From db7cb937d113088031e5ae92177607d988d77d5a Mon Sep 17 00:00:00 2001 From: Ludovico Magnocavallo Date: Wed, 7 Aug 2024 14:09:37 +0200 Subject: [PATCH] VPC-SC factory JSON Schemas (#2477)
--- .../1-vpcsc/data/access-levels/geo.yaml | 2 + modules/vpc-sc/README.md | 2 + .../vpc-sc/schemas/access-level.schema.json | 99 +++++++++++++++++++ .../vpc-sc/schemas/egress-policy.schema.json | 75 ++++++++++++++ .../vpc-sc/schemas/ingress-policy.schema.json | 83 ++++++++++++++++ 5 files changed, 261 insertions(+) create mode 100644 modules/vpc-sc/schemas/access-level.schema.json create mode 100644 modules/vpc-sc/schemas/egress-policy.schema.json create mode 100644 modules/vpc-sc/schemas/ingress-policy.schema.json
diff --git a/fast/stages/1-vpcsc/data/access-levels/geo.yaml b/fast/stages/1-vpcsc/data/access-levels/geo.yaml
index 556e94aaa..6d820363a 100644
--- a/fast/stages/1-vpcsc/data/access-levels/geo.yaml
+++ b/fast/stages/1-vpcsc/data/access-levels/geo.yaml
@@ -12,6 +12,8 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
+# yaml-language-server: $schema=../../../../../modules/vpc-sc/schemas/access-level.schema.json
+
 # this is just an example that reflects the FAST core team members' locations
 # and needs to be edited, or not referenced in the perimeter variable
 conditions:
diff --git a/modules/vpc-sc/README.md b/modules/vpc-sc/README.md
index e48bdba1c..9b4158f77 100644
--- a/modules/vpc-sc/README.md
+++ b/modules/vpc-sc/README.md
@@ -216,6 +216,8 @@ module "test" {
 This module implements support for three distinct factories, used to create and manage access levels, egress policies and ingress policies via YAML files. The YAML files syntax is a 1:1 match for the corresponding variables, and the factory data is merged at runtime with any data set in variables, which take precedence in case of key overlaps.
+JSON Schema files for each factory object are available in the [`schemas`](./schemas/) folder, and can be used to validate input YAML data with [`validate-yaml`](https://github.com/gerald1248/validate-yaml) or any of the available tools and libraries.
+
 This is an example that uses all three factories. Note that the factory configuration points to folders, where each file represents one resource.
 ```hcl
diff --git a/modules/vpc-sc/schemas/access-level.schema.json b/modules/vpc-sc/schemas/access-level.schema.json new file mode 100644
index 000000000..eec12a761
--- /dev/null
+++ b/modules/vpc-sc/schemas/access-level.schema.json
@@ -0,0 +1,99 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "VPC-SC access level",
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "combining_function": {
+ "type": "string"
+ },
+ "conditions": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "device_policy": {
+ "type": "object",
+ "required": [
+ "require_admin_approval",
+ "require_corp_owned"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "allowed_device_management_levels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "allowed_encryption_statuses": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "require_admin_approval": {
+ "type": "boolean"
+ },
+ "require_corp_owned": {
+ "type": "boolean"
+ },
+ "require_screen_lock": {
+ "type": "boolean"
+ },
+ "os_constraints": {
+ "type": "array",
+ "required": [
+ "os_type"
+ ],
+ "items": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "os_type": {
+ "type": "string"
+ },
+ "minimum_version": {
+ "type": "string"
+ },
+ "require_verified_chrome_os": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ }
+ },
+ "ip_subnetworks": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "members": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "negate": {
+ "type": "boolean"
+ },
+ "regions": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "required_access_levels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/modules/vpc-sc/schemas/egress-policy.schema.json b/modules/vpc-sc/schemas/egress-policy.schema.json new file mode 100644
index 000000000..e13004758
--- /dev/null
+++ b/modules/vpc-sc/schemas/egress-policy.schema.json
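Review bot: The `"required": ["os_type"]` under `os_constraints` is attached to the array schema (`"type": "array"`), where JSON Schema ignores `required` because it only applies to objects, so an `os_constraints` entry without `os_type` still validates. Move it into the element schema, as the commit already does for `device_policy`: `"items": { "type": "object", "required": ["os_type"], "additionalProperties": false, ... }`. It would also be worth closing `combining_function` with an `enum` instead of a free `"type": "string"`, since a typo there passes validation today — the accepted values are presumably `AND`/`OR`, confirm against the module variable before pinning them.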
@@ -0,0 +1,75 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "VPC-SC egress policy",
+ "type": "object",
+ "required": [
+ "from",
+ "to"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "from": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "identity_type": {
+ "enum": [
+ "IDENTITY_TYPE_UNSPECIFIED",
+ "ANY_IDENTITY",
+ "ANY_USER_ACCOUNT",
+ "ANY_SERVICE_ACCOUNT",
+ ""
+ ]
+ },
+ "identities": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "to": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "operations": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "service_name"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "method_selectors": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "permission_selectors": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "service_name": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "resources": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "resource_type_external": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/modules/vpc-sc/schemas/ingress-policy.schema.json b/modules/vpc-sc/schemas/ingress-policy.schema.json new file mode 100644
index 000000000..0c19ab935
--- /dev/null
+++ b/modules/vpc-sc/schemas/ingress-policy.schema.json
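Review bot: `from` and `to` are required but neither object lists any required keys, so an egress policy of `{"from": {}, "to": {}}` validates even though it cannot describe a meaningful rule; for a perimeter policy that is the kind of file that should fail loudly rather than be passed on to the factory. If the module variable needs `from` to carry one of `identity_type`/`identities` and `to` one of `operations`/`resources`, an `"anyOf": [{"required": ["identity_type"]}, {"required": ["identities"]}]` on `from` (and the analogue on `to`) would catch it — confirm the exact rule against the variable's validation before adding it. The `""` entry in the `identity_type` enum looks like it mirrors a default in the variable; a one-line `"description"` saying so would stop a reader from removing it as a typo.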
@@ -0,0 +1,83 @@
+{
+ "$schema": "http://json-schema.org/draft-07/schema#",
+ "title": "VPC-SC ingress policy",
+ "type": "object",
+ "required": [
+ "from",
+ "to"
+ ],
+ "additionalProperties": false,
+ "properties": {
+ "from": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "access_levels": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "identity_type": {
+ "enum": [
+ "IDENTITY_TYPE_UNSPECIFIED",
+ "ANY_IDENTITY",
+ "ANY_USER_ACCOUNT",
+ "ANY_SERVICE_ACCOUNT",
+ ""
+ ]
+ },
+ "identities": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "resources": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ },
+ "to": {
+ "type": "object",
+ "additionalProperties": false,
+ "properties": {
+ "operations": {
+ "type": "array",
+ "items": {
+ "type": "object",
+ "required": [
+ "service_name"
+ ],
+ "properties": {
+ "method_selectors": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
+ "permission_selectors": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "service_name": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
+ "resources": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ }
+} \ No newline at end of file
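Review bot: In `to.operations.items` the `service_name` schema is nested inside `permission_selectors` (it follows `"items": { "type": "string" },` within that object) instead of being a sibling of `method_selectors`, and the operation object is missing the `"additionalProperties": false` that the egress schema carries. The effect is that `service_name` is required but never typed, the stray `service_name` keyword inside `permission_selectors` is silently ignored by validators, and any misspelled key in an operation (`method_selector`, `permissions_selectors`) passes validation — presumably the factory then reads only the keys it knows and the resulting ingress rule is looser or emptier than the author intended, which is worth confirming against the module. Mirror the egress schema for the operation object:

```json
"items": {
  "type": "object",
  "required": [
    "service_name"
  ],
  "additionalProperties": false,
  "properties": {
    "method_selectors": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "permission_selectors": {
      "type": "array",
      "items": {
        "type": "string"
      }
    },
    "service_name": {
      "type": "string"
    }
  }
}
```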