skorfmann / cloudpatrol

Licence: Apache-2.0 license
Policy as Code for the Cloud Development Kit (CDK)


Policy as Code for the Cloud Development Kit

Cloud Patrol lets you define common policies with remediation strategies for your AWS CDK stacks and enforce them across your CDK stacks / applications.

NB: This is an alpha release - Everything might change.

Use Cases

Make sure your Cloud resources are:

  • Tagged properly
  • Secure by default
  • Following naming conventions
  • Within your budget
  • Not provisioned with hardcoded secrets
  • Pretty much whatever you can think of :)

Getting Started

yarn add cloudpatrol

Example

Given this example:

import * as cdk from '@aws-cdk/core';
import { ExampleStack } from '../lib/example-stack';
import { AwsCdkPatrol } from 'cloudpatrol/lib'
import { awsDefaults } from 'cloudpatrol/policies/aws/packs/good-defaults'

const app = new cdk.App();
const stack = new ExampleStack(app, 'ExampleStack');

const cloudPatrol = new AwsCdkPatrol(awsDefaults)
cloudPatrol.check(stack)

We can do the following:


Check the full example.

Reports

Currently, there are two reporting mechanisms:

AWS CDK inline report

As part of your normal CDK commands (e.g. cdk synth --app bin/example.js), Cloud Patrol reports on the Construct nodes themselves and stops the synth process on errors.

Terminal Report

For CI / CD workflows and local testing, just execute your CDK app directly with node (e.g. node ./bin/example.js). This is great for dedicated validation of policies without the synthesized output.

Custom Reporting

Custom reporting hasn't been implemented yet, but it's on the agenda and probably possible right now with a bit of effort.

Policies

Full Example

import * as cdk from '@aws-cdk/core';
import * as s3 from '@aws-cdk/aws-s3';
// Assumed import path: the README imports AwsCdkPatrol from 'cloudpatrol/lib',
// so the policy base types are taken from the same entry point.
import { Policy, PolicyInterface, Reportable } from 'cloudpatrol/lib';

/**
 * This Policy ensures that a bucket is properly versioned
 *
 * @cloudformationResource AWS::S3::Bucket
 * @see https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-versioningconfig.html
 */
export class BucketVersioningPolicy extends Policy implements PolicyInterface {
  public policyName = 'Bucket Versioning'
  public description = 'This ensures that a bucket is properly versioned'
  public link = 'https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-bucket-versioningconfig.html'
  public scope = s3.CfnBucket

  public validator(node: s3.CfnBucket, reporter: Reportable): void {
    // An unresolved token cannot be inspected at validation time, so only a
    // missing configuration or a concrete status other than 'Enabled' is flagged.
    if (!node.versioningConfiguration ||
      (!cdk.Tokenization.isResolvable(node.versioningConfiguration) && node.versioningConfiguration.status !== 'Enabled')) {
      reporter.addWarning(node, this, 'Bucket versioning is not enabled');
    }
  }
}

Implemented Policies

Custom Policies

Policies have to follow this schema:

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
}

Scope

There are two options to define the scope of a Policy:

Define an explicit scope:

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
  public scope = s3.CfnBucket
  //...
}

Overwrite isApplicable:

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
  public isApplicable(node: cdk.Resource): boolean {
    // your custom logic here, returning true for nodes this Policy should validate
    return false
  }
  //...
}

Policy Validation Logic

class YourCustomPolicy extends Policy implements PolicyInterface {
  //...
  public validator(node: s3.CfnBucket, reporter: Reportable, context: PolicyContext): void {
    // your custom logic here.
  }
  //...
}

Found issues can be reported via the reporter object. You can report multiple issues per Policy. There are three different issue severities:

  • Info
  • Warning
  • Error

context is persistent across the entire Stack validation and can be passed in for dynamic information.
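A complete custom policy following this schema, as an added example that is not cloudpatrol's own code: the `Policy`, `PolicyInterface`, `Reportable` and `PolicyContext` declarations are minimal local stand-ins modelled on the README so the file runs without cloudpatrol or the AWS CDK installed, and resources are plain objects shaped like CloudFormation nodes. It uses `isApplicable` instead of a fixed `scope`, reports all three severities, and reads the required tag keys from `context`.

```typescript
// Stand-in types (assumed shapes, modelled on the README, not cloudpatrol's real classes).
type Severity = 'Info' | 'Warning' | 'Error'
interface Finding { severity: Severity; node: string; policy: string; message: string }
interface CfnNode { cfnResourceType: string; logicalId: string; tags?: { key: string; value: string }[] }
type PolicyContext = { requiredTags: string[] }
interface Reportable {
  addInfo(node: CfnNode, policy: PolicyInterface, msg: string): void
  addWarning(node: CfnNode, policy: PolicyInterface, msg: string): void
  addError(node: CfnNode, policy: PolicyInterface, msg: string): void
}
interface PolicyInterface {
  policyName: string
  isApplicable(node: CfnNode): boolean
  validator(node: CfnNode, reporter: Reportable, context: PolicyContext): void
}
abstract class Policy { abstract policyName: string }

/** Every taggable resource must carry the tag keys listed in the context. */
class RequiredTagsPolicy extends Policy implements PolicyInterface {
  public policyName = 'Required Tags'
  // isApplicable instead of a fixed `scope`: the rule spans several resource types
  public isApplicable(node: CfnNode): boolean {
    return node.cfnResourceType === 'AWS::S3::Bucket' || node.cfnResourceType === 'AWS::Lambda::Function'
  }
  public validator(node: CfnNode, reporter: Reportable, context: PolicyContext): void {
    const tags = node.tags || []
    const present = new Set(tags.map(t => t.key))
    // Error: a mandatory tag is absent; Warning: present but empty; Info: nothing tagged at all
    for (const key of context.requiredTags) if (!present.has(key)) reporter.addError(node, this, `missing required tag "${key}"`)
    for (const t of tags) if (t.value.trim() === '') reporter.addWarning(node, this, `tag "${t.key}" has an empty value`)
    if (tags.length === 0) reporter.addInfo(node, this, 'resource carries no tags at all')
  }
}

/** Collecting reporter: keeps findings instead of printing them, handy in CI. */
class CollectingReporter implements Reportable {
  public findings: Finding[] = []
  private add(severity: Severity, node: CfnNode, p: PolicyInterface, message: string): void {
    this.findings.push({ severity, node: node.logicalId, policy: p.policyName, message })
  }
  addInfo(n: CfnNode, p: PolicyInterface, m: string): void { this.add('Info', n, p, m) }
  addWarning(n: CfnNode, p: PolicyInterface, m: string): void { this.add('Warning', n, p, m) }
  addError(n: CfnNode, p: PolicyInterface, m: string): void { this.add('Error', n, p, m) }
}

/** Mimics the Aspect visit: run every policy over each node it applies to. */
function runPolicies(nodes: CfnNode[], policies: PolicyInterface[], ctx: PolicyContext): Finding[] {
  const reporter = new CollectingReporter()
  for (const node of nodes) for (const p of policies) if (p.isApplicable(node)) p.validator(node, reporter, ctx)
  return reporter.findings
}
```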

How does it work?

Cloud Patrol makes use of Aspects to visit all nodes in a given Construct (e.g. your stack). Aspects are applied in the prepare stage, which is called before synthesizing the stack. That's great if you're going to synthesize anyway. However, if you just want to run the Cloud Patrol checks, we have to invoke the preparation ourselves. Something along the lines of this:

  // `this` is the AwsCdkPatrol instance, which acts as the Aspect visiting every node
  stack.node.applyAspect(this);
  // run the prepare stage explicitly so the Aspect fires without a full synth
  cdk.ConstructNode.prepare(stack.node);

Roadmap

  • Simplify Policy definition
  • Drop the dependency on aws-cdk/core where possible, extract the rest to a dedicated package
  • Publish policies as separate package (e.g. @cloudpatrol/aws-policies)
  • Implement remediation strategies
  • Documentation
  • Policy generator
  • Modularize and detangle Reporter to allow multiple ways of reporting
  • Github Actions for easy integration
  • .cloudpatrol file?
  • Provide more policies out of the box
  • CLI which autodetects Stacks for inspection
  • Integration tests against the last X releases of the AWS CDK
  • Integrate supported languages of jsii
  • Integrate in CDK based frameworks like cdk8s and terrastack