Write custom rules using Rego

This document explains how to write custom rules using the Rego policy language. You can use these rules in Workload Manager to evaluate your workloads against the best practices that your organization defines.

For more information, see "Overview of custom rules in Workload Manager".

Before you begin

Write custom rules using Rego

Google provides a GitHub sample repository that contains a set of predefined rules for evaluating workloads. The samples cover a range of use cases. Select a rule from the repository, or create a rule (.rego) file that describes your evaluation requirements.

A custom rule contains the following sections:

  • Metadata. The following fields define the rule metadata:
    • DETAILS: a short description of the rule.
    • SEVERITY: a user-defined value that describes how severe a violation of the rule is, for example HIGH, CRITICAL, MEDIUM, or LOW.
    • ASSET_TYPE: one of the supported assets. See "Supported data sources".
    • TAGS: one or more rule tags. Tags help you filter rules.
  • Package declaration. For example: templates.google.compute.instance.label
  • Import statements. For example: data.validator.google.lib as lib
  • Rule definition: the set of instructions that define the rule.

Sample rules

You can find the following sample rules in the GoogleCloudPlatform/workload-manager GitHub repository. You can upload these rules unchanged to a Cloud Storage bucket and use them to run evaluations. Alternatively, you can modify the rules to match your organization's policies and then upload the files to the Cloud Storage bucket.

  • Sample 1: Ensure that VMs have at least one tag.
  • Sample 2: Ensure that the workload doesn't use the Compute Engine default service account.
  • Sample 3: Ensure that the VMs in the workload don't use external IP addresses.

For a complete list of sample rules that you can use in Workload Manager, see the GoogleCloudPlatform/workload-manager GitHub repository.

Sample 1

Ensure that Compute Engine resources have at least one tag.

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# DETAILS:  MUST have at least one tag
# SEVERITY: Medium
# ASSET_TYPE: compute.googleapis.com/Instance
# TAGS: Tags, Cost, Management, Compute Engine
########################################################################

package google.compute.instance.tags

import data.validator.google.lib as lib
import data.validator.google.lib.parameters as gparam
import future.keywords

asset := input.asset

params := lib.get_default(gparam.global_parameters, "compute", {})

deny[{"msg": message, "details": metadata}] {
	# Skip resources that are listed in the exemptions parameter
	exempt_list := lib.get_default(params, "exemptions", [])
	exempt := {asset.name} & {ex | ex := exempt_list[_]}
	count(exempt) == 0

	# Violation when the instance has no tags at all
	tags := lib.get_default(asset.resource.data, "tags", {"items": []})
	count(tags.items) == 0

	message := "Compute resource is missing tags. Ensure appropriate tags are applied."

	metadata := {"name": asset.name}
}

Sample 2

Ensure that the workload doesn't use the Compute Engine default service account.

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# DETAILS:  MUST NOT use default service account
# SEVERITY: Medium
# ASSET_TYPE: compute.googleapis.com/Instance
# TAGS: Defaults, Management, Compute Engine
########################################################################

package google.compute.defaultserviceAccount

import data.validator.google.lib as lib
import data.validator.google.lib.parameters as gparam
import future.keywords

asset := input.asset

input_enriched := object.union({"resource": {"data": {"serviceAccounts": []}}}, asset)

params := lib.get_default(gparam.global_parameters, "compute", {})

deny[{
	"msg": "Disallowed default service account",
	"details": {"name": asset.name},
}] {
	# Violation for every attached service account whose email ends with the
	# configured default service account suffix
	account := input_enriched.resource.data.serviceAccounts[_]
	endswith(account.email, params.default_sa)
}

Sample 3

Ensure that the VMs in the workload don't use external IP addresses.

# Copyright 2024 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

########################################################################
# DETAILS:  Ensure VMs don't have an External IP
# SEVERITY: High
# ASSET_TYPE: compute.googleapis.com/Instance
# TAGS: Security, Network, Compute Engine, External IP, VM, Virtual Machine
########################################################################

package google.compute.instance.approved.external.ip

import data.validator.google.lib as lib
import data.validator.google.lib.parameters as gparam
import future.keywords

asset := input.asset

params := lib.get_default(gparam.global_parameters, "compute", {})

deny[{"msg": message, "details": metadata}] {
	# Skip resources that are listed in the exemptions parameter
	exempt_list := lib.get_default(params, "exemptions", [])
	exempt := {asset.name} & {ex | ex := exempt_list[_]}
	count(exempt) == 0

	# Find a network interface that carries an access config (an external IP)
	instance := asset.resource.data
	access_config := instance.networkInterfaces[_].accessConfigs
	count(access_config) > 0

	message := sprintf("%v : VM Instance has external IP. current config: %v", [asset.name, access_config])
	metadata := {"name": asset.name}
}
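As an added example (not part of this page or of the GoogleCloudPlatform/workload-manager repository), the following OPA unit-test file exercises the Sample 3 rule with constructed assets before the rule is uploaded: one violation for a VM with an external IP, none for an internal-only VM, and none for an exempted VM. It assumes the repository's lib/utils.rego (lib.get_default) and lib/parameters.rego (global_parameters) are loaded alongside it; the asset names and the 203.0.113.10 address are placeholders.

```rego
# Unit tests for the Sample 3 rule above; same package so `deny` is in scope.
# Run from the repository root: opa test lib/ rules/ external_ip_test.rego -v
# (assumes lib/utils.rego defines lib.get_default and lib/parameters.rego
# defines global_parameters, which the page's samples import).
package google.compute.instance.approved.external.ip

import future.keywords

# Constructed asset with a NAT access config (an external IP); placeholders only.
vm_with_external_ip := {
	"name": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/vm-public",
	"asset_type": "compute.googleapis.com/Instance",
	"resource": {"data": {
		"name": "vm-public",
		"networkInterfaces": [{
			"network": "global/networks/default",
			"accessConfigs": [{"type": "ONE_TO_ONE_NAT", "natIP": "203.0.113.10"}],
		}],
	}},
}

# Constructed asset with the same shape but no accessConfigs block.
vm_internal_only := {
	"name": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/vm-private",
	"asset_type": "compute.googleapis.com/Instance",
	"resource": {"data": {
		"name": "vm-private",
		"networkInterfaces": [{"network": "global/networks/default"}],
	}},
}

# A VM with an external IP yields exactly one violation naming that asset.
test_external_ip_denied if {
	result := deny with input as {"asset": vm_with_external_ip}
	count(result) == 1
	some violation in result
	violation.details.name == vm_with_external_ip.name
	contains(violation.msg, "external IP")
}

# Without accessConfigs the rule body is undefined, so deny is the empty set.
test_internal_only_allowed if {
	count(deny) == 0 with input as {"asset": vm_internal_only}
}

# An exempted asset is suppressed despite its external IP; `with` swaps in a
# parameters document for this expression only.
test_exempt_instance_allowed if {
	count(deny) == 0 with input as {"asset": vm_with_external_ip}
		with data.validator.google.lib.parameters.global_parameters as {"compute": {"exemptions": [vm_with_external_ip.name]}}
}
```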

Upload the rules to a Cloud Storage bucket

After you create the .rego files, upload them to a Cloud Storage bucket. The top level of the Cloud Storage bucket must contain the /lib and /rules folders:

  • /lib
    • parameters.rego
    • utils.rego
  • /rules
    • rule_name1.rego
    • rule_name2.rego

What's next