UNPKG

@pulumi/google-compliance-policies

Version:

This repository contains a growing set of Compliance Policies to validate your infrastructure using Pulumi's Crossguard Policy-as-Code framework.

64 lines (63 loc) 2.9 kB
"use strict"; // Copyright 2016-2024, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // // ------------------------------- WARNING ------------------------------------- // This file was programmatically generated. Do not edit unless you know what // you're doing. // ------------------------------- WARNING ------------------------------------- Object.defineProperty(exports, "__esModule", { value: true }); exports.Bucket = void 0; const bucket_1 = require("@pulumi/gcp/storage/bucket"); const policy_1 = require("@pulumi/policy"); const compliance_policy_manager_1 = require("@pulumi/compliance-policy-manager"); var Bucket; (function (Bucket) { /** * Check that Storage Bucket Public Access Prevention is enforced. * * @severity critical * @frameworks cis, iso27001, pcidss * @topics security, storage * @link https://cloud.google.com/storage/docs/public-access-prevention */ Bucket.enforcePublicAccessPrevention = compliance_policy_manager_1.policyManager.registerPolicy({ resourceValidationPolicy: { name: "gcp-storage-bucket-enforce-public-access-prevention", description: "Check that Storage Bucket Public Access Prevention is enforced.", configSchema: compliance_policy_manager_1.policyManager.policyConfigSchema, enforcementLevel: "advisory", validateResource: (0, policy_1.validateResourceOfType)(bucket_1.Bucket, (bucket, args, reportViolation) => { if (!compliance_policy_manager_1.policyManager.shouldEvalPolicy(args)) { return; } if (bucket.publicAccessPrevention) { if (bucket.publicAccessPrevention.toLowerCase() !== "enforced") { reportViolation("Storage Buckets should set the Public Access Prevent to 'enforced'."); } } else { // Implicitly set as `inherited` reportViolation("Storage Buckets should set the Public Access Prevent to 'enforced'."); } }), }, vendors: ["google"], services: ["storage"], severity: "critical", topics: ["storage", "security"], frameworks: ["iso27001", "pcidss", "cis"], }); })(Bucket || (Bucket = {})); exports.Bucket = Bucket;