Update yaml controls to match max line-length (#3520)

* Update yaml controls to match max line-length

* Add test for stage 0 with hardened datasets

---------

Co-authored-by: Julio Castillo <jccb@google.com>

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudrunDisableEnvironmentVariablePattern.yaml

@@ -12,12 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.cloudrunDisableEnvironmentVariablePattern:
   action_type: DENY
   condition: |-
-    resource.spec.template.spec.containers.exists(container, container.env.exists(env, ["[sS][eE][cC][rR][eE][tT]", "[kK][eE][yY]", "[pP][aA][sS][sS][wW][oO][rR][dD]", "[tT][oO][kK][eE][nN]"].exists(pattern, env.name.matches(pattern))))
+    resource.spec.template.spec.containers.exists(container,
+      container.env.exists(env,
+        ["[sS][eE][cC][rR][eE][tT]", "[kK][eE][yY]", "[pP][aA][sS][sS][wW][oO][rR][dD]", "[tT][oO][kK][eE][nN]"].exists(
+          pattern, env.name.matches(pattern)
+        )
+      )
+    )
   description: Enforce that certain patterns are not used in environment variables
     of Cloud Run Service or Cloud Run Functions
   display_name: Disable usage of certain patterns in Cloud Run Service or Cloud Run

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlEnforcePasswordComplexity.yaml

@@ -12,12 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.cloudsqlEnforcePasswordComplexity:
   action_type: DENY
   condition: |-
-    resource.settings.passwordValidationPolicy.complexity != "COMPLEXITY_DEFAULT" || resource.settings.passwordValidationPolicy.minLength < 12
+    resource.settings.passwordValidationPolicy.complexity != 'COMPLEXITY_DEFAULT' ||
+    resource.settings.passwordValidationPolicy.minLength < 12
   description: Ensure that Cloud SQL instance is configured with a password complexity
     to be combination of lowercase, uppercase, numeric, and non-alphanumeric characters
   display_name: Require Cloud SQL instances to configure password complexity to COMPLEXITY_DEFAULT

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireMySQLDatabaseFlags.yaml

@@ -12,14 +12,16 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.cloudsqlRequireMySQLDatabaseFlags:
   action_type: DENY
   condition: |-
     resource.databaseVersion.startsWith('MYSQL') && (
-      (resource.settings.databaseFlags.exists(flag, flag.name == 'skip_show_database' && flag.value == 'on') == false) ||
-      (resource.settings.databaseFlags.exists(flag, flag.name == 'local_infile' && flag.value == 'off') == false)
+      !resource.settings.databaseFlags.exists(flag,
+        flag.name == 'skip_show_database' && flag.value == 'on'
+      ) ||
+      !resource.settings.databaseFlags.exists(flag,
+        flag.name == 'local_infile' && flag.value == 'off'
+      )
     )
   description: Ensure Cloud SQL for MySQL instance database flags are set correctly
     (e.g skip_show_database, local_infile)

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePointInTimeRecovery.yaml

@@ -12,12 +12,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.cloudsqlRequirePointInTimeRecovery:
   action_type: DENY
   condition: |-
-    (resource.databaseVersion.contains("POSTGRES") || resource.databaseVersion.contains("SQLSERVER")) && resource.settings.backupConfiguration.pointInTimeRecoveryEnabled == false
+    (resource.databaseVersion.contains("POSTGRES")
+      || resource.databaseVersion.contains("SQLSERVER"))
+      && resource.settings.backupConfiguration.pointInTimeRecoveryEnabled == false
   description: Ensure that Cloud SQL instance is configure enable point in time recovery
     in the backup configuration. This setting is possibly for Postgres and SQLServer
     databases.

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequirePostgreSQLDatabaseFlags.yaml

@@ -12,20 +12,22 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.cloudsqlRequirePostgreSQLDatabaseFlags:
   action_type: DENY
   condition: |-
     resource.databaseVersion.startsWith('POSTGRES') && (
-      !resource.settings.databaseFlags.exists(flag, flag.name == 'log_connections' && flag.value == 'on') ||
-      !resource.settings.databaseFlags.exists(flag, flag.name == 'log_disconnections' && flag.value == 'on') ||
-      !resource.settings.databaseFlags.exists(flag, flag.name == 'log_min_duration_statement' && flag.value == '-1') ||
-      !resource.settings.databaseFlags.exists(flag, flag.name == 'cloudsql.enable_pgaudit' && flag.value == 'on') ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'log_min_messages' && flag.value in ['error' , 'log', 'fatal', 'panic']) ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'log_min_error_statement' && flag.value in ['log', 'fatal', 'panic']) ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'log_error_verbosity' && flag.value in ['terse']) ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'log_statement' && flag.value in ['none'])
+      !resource.settings.databaseFlags.exists(f, f.name == 'log_connections' && f.value == 'on') ||
+      !resource.settings.databaseFlags.exists(f, f.name == 'log_disconnections' && f.value == 'on') ||
+      !resource.settings.databaseFlags.exists(f, f.name == 'log_min_duration_statement' && f.value == '-1') ||
+      !resource.settings.databaseFlags.exists(f, f.name == 'cloudsql.enable_pgaudit' && f.value == 'on') ||
+      resource.settings.databaseFlags.exists(f, f.name == 'log_error_verbosity' && f.value == 'terse') ||
+      resource.settings.databaseFlags.exists(f, f.name == 'log_statement' && f.value == 'none') ||
+      resource.settings.databaseFlags.exists(f,
+        f.name == 'log_min_messages' && f.value in ['error' , 'log', 'fatal', 'panic']
+      ) ||
+      resource.settings.databaseFlags.exists(f,
+        f.name == 'log_min_error_statement' && f.value in ['log', 'fatal', 'panic']
+      )
     )
   description: Ensure Cloud SQL for PostgreSQL instance database flags are set correctly
     (e.g log_connections)

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.cloudsqlRequireSQLServerDatabaseFlags.yaml

@@ -12,19 +12,31 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.cloudsqlRequireSQLServerDatabaseFlags:
   action_type: DENY
   condition: |-
     resource.databaseVersion.startsWith('SQLSERVER') && (
-      resource.settings.databaseFlags.exists(flag, flag.name == 'external scripts enabled' && flag.value == 'on') ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'cross db ownership chaining' && flag.value == 'on') ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'contained database authentication' && flag.value == 'on') ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'user connections' && flag.value != '0') ||
-      resource.settings.databaseFlags.exists(flag, flag.name == 'user options' && flag.value != '0') ||
-      !resource.settings.databaseFlags.exists(flag, flag.name == 'remote access' && flag.value == 'off') ||
-      !resource.settings.databaseFlags.exists(flag, flag.name == '3625' && flag.value == 'on')
+      resource.settings.databaseFlags.exists(flag,
+        flag.name == 'external scripts enabled' && flag.value == 'on'
+      ) ||
+      resource.settings.databaseFlags.exists(flag,
+        flag.name == 'cross db ownership chaining' && flag.value == 'on'
+      ) ||
+      resource.settings.databaseFlags.exists(flag,
+        flag.name == 'contained database authentication' && flag.value == 'on'
+      ) ||
+      resource.settings.databaseFlags.exists(flag,
+        flag.name == 'user connections' && flag.value != '0'
+      ) ||
+      resource.settings.databaseFlags.exists(flag,
+        flag.name == 'user options' && flag.value != '0'
+      ) ||
+      !resource.settings.databaseFlags.exists(flag,
+        flag.name == 'remote access' && flag.value == 'off'
+      ) ||
+      !resource.settings.databaseFlags.exists(flag,
+        flag.name == '3625' && flag.value == 'on'
+      )
     )
   description: Ensure Cloud SQL for SQLServer instance database flags are set correctly
     (e.g external scripts enabled ...)

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.dnsAllowedSigningAlgorithms.yaml

@@ -12,12 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.dnsAllowedSigningAlgorithms:
   action_type: DENY
   condition: |-
-    resource.visibility == "PUBLIC" && resource.dnssecConfig.state == "ON" && resource.dnssecConfig.defaultKeySpecs.exists(spec, spec.algorithm in  ["ECDSAP256SHA256"] == false)
+    resource.visibility == 'PUBLIC' &&
+    resource.dnssecConfig.state == 'ON' &&
+    resource.dnssecConfig.defaultKeySpecs.exists(spec,
+      spec.algorithm in ["ECDSAP256SHA256"] == false
+    )
   description: Ensure that allowed signing algorithms are used for the Key-Signing
     key and Zone-Signing key in Cloud DNS DNSSEC
   display_name: Require Cloud DNS DNSSEC configured to use only allowed algorithms

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.gkeDisableLegacyMetadataEndpoints.yaml

@@ -12,12 +12,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.gkeDisableLegacyMetadataEndpoints:
   action_type: DENY
   condition: |-
-    ('disable-legacy-endpoints' in resource.config.metadata && resource.config.metadata['disable-legacy-endpoints'] == 'false')
+    ('disable-legacy-endpoints' in resource.config.metadata &&
+    resource.config.metadata['disable-legacy-endpoints'] == 'false')
   description: Enforce that GKE clusters are created with legacy metadata endpoints
     disabled
   display_name: Disable legacy metadata endpoints

fast/stages/0-org-setup/datasets/hardened/organization/custom-constraints/custom.iamDisablePublicBindings.yaml

@@ -12,12 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 custom.iamDisablePublicBindings:
   action_type: DENY
   condition: |-
-    resource.bindings.exists(binding, binding.members.exists(member, MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers'])))
+    resource.bindings.exists(binding,
+      binding.members.exists(member,
+        MemberSubjectMatches(member, ['allUsers', 'allAuthenticatedUsers'])
+      )
+    )
   description: Ensure no use of public bindings (allUsers, allAuthenticatedUsers)
   display_name: Deny use of public access bindings with allUsers or allAuthenticatedUsers
   method_types:

fast/stages/0-org-setup/datasets/hardened/organization/observability/firewallRuleChanges.yaml

@@ -39,7 +39,8 @@ alerts:
         Firewall rule changes.
 
         This alert helps ensure security by monitoring creation, modification, or
-        deletion of firewall rules. ``` resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch"
+        deletion of firewall rules.
+        ``` resource.type="gce_firewall_rule" AND (protoPayload.methodName:"compute.firewalls.patch"
         OR protoPayload.methodName:"compute.firewalls.insert" OR protoPayload.methodName:"compute.firewalls.delete")
         ```'
       mime_type: text/markdown

fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudrunRequireIngressInternalAndLoadBalancer.yaml

@@ -12,13 +12,14 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 cloudrunRequireIngressInternalAndLoadBalancer:
   description: Detect if Cloud Run services are not configured to allow only internal
     traffic and traffic from load balancer
   predicate:
-    expression: (!resource.metadata.annotations['run.googleapis.com/ingress'].matches('internal-and-cloud-load-balancing'))
+    expression: |-
+      (
+        !resource.metadata.annotations['run.googleapis.com/ingress'].matches('internal-and-cloud-load-balancing')
+      )
   recommendation: Ensure Cloud Run services are configured to allow only internal
     traffic and traffic from load balancer
   resource_selector:

fast/stages/0-org-setup/datasets/hardened/organization/scc-sha-custom-modules/cloudsqlRequirePointInTimeRecovery.yaml

@@ -12,12 +12,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# yamllint disable rule:line-length
-
 cloudsqlRequirePointInTimeRecovery:
   description: Detect if the CloudSQL instances have point in time recovery disabled
   predicate:
-    expression: (!resource.settings.backupConfiguration.binaryLogEnabled && !resource.settings.backupConfiguration.pointInTimeRecoveryEnabled
+    expression: |-
+      (
+        !resource.settings.backupConfiguration.binaryLogEnabled &&
+        !resource.settings.backupConfiguration.pointInTimeRecoveryEnabled
       )
   recommendation: Ensure the CloudSQL instances have point in time recovery enabled
   resource_selector: