opa rules fix for bucket

unamachi · unamachi · commit 6d221f0215a8 · 2023-09-13T11:38:36.000+05:30
diff --git a/cd3_automation_toolkit/user-scripts/OPA/Storage/oci_deny_public_bucket.rego b/cd3_automation_toolkit/user-scripts/OPA/Storage/oci_deny_public_bucket.rego
@@ -6,19 +6,45 @@ package terraform
 import input as tfplan
 
 
+package terraform
+
+#Ensure no object storage buckets are publicly visible.
+#Ensure object storage buckets are encrypted with a CMK.
+#Ensure versioning is enabled for buckets.
+import input as tfplan
+
+
 deny[reason] {
 	r = tfplan.resource_changes[_]
 	r.mode == "managed"
 	r.type == "oci_objectstorage_bucket"
 	r.change.after.access_type == "ObjectRead"
+#	r.change.after.kms_key_id == null
+#    r.change.after.versioning == "Disabled"
+
+	reason := sprintf("%-40s :: OCI buckets must be private as per CIS standard's",
+	                    [r.address])
+}
+
+deny[reason] {
+	r = tfplan.resource_changes[_]
+	r.mode == "managed"
+	r.type == "oci_objectstorage_bucket"
 	r.change.after.kms_key_id == null
-    r.change.after.versioning == "Disabled"
 
-	reason := sprintf("%-40s :: OCI buckets must be private/versioning enabled/encrypted with CMK as per CIS standard's",
+	reason := sprintf("%-40s :: OCI buckets must be encrypted with CMK as per CIS standard's",
 	                    [r.address])
 }
 
+deny[reason] {
+	r = tfplan.resource_changes[_]
+	r.mode == "managed"
+	r.type == "oci_objectstorage_bucket"
+   r.change.after.versioning == "Disabled"
 
+	reason := sprintf("%-40s :: OCI buckets should be private/versioning enabled/encrypted with CMK as per CIS standard's",
+	                    [r.address])
+}
 
 #To enforce encryption at rest for object storage:
 default enforce_object_storage_encryption = false
