
+ logs are useful for many applications. For example, access
+ log information can be useful in security and access audits.
+ This information can also help you learn about your customer
+ base and understand your Amazon S3 bill.
+spec:
+ rules:
+ - name: enable-s3-server-access-logging
+ match:
+ all:
+ - ($analyzer):
+ resource:
+ type: terraform-config
+ - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Use the aws_s3_bucket_logging resource to enable server access logging
+ check:
+ (planned_values.root_module.resources[?type=='aws_s3_bucket_logging'] | length(@) > `0`): true
diff --git a/charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml b/charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml
new file mode 100644
index 00000000..3adbd275
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/s3-cross-region-replication.yaml
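Review bot: `policies.kyverno.io/title` here just repeats the metadata name `enable-s3-server-access-logging`, whereas disable-s3-acl.yaml gives a human-readable title (`Disable S3 Access Control List`); the lifecycle, replication and versioning pols have the same slug-as-title pattern. Suggest `policies.kyverno.io/title: Enable S3 Server Access Logging` and the equivalent in the other three, since the title annotation is what policy catalogs display. The check also accepts any `aws_s3_bucket_logging` resource regardless of its `target_bucket`, so a logging configuration that writes into the bucket being logged would satisfy it; if that matters, the other pols' `~.` form could be reused to inspect `values.target_bucket`, subject to that value being known at plan time.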
@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: enable-s3-cross-region-replication
+ annotations:
+ policies.kyverno.io/title: enable-s3-cross-region-replication
+ policies.kyverno.io/category: AWS S3 Security Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Replication enables automatic, asynchronous copying of objects
+ across Amazon S3 buckets. Buckets that are configured for object
+ replication can be owned by the same AWS account or by different
+ accounts. You can replicate objects to a single destination bucket
+ or to multiple destination buckets. The destination buckets can be
+ in different AWS Regions or within the same Region as the source bucket.
+spec:
+ rules:
+ - name: check-s3-cross-region-replication
+ match:
+ all:
+ - ($analyzer):
+ resource:
+ type: terraform-config
+ - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Use the `aws_s3_bucket_replication_configuration` resource to set the status to Enabled
+ check:
+ (planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration'] | length(@) > `0`): true
+ - message: Set S3 Bucket Cross Region Replication status to 'Enabled'
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_replication_configuration']):
+ (values.rule[?status=='Enabled'] | length(@) > `0`): true
diff --git a/charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml b/charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml
new file mode 100644
index 00000000..e270d560
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/pols/s3-enable-versioning.yaml
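Review bot: The policy name, rule name and second message all say cross-region, but nothing in the checks inspects a destination region: the rule only requires an `aws_s3_bucket_replication_configuration` with at least one `rule` whose `status` is `Enabled`, and the description itself notes that destinations may be in the same Region as the source. Readers will take the name as a cross-region guarantee it does not provide, so either rename the policy to plain replication and change the message to `Set S3 Bucket Replication status to 'Enabled'`, or add a check on the destination that actually establishes a different region. If the latter is intended, note in the description that the destination bucket's region may not be resolvable from `planned_values` when it is an unknown reference.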
@@ -0,0 +1,33 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+ name: enable-s3-versioning
+ annotations:
+ policies.kyverno.io/title: enable-s3-versioning
+ policies.kyverno.io/category: AWS S3 Security Best Practices
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/description: >-
+ Versioning in Amazon S3 is a means of keeping multiple variants of an object
+ in the same bucket. You can use the S3 Versioning feature to preserve, retrieve,
+ and restore every version of every object stored in your buckets. With versioning
+ you can recover more easily from both unintended user actions and application
+ failures. After versioning is enabled for a bucket, if Amazon S3 receives multiple
+ write requests for the same object simultaneously, it stores all of those objects.
+spec:
+ rules:
+ - name: check-s3-versioning-setting
+ match:
+ all:
+ - ($analyzer):
+ resource:
+ type: terraform-config
+ - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+ assert:
+ all:
+ - message: Use the `aws_s3_bucket_versioning` resource to enable versioning.
+ check:
+ (planned_values.root_module.resources[?type=='aws_s3_bucket_versioning'] | length(@) > `0`): true
+ - message: S3 Bucket Versioning needs to be set to 'Enabled'
+ check:
+ ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_versioning']):
+ (values.versioning_configuration[?status=='Enabled'] | length(@) > `0`): true
diff --git a/charts/best-practices-s3-tf-config/templates/club-pols.yaml b/charts/best-practices-s3-tf-config/templates/club-pols.yaml
new file mode 100644
index 00000000..c3c51aa7
--- /dev/null
+++ b/charts/best-practices-s3-tf-config/templates/club-pols.yaml
@@ -0,0 +1,4 @@
+{{ range $path, $_ := .Files.Glob "pols/**.yaml" }}
+{{ $.Files.Get $path }}
+---
+{{ end }}
diff --git a/charts/best-practices-s3-tf-config/values.yaml b/charts/best-practices-s3-tf-config/values.yaml
new file mode 100644
index 00000000..e69de29b
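Review bot: club-pols.yaml emits every file under `pols/` verbatim through `$.Files.Get`, so the policies are not rendered as Go templates and the empty `values.yaml` cannot parameterise them (severity, category and the like are fixed at packaging time); that is a reasonable design, but it is not stated anywhere, and the next contributor who writes `{{ .Values.severity }}` inside a pol will get the literal text. A one-line template comment at the top would settle it: `{{- /* Files under pols/ are emitted verbatim; they are not Helm templates and ignore values.yaml. */ -}}`. Because the template writes a newline after `{{ $.Files.Get $path }}` before the `---`, the missing trailing newline in disable-s3-acl.yaml does not break the concatenation, though the separator after the last file still yields an empty trailing document, which Helm tolerates.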