gcv

package

v0.0.0-...-0da46e6 Latest Latest Go to latest Published: Aug 24, 2023 License: Apache-2.0 Imports: 24 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/GoogleCloudPlatform/config-validator

Links

Open Source Insights

Documentation ¶

Overview ¶

Package gcv provides a library and a RPC service for Forseti Config Validator.

Index ¶

Constants
func NewValidatorConfig(policyPaths []string, policyLibraryPath string) (*configs.Configuration, error)
type ConfigValidator
type ConstraintViolation
type Insight
type Option
- func DisableBuiltins(builtins ...string) Option
type ParallelValidator
- func NewParallelValidator(stopChannel <-chan struct{}, cv ConfigValidator) *ParallelValidator
- func (v *ParallelValidator) Review(ctx context.Context, request *validator.ReviewRequest) (*validator.ReviewResponse, error)
type Result
- func NewResult(target, name string, inputResource map[string]interface{}, ...) (*Result, error)
- func (r *Result) ToInsights() []*Insight
- func (r *Result) ToViolations() ([]*validator.Violation, error)
type StateInfo
type Validator

Constants ¶

View Source

const (
	ConstraintKey = "constraint"
)

Variables ¶

This section is empty.

Functions ¶

func NewValidatorConfig ¶

func NewValidatorConfig(policyPaths []string, policyLibraryPath string) (*configs.Configuration, error)

NewValidatorConfig returns a new ValidatorConfig. By default it will initialize the underlying query evaluation engine by loading supporting library, constraints, and constraint templates. We may want to make this initialization behavior configurable in the future.

Types ¶

type ConfigValidator ¶

type ConfigValidator interface {
	ReviewAsset(ctx context.Context, asset *validator.Asset) ([]*validator.Violation, error)
}

type ConstraintViolation ¶

type ConstraintViolation struct {
	// Message is a human readable message for the violation
	Message string
	// Metadata is the metadata returned by the constraint check
	Metadata map[string]interface{}
	// Constraint is the K8S resource of the constraint that triggered the violation
	Constraint *unstructured.Unstructured
	// Constraint Severity
	Severity string
}

ConstraintViolations represents an unsatisfied constraint

type Insight ¶

type Insight struct {
	// Name is the name for the insight, this will be of the format:
	// projects/<project number>/locations/global/insightTypes/<insight type>/insights/<name>
	// <insight type> generally represents the system generating the given insight.  <name> corresponds to the
	// unique insight generated by the system.
	// Example:
	// projects/123/locations/global/insightTypes/google.iam.policy.Insight/insights/abcd-1234
	Name string `json:"name,omitempty"`

	// Description is a human readable summary for the insight.
	// Example:
	// "Save cost by changing machine type from n1-standard-4 to custom-2-5120."
	Description string `json:"description,omitempty"`

	// TargetResources is a list of resources that are related to the finding.
	// Example:
	// ["//cloudresourcemanager.googleapis.com/projectnumbers/123"]
	TargetResources []string `json:"target_resources,omitempty"`

	// InsightSubtype is the subtype for the given insight.
	// Example:
	// "Save cost by changing machine type from n1-standard-4 to custom-2-5120."
	InsightSubtype string `json:"insight_subtype,omitempty"`

	// Content is a free-form field which is be used for storing arbitrary, check-specific data.
	Content interface{} `json:"content,omitempty"`

	// LastRefreshTime is the timestamp at which the insight was last generated.
	// Example:
	// "Save cost by changing machine type from n1-standard-4 to custom-2-5120."
	LastRefreshTime time.Time `json:"last_refresh_time,omitempty"` //omitted, will be added as part of job param

	// ObservationPeriod is the window of data over which the insight was generated, eg if the scanner analyzed the last
	// week of data, this value would be 7 days.
	ObservationPeriod time.Duration `json:"observation_period,omitempty"` // omitted, will be added as part of job param

	// StateInfo describes the state of the Insight.  Scanners must not populate this member.
	StateInfo StateInfo `json:"state_info,omitempty"`

	// Category for the insight, scanners may populate this member.
	// One of: COST, SECURITY, PERFORMANCE, MANAGEABILITY
	Category string `json:"category,omitempty"`
}

Insight is modeled after the cloud recommender insight.

type Option ¶

type Option = func(*initOptions)

func DisableBuiltins ¶

func DisableBuiltins(builtins ...string) Option

type ParallelValidator ¶

type ParallelValidator struct {
	// contains filtered or unexported fields
}

ParallelValidator handles making parallel calls to Validator during a Review call.

func NewParallelValidator ¶

func NewParallelValidator(stopChannel <-chan struct{}, cv ConfigValidator) *ParallelValidator

NewParallelValidator creates a new instance with the given stop channel and validator

func (*ParallelValidator) Review ¶

func (v *ParallelValidator) Review(ctx context.Context, request *validator.ReviewRequest) (*validator.ReviewResponse, error)

Review evaluates each asset in the review request in parallel and returns any violations found.

type Result ¶

type Result struct {
	// The name of the resource as given to Config Validator
	Name string
	// InputResource is the resource as given to Config Validator. This may be a
	// CAI Asset or a Terraform Resource Change.
	InputResource map[string]interface{}
	// ReviewResource is the resource sent to Constraint Framework for review.
	// This may be a CAI Asset, K8S resource, or Terraform Resource Change.
	ReviewResource map[string]interface{}
	// ConstraintViolations are the constraints that were not satisfied during review.
	ConstraintViolations []ConstraintViolation
}

Result is the result of reviewing an individual resource

func NewResult ¶

func NewResult(
	target, name string,
	inputResource map[string]interface{},
	reviewResource map[string]interface{},
	responses *cftypes.Responses) (*Result, error)

NewResult creates a Result from the provided CF Response.

func (*Result) ToInsights ¶

func (r *Result) ToInsights() []*Insight

ToInsights returns the result represented as a slice of insights.

func (*Result) ToViolations ¶

func (r *Result) ToViolations() ([]*validator.Violation, error)

type StateInfo ¶

type StateInfo struct {
	// State is the name of the insight state, one of ACTIVE, ACCEPTED, DISMISSED
	State string `json:"state,omitempty"`

	// StateMetadata is a user-extensible key-value map for holding arbitrary data.
	StateMetadata map[string]string `json:"state_metadata,omitempty"`
}

StateInfo is the state of the data.

type Validator ¶

type Validator struct {
	// contains filtered or unexported fields
}

Validator checks GCP resource metadata for constraint violation.

Expected usage pattern:

call NewValidator to create a new Validator
call AddData one or more times to add the GCP resource metadata to check
call Audit to validate the GCP resource metadata that has been added so far
call Reset to delete existing data
call AddData to add a new set of GCP resource metadata to check
call Reset to delete existing data

Any data added in AddData stays in the underlying rule evaluation engine's memory. To avoid out of memory errors, callers can invoke Reset to delete existing data.

func NewValidator ¶

func NewValidator(policyPaths []string, policyLibraryPath string, opts ...Option) (*Validator, error)

NewValidator returns a new Validator. By default it will initialize the underlying query evaluation engine by loading supporting library, constraints, and constraint templates. We may want to make this initialization behavior configurable in the future.

func NewValidatorFromConfig ¶

func NewValidatorFromConfig(config *configs.Configuration, opts ...Option) (*Validator, error)

NewValidatorFromConfig creates the validator from a config.

func NewValidatorFromContents ¶

func NewValidatorFromContents(policyFiles []*configs.PolicyFile, policyLibrary []string, opts ...Option) (*Validator, error)

NewValidatorFromContents returns a new Validator built from the provided contents of the policy constraints and policy library. This provides a way to create a validator directly from contents instead of reading from the file system. policyLibrary is a slice of file contents of all policy library files.

func (*Validator) ReviewAsset ¶

func (v *Validator) ReviewAsset(ctx context.Context, asset *validator.Asset) ([]*validator.Violation, error)

ReviewAsset reviews a single asset.

func (*Validator) ReviewJSON ¶

func (v *Validator) ReviewJSON(ctx context.Context, data string) (*Result, error)

ReviewJSON reviews the content of a JSON string

func (*Validator) ReviewTFResourceChange ¶

func (v *Validator) ReviewTFResourceChange(ctx context.Context, inputResource map[string]interface{}) ([]*validator.Violation, error)

ReviewTFResourceChange evaluates a single terraform resource change without any threading in the background.

func (*Validator) ReviewUnmarshalledJSON ¶

func (v *Validator) ReviewUnmarshalledJSON(ctx context.Context, asset map[string]interface{}) (*Result, error)

ReviewJSON evaluates a single asset without any threading in the background.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
configs configs helps with loading and parsing configuration files	configs helps with loading and parsing configuration files
oldconfigs

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL