restrict-sagemaker-notebooks.sentinel
# This policy uses the Sentinel tfplan/v2 import to require that every
# SageMaker notebook instance in the plan has both root access and direct
# internet access disabled.
# Import common-functions/tfplan-functions/tfplan-functions.sentinel
# with alias "plan"
import "tfplan-functions" as plan
# Collect every aws_sagemaker_notebook_instance present in the plan
notebooks = plan.find_resources("aws_sagemaker_notebook_instance")

# Both attributes must be exactly "Disabled". An attribute set to "Enabled"
# or left unset counts as a violation, since the AWS default for each is
# "Enabled". The trailing `true` makes the helper print a warning for every
# violating resource as a side effect of the call, so both filters are run
# unconditionally up front rather than inside the rule.
#   root_access            - root on the notebook instance itself
#   direct_internet_access - egress that bypasses the VPC's network controls
rootAccessViolations = plan.filter_attribute_is_not_value(
  notebooks, "root_access", "Disabled", true)
directInternetViolations = plan.filter_attribute_is_not_value(
  notebooks, "direct_internet_access", "Disabled", true)

# A filter result is clean when it produced no messages
noRootAccess = length(rootAccessViolations["messages"]) is 0
noDirectInternet = length(directInternetViolations["messages"]) is 0

# Main rule: the plan passes only when neither check found a violation
main = rule {
  noRootAccess and noDirectInternet
}