@dotzen/dotzen 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +21 -0
- package/README.md +45 -0
- package/bin/dotzen.js +3 -0
- package/dist/cli/check.d.ts +9 -0
- package/dist/cli/check.js +79 -0
- package/dist/cli/main.d.ts +1 -0
- package/dist/cli/main.js +141 -0
- package/dist/cli/scaffold.d.ts +36 -0
- package/dist/cli/scaffold.js +171 -0
- package/dist/engine/evaluate.d.ts +31 -0
- package/dist/engine/evaluate.js +590 -0
- package/dist/hcl/model.d.ts +91 -0
- package/dist/hcl/model.js +5 -0
- package/dist/hcl/normalize.d.ts +16 -0
- package/dist/hcl/normalize.js +462 -0
- package/dist/hcl/parse.d.ts +13 -0
- package/dist/hcl/parse.js +85 -0
- package/dist/index.d.ts +3 -0
- package/dist/index.js +37 -0
- package/dist/report/report.d.ts +18 -0
- package/dist/report/report.js +109 -0
- package/dist/result/errors.d.ts +27 -0
- package/dist/result/errors.js +3 -0
- package/dist/result/result.d.ts +22 -0
- package/dist/result/result.js +37 -0
- package/dist/spec/load.d.ts +14 -0
- package/dist/spec/load.js +78 -0
- package/dist/spec/rule.d.ts +161 -0
- package/dist/spec/rule.js +190 -0
- package/dist/version/config.d.ts +29 -0
- package/dist/version/config.js +66 -0
- package/dist/vocabulary/azure.d.ts +63 -0
- package/dist/vocabulary/azure.js +88 -0
- package/dist/vocabulary/gcp.d.ts +57 -0
- package/dist/vocabulary/gcp.js +80 -0
- package/dist/vocabulary/index.d.ts +174 -0
- package/dist/vocabulary/index.js +235 -0
- package/package.json +74 -0
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.readDotzenJson = readDotzenJson;
|
|
37
|
+
exports.enforceVersion = enforceVersion;
|
|
38
|
+
const fs = __importStar(require("fs"));
|
|
39
|
+
const path = __importStar(require("path"));
|
|
40
|
+
const result_1 = require("../result/result");
|
|
41
|
+
const CANDIDATES = ['dotzen.json', path.join('.zen', 'dotzen.json')];
|
|
42
|
+
function readDotzenJson(cwd) {
|
|
43
|
+
for (const rel of CANDIDATES) {
|
|
44
|
+
const p = path.join(cwd, rel);
|
|
45
|
+
if (fs.existsSync(p)) {
|
|
46
|
+
const parsed = JSON.parse(fs.readFileSync(p, 'utf8'));
|
|
47
|
+
return (0, result_1.ok)({ config: parsed, baseDir: path.dirname(p) });
|
|
48
|
+
}
|
|
49
|
+
}
|
|
50
|
+
return (0, result_1.err)({ kind: 'ConfigNotFound', path: path.join(cwd, 'dotzen.json') });
|
|
51
|
+
}
|
|
52
|
+
/**
|
|
53
|
+
* The first thing the CLI does. Refuse to run on a version mismatch
|
|
54
|
+
* (doc 03 / engine-dev skill). No pin configured => proceed.
|
|
55
|
+
*/
|
|
56
|
+
function enforceVersion(config, running) {
|
|
57
|
+
if (!config.version)
|
|
58
|
+
return (0, result_1.ok)(config);
|
|
59
|
+
if (config.version === running)
|
|
60
|
+
return (0, result_1.ok)(config);
|
|
61
|
+
return (0, result_1.err)({
|
|
62
|
+
kind: 'VersionMismatch',
|
|
63
|
+
required: config.version,
|
|
64
|
+
running,
|
|
65
|
+
});
|
|
66
|
+
}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Azure (azurerm) vocabulary. Kept in its own provider module — not merged
|
|
3
|
+
* into the AWS `AwsResource`/`AwsAttribute` enums — so each cloud's `spec.ts`
|
|
4
|
+
* reads in its own idiom and the enums stay small ("Prose as Code"). The
|
|
5
|
+
* shared `AnyResource`/`AnyAttribute` unions (in ./index) let the
|
|
6
|
+
* cloud-neutral engine accept every provider's vocabulary.
|
|
7
|
+
*/
|
|
8
|
+
export declare enum AzureResource {
|
|
9
|
+
NetworkSecurityGroup = "azurerm_network_security_group",
|
|
10
|
+
NetworkSecurityRule = "azurerm_network_security_rule",
|
|
11
|
+
StorageAccount = "azurerm_storage_account",
|
|
12
|
+
MssqlServer = "azurerm_mssql_server",
|
|
13
|
+
KeyVault = "azurerm_key_vault",
|
|
14
|
+
KubernetesCluster = "azurerm_kubernetes_cluster",
|
|
15
|
+
LinuxWebApp = "azurerm_linux_web_app",
|
|
16
|
+
WindowsWebApp = "azurerm_windows_web_app",
|
|
17
|
+
PostgresqlServer = "azurerm_postgresql_server",
|
|
18
|
+
MysqlServer = "azurerm_mysql_server",
|
|
19
|
+
ContainerRegistry = "azurerm_container_registry",
|
|
20
|
+
CosmosdbAccount = "azurerm_cosmosdb_account",
|
|
21
|
+
RoleDefinition = "azurerm_role_definition",
|
|
22
|
+
RoleAssignment = "azurerm_role_assignment",
|
|
23
|
+
ManagedDisk = "azurerm_managed_disk",
|
|
24
|
+
MonitorDiagnosticSetting = "azurerm_monitor_diagnostic_setting",
|
|
25
|
+
ApiManagement = "azurerm_api_management"
|
|
26
|
+
}
|
|
27
|
+
export declare enum AzureAttribute {
|
|
28
|
+
AllowNestedItemsToBePublic = "allow_nested_items_to_be_public",
|
|
29
|
+
MinTlsVersion = "min_tls_version",
|
|
30
|
+
PublicNetworkAccessEnabled = "public_network_access_enabled",
|
|
31
|
+
MinimumTlsVersion = "minimum_tls_version",
|
|
32
|
+
AdministratorLoginPassword = "administrator_login_password",
|
|
33
|
+
PurgeProtectionEnabled = "purge_protection_enabled",
|
|
34
|
+
PrivateClusterEnabled = "private_cluster_enabled",
|
|
35
|
+
LocalAccountDisabled = "local_account_disabled",
|
|
36
|
+
HttpsOnly = "https_only",
|
|
37
|
+
SslEnforcementEnabled = "ssl_enforcement_enabled",
|
|
38
|
+
AdminEnabled = "admin_enabled",
|
|
39
|
+
RoleActions = "permissions.actions",
|
|
40
|
+
RoleDefinitionName = "role_definition_name",
|
|
41
|
+
NetworkRulesDefaultAction = "network_rules.default_action",
|
|
42
|
+
NetworkAclsDefaultAction = "network_acls.default_action",
|
|
43
|
+
DiskEncryptionSetId = "disk_encryption_set_id",
|
|
44
|
+
TargetResourceId = "target_resource_id",
|
|
45
|
+
EnableFrontendTls10 = "security.enable_frontend_tls10",
|
|
46
|
+
EnableFrontendTls11 = "security.enable_frontend_tls11",
|
|
47
|
+
EnableBackendSsl30 = "security.enable_backend_ssl30"
|
|
48
|
+
}
|
|
49
|
+
export declare enum BuiltInRole {
|
|
50
|
+
Owner = "Owner",
|
|
51
|
+
Contributor = "Contributor"
|
|
52
|
+
}
|
|
53
|
+
export declare enum NetworkDefaultAction {
|
|
54
|
+
Deny = "Deny"
|
|
55
|
+
}
|
|
56
|
+
export declare enum StorageTlsVersion {
|
|
57
|
+
Tls12 = "TLS1_2"
|
|
58
|
+
}
|
|
59
|
+
export declare enum SqlTlsVersion {
|
|
60
|
+
V10 = "1.0",
|
|
61
|
+
V11 = "1.1",
|
|
62
|
+
V12 = "1.2"
|
|
63
|
+
}
|
|
@@ -0,0 +1,88 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Azure (azurerm) vocabulary. Kept in its own provider module — not merged
|
|
4
|
+
* into the AWS `AwsResource`/`AwsAttribute` enums — so each cloud's `spec.ts`
|
|
5
|
+
* reads in its own idiom and the enums stay small ("Prose as Code"). The
|
|
6
|
+
* shared `AnyResource`/`AnyAttribute` unions (in ./index) let the
|
|
7
|
+
* cloud-neutral engine accept every provider's vocabulary.
|
|
8
|
+
*/
|
|
9
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
10
|
+
exports.SqlTlsVersion = exports.StorageTlsVersion = exports.NetworkDefaultAction = exports.BuiltInRole = exports.AzureAttribute = exports.AzureResource = void 0;
|
|
11
|
+
var AzureResource;
|
|
12
|
+
(function (AzureResource) {
|
|
13
|
+
AzureResource["NetworkSecurityGroup"] = "azurerm_network_security_group";
|
|
14
|
+
// Standalone NSG rule (the decomposed form of an inline `security_rule`).
|
|
15
|
+
AzureResource["NetworkSecurityRule"] = "azurerm_network_security_rule";
|
|
16
|
+
AzureResource["StorageAccount"] = "azurerm_storage_account";
|
|
17
|
+
AzureResource["MssqlServer"] = "azurerm_mssql_server";
|
|
18
|
+
AzureResource["KeyVault"] = "azurerm_key_vault";
|
|
19
|
+
AzureResource["KubernetesCluster"] = "azurerm_kubernetes_cluster";
|
|
20
|
+
AzureResource["LinuxWebApp"] = "azurerm_linux_web_app";
|
|
21
|
+
AzureResource["WindowsWebApp"] = "azurerm_windows_web_app";
|
|
22
|
+
AzureResource["PostgresqlServer"] = "azurerm_postgresql_server";
|
|
23
|
+
AzureResource["MysqlServer"] = "azurerm_mysql_server";
|
|
24
|
+
AzureResource["ContainerRegistry"] = "azurerm_container_registry";
|
|
25
|
+
AzureResource["CosmosdbAccount"] = "azurerm_cosmosdb_account";
|
|
26
|
+
AzureResource["RoleDefinition"] = "azurerm_role_definition";
|
|
27
|
+
AzureResource["RoleAssignment"] = "azurerm_role_assignment";
|
|
28
|
+
AzureResource["ManagedDisk"] = "azurerm_managed_disk";
|
|
29
|
+
AzureResource["MonitorDiagnosticSetting"] = "azurerm_monitor_diagnostic_setting";
|
|
30
|
+
AzureResource["ApiManagement"] = "azurerm_api_management";
|
|
31
|
+
})(AzureResource || (exports.AzureResource = AzureResource = {}));
|
|
32
|
+
var AzureAttribute;
|
|
33
|
+
(function (AzureAttribute) {
|
|
34
|
+
// Storage account
|
|
35
|
+
AzureAttribute["AllowNestedItemsToBePublic"] = "allow_nested_items_to_be_public";
|
|
36
|
+
AzureAttribute["MinTlsVersion"] = "min_tls_version";
|
|
37
|
+
AzureAttribute["PublicNetworkAccessEnabled"] = "public_network_access_enabled";
|
|
38
|
+
// MSSQL server
|
|
39
|
+
AzureAttribute["MinimumTlsVersion"] = "minimum_tls_version";
|
|
40
|
+
AzureAttribute["AdministratorLoginPassword"] = "administrator_login_password";
|
|
41
|
+
// Key Vault
|
|
42
|
+
AzureAttribute["PurgeProtectionEnabled"] = "purge_protection_enabled";
|
|
43
|
+
// AKS
|
|
44
|
+
AzureAttribute["PrivateClusterEnabled"] = "private_cluster_enabled";
|
|
45
|
+
AzureAttribute["LocalAccountDisabled"] = "local_account_disabled";
|
|
46
|
+
// App Service (Linux/Windows web app)
|
|
47
|
+
AzureAttribute["HttpsOnly"] = "https_only";
|
|
48
|
+
// PostgreSQL / MySQL single server
|
|
49
|
+
AzureAttribute["SslEnforcementEnabled"] = "ssl_enforcement_enabled";
|
|
50
|
+
// Container Registry
|
|
51
|
+
AzureAttribute["AdminEnabled"] = "admin_enabled";
|
|
52
|
+
// RBAC (role_definition permissions block flattens to a list)
|
|
53
|
+
AzureAttribute["RoleActions"] = "permissions.actions";
|
|
54
|
+
AzureAttribute["RoleDefinitionName"] = "role_definition_name";
|
|
55
|
+
// Network default-deny (nested) + CMK + diagnostic association
|
|
56
|
+
AzureAttribute["NetworkRulesDefaultAction"] = "network_rules.default_action";
|
|
57
|
+
AzureAttribute["NetworkAclsDefaultAction"] = "network_acls.default_action";
|
|
58
|
+
AzureAttribute["DiskEncryptionSetId"] = "disk_encryption_set_id";
|
|
59
|
+
AzureAttribute["TargetResourceId"] = "target_resource_id";
|
|
60
|
+
// API Management legacy protocol toggles (nested under `security`)
|
|
61
|
+
AzureAttribute["EnableFrontendTls10"] = "security.enable_frontend_tls10";
|
|
62
|
+
AzureAttribute["EnableFrontendTls11"] = "security.enable_frontend_tls11";
|
|
63
|
+
AzureAttribute["EnableBackendSsl30"] = "security.enable_backend_ssl30";
|
|
64
|
+
})(AzureAttribute || (exports.AzureAttribute = AzureAttribute = {}));
|
|
65
|
+
// Built-in Azure roles that grant broad control (for denyValue on an
|
|
66
|
+
// azurerm_role_assignment).
|
|
67
|
+
var BuiltInRole;
|
|
68
|
+
(function (BuiltInRole) {
|
|
69
|
+
BuiltInRole["Owner"] = "Owner";
|
|
70
|
+
BuiltInRole["Contributor"] = "Contributor";
|
|
71
|
+
})(BuiltInRole || (exports.BuiltInRole = BuiltInRole = {}));
|
|
72
|
+
// The secure default_action for storage/key-vault network rules.
|
|
73
|
+
var NetworkDefaultAction;
|
|
74
|
+
(function (NetworkDefaultAction) {
|
|
75
|
+
NetworkDefaultAction["Deny"] = "Deny";
|
|
76
|
+
})(NetworkDefaultAction || (exports.NetworkDefaultAction = NetworkDefaultAction = {}));
|
|
77
|
+
// Storage account TLS floor (note the storage-specific `TLS1_2` spelling).
|
|
78
|
+
var StorageTlsVersion;
|
|
79
|
+
(function (StorageTlsVersion) {
|
|
80
|
+
StorageTlsVersion["Tls12"] = "TLS1_2";
|
|
81
|
+
})(StorageTlsVersion || (exports.StorageTlsVersion = StorageTlsVersion = {}));
|
|
82
|
+
// MSSQL server TLS versions (a bare numeric string, unlike storage).
|
|
83
|
+
var SqlTlsVersion;
|
|
84
|
+
(function (SqlTlsVersion) {
|
|
85
|
+
SqlTlsVersion["V10"] = "1.0";
|
|
86
|
+
SqlTlsVersion["V11"] = "1.1";
|
|
87
|
+
SqlTlsVersion["V12"] = "1.2";
|
|
88
|
+
})(SqlTlsVersion || (exports.SqlTlsVersion = SqlTlsVersion = {}));
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* GCP (google) vocabulary. Its own provider module, like Azure's — behind
|
|
3
|
+
* the shared `AnyResource`/`AnyAttribute` unions in ./index. Members drop
|
|
4
|
+
* the provider prefix (`GcpResource.StorageBucket`), matching AWS/Azure.
|
|
5
|
+
*
|
|
6
|
+
* Note the concept-not-parity mapping: GCP's public-exposure and
|
|
7
|
+
* over-permission risks live in IAM *members* (`allUsers`) and *primitive
|
|
8
|
+
* roles* (`roles/owner`), which are the analog of an AWS `Action:"*"`
|
|
9
|
+
* wildcard — expressed here with the generic `denyValue` condition.
|
|
10
|
+
*/
|
|
11
|
+
export declare enum GcpResource {
|
|
12
|
+
ComputeFirewall = "google_compute_firewall",
|
|
13
|
+
StorageBucket = "google_storage_bucket",
|
|
14
|
+
StorageBucketIamMember = "google_storage_bucket_iam_member",
|
|
15
|
+
ProjectIamMember = "google_project_iam_member",
|
|
16
|
+
ComputeInstance = "google_compute_instance",
|
|
17
|
+
SqlDatabaseInstance = "google_sql_database_instance",
|
|
18
|
+
ContainerCluster = "google_container_cluster",
|
|
19
|
+
KmsCryptoKey = "google_kms_crypto_key",
|
|
20
|
+
ComputeSubnetwork = "google_compute_subnetwork"
|
|
21
|
+
}
|
|
22
|
+
export declare enum GcpAttribute {
|
|
23
|
+
PublicAccessPrevention = "public_access_prevention",
|
|
24
|
+
UniformBucketLevelAccess = "uniform_bucket_level_access",
|
|
25
|
+
Member = "member",
|
|
26
|
+
Role = "role",
|
|
27
|
+
ServiceAccountScopes = "service_account.scopes",
|
|
28
|
+
RootPassword = "root_password",
|
|
29
|
+
Ipv4Enabled = "settings.ip_configuration.ipv4_enabled",
|
|
30
|
+
SslMode = "settings.ip_configuration.ssl_mode",
|
|
31
|
+
CanIpForward = "can_ip_forward",
|
|
32
|
+
EnableSecureBoot = "shielded_instance_config.enable_secure_boot",
|
|
33
|
+
EnableLegacyAbac = "enable_legacy_abac",
|
|
34
|
+
EnablePrivateNodes = "private_cluster_config.enable_private_nodes",
|
|
35
|
+
NetworkPolicyEnabled = "network_policy.enabled",
|
|
36
|
+
RotationPeriod = "rotation_period",
|
|
37
|
+
VersioningEnabled = "versioning.enabled"
|
|
38
|
+
}
|
|
39
|
+
export declare enum PublicAccessPreventionMode {
|
|
40
|
+
Enforced = "enforced"
|
|
41
|
+
}
|
|
42
|
+
export declare enum IamMember {
|
|
43
|
+
AllUsers = "allUsers",
|
|
44
|
+
AllAuthenticatedUsers = "allAuthenticatedUsers"
|
|
45
|
+
}
|
|
46
|
+
export declare enum PrimitiveRole {
|
|
47
|
+
Owner = "roles/owner",
|
|
48
|
+
Editor = "roles/editor"
|
|
49
|
+
}
|
|
50
|
+
export declare enum OauthScope {
|
|
51
|
+
CloudPlatform = "https://www.googleapis.com/auth/cloud-platform",
|
|
52
|
+
CloudPlatformAlias = "cloud-platform"
|
|
53
|
+
}
|
|
54
|
+
export declare enum SqlSslMode {
|
|
55
|
+
EncryptedOnly = "ENCRYPTED_ONLY",
|
|
56
|
+
TrustedClientCertRequired = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED"
|
|
57
|
+
}
|
|
@@ -0,0 +1,80 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* GCP (google) vocabulary. Its own provider module, like Azure's — behind
|
|
4
|
+
* the shared `AnyResource`/`AnyAttribute` unions in ./index. Members drop
|
|
5
|
+
* the provider prefix (`GcpResource.StorageBucket`), matching AWS/Azure.
|
|
6
|
+
*
|
|
7
|
+
* Note the concept-not-parity mapping: GCP's public-exposure and
|
|
8
|
+
* over-permission risks live in IAM *members* (`allUsers`) and *primitive
|
|
9
|
+
* roles* (`roles/owner`), which are the analog of an AWS `Action:"*"`
|
|
10
|
+
* wildcard — expressed here with the generic `denyValue` condition.
|
|
11
|
+
*/
|
|
12
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
13
|
+
exports.SqlSslMode = exports.OauthScope = exports.PrimitiveRole = exports.IamMember = exports.PublicAccessPreventionMode = exports.GcpAttribute = exports.GcpResource = void 0;
|
|
14
|
+
var GcpResource;
|
|
15
|
+
(function (GcpResource) {
|
|
16
|
+
GcpResource["ComputeFirewall"] = "google_compute_firewall";
|
|
17
|
+
GcpResource["StorageBucket"] = "google_storage_bucket";
|
|
18
|
+
GcpResource["StorageBucketIamMember"] = "google_storage_bucket_iam_member";
|
|
19
|
+
GcpResource["ProjectIamMember"] = "google_project_iam_member";
|
|
20
|
+
GcpResource["ComputeInstance"] = "google_compute_instance";
|
|
21
|
+
GcpResource["SqlDatabaseInstance"] = "google_sql_database_instance";
|
|
22
|
+
GcpResource["ContainerCluster"] = "google_container_cluster";
|
|
23
|
+
GcpResource["KmsCryptoKey"] = "google_kms_crypto_key";
|
|
24
|
+
GcpResource["ComputeSubnetwork"] = "google_compute_subnetwork";
|
|
25
|
+
})(GcpResource || (exports.GcpResource = GcpResource = {}));
|
|
26
|
+
var GcpAttribute;
|
|
27
|
+
(function (GcpAttribute) {
|
|
28
|
+
// Storage bucket
|
|
29
|
+
GcpAttribute["PublicAccessPrevention"] = "public_access_prevention";
|
|
30
|
+
GcpAttribute["UniformBucketLevelAccess"] = "uniform_bucket_level_access";
|
|
31
|
+
// IAM member (bucket + project)
|
|
32
|
+
GcpAttribute["Member"] = "member";
|
|
33
|
+
GcpAttribute["Role"] = "role";
|
|
34
|
+
// Compute instance (nested → dotted)
|
|
35
|
+
GcpAttribute["ServiceAccountScopes"] = "service_account.scopes";
|
|
36
|
+
// Cloud SQL
|
|
37
|
+
GcpAttribute["RootPassword"] = "root_password";
|
|
38
|
+
GcpAttribute["Ipv4Enabled"] = "settings.ip_configuration.ipv4_enabled";
|
|
39
|
+
GcpAttribute["SslMode"] = "settings.ip_configuration.ssl_mode";
|
|
40
|
+
// Compute instance hardening
|
|
41
|
+
GcpAttribute["CanIpForward"] = "can_ip_forward";
|
|
42
|
+
GcpAttribute["EnableSecureBoot"] = "shielded_instance_config.enable_secure_boot";
|
|
43
|
+
// GKE (google_container_cluster)
|
|
44
|
+
GcpAttribute["EnableLegacyAbac"] = "enable_legacy_abac";
|
|
45
|
+
GcpAttribute["EnablePrivateNodes"] = "private_cluster_config.enable_private_nodes";
|
|
46
|
+
GcpAttribute["NetworkPolicyEnabled"] = "network_policy.enabled";
|
|
47
|
+
// KMS
|
|
48
|
+
GcpAttribute["RotationPeriod"] = "rotation_period";
|
|
49
|
+
// Storage bucket hardening
|
|
50
|
+
GcpAttribute["VersioningEnabled"] = "versioning.enabled";
|
|
51
|
+
})(GcpAttribute || (exports.GcpAttribute = GcpAttribute = {}));
|
|
52
|
+
var PublicAccessPreventionMode;
|
|
53
|
+
(function (PublicAccessPreventionMode) {
|
|
54
|
+
PublicAccessPreventionMode["Enforced"] = "enforced";
|
|
55
|
+
})(PublicAccessPreventionMode || (exports.PublicAccessPreventionMode = PublicAccessPreventionMode = {}));
|
|
56
|
+
// Public IAM principals — the GCP "public exposure" anti-pattern.
|
|
57
|
+
var IamMember;
|
|
58
|
+
(function (IamMember) {
|
|
59
|
+
IamMember["AllUsers"] = "allUsers";
|
|
60
|
+
IamMember["AllAuthenticatedUsers"] = "allAuthenticatedUsers";
|
|
61
|
+
})(IamMember || (exports.IamMember = IamMember = {}));
|
|
62
|
+
// Primitive roles — the GCP over-permission anti-pattern (analog of `*`).
|
|
63
|
+
var PrimitiveRole;
|
|
64
|
+
(function (PrimitiveRole) {
|
|
65
|
+
PrimitiveRole["Owner"] = "roles/owner";
|
|
66
|
+
PrimitiveRole["Editor"] = "roles/editor";
|
|
67
|
+
})(PrimitiveRole || (exports.PrimitiveRole = PrimitiveRole = {}));
|
|
68
|
+
// Broad OAuth scopes on an instance service account (both alias + full URL).
|
|
69
|
+
var OauthScope;
|
|
70
|
+
(function (OauthScope) {
|
|
71
|
+
OauthScope["CloudPlatform"] = "https://www.googleapis.com/auth/cloud-platform";
|
|
72
|
+
OauthScope["CloudPlatformAlias"] = "cloud-platform";
|
|
73
|
+
})(OauthScope || (exports.OauthScope = OauthScope = {}));
|
|
74
|
+
// Cloud SQL SSL modes considered secure (the insecure default is
|
|
75
|
+
// ALLOW_UNENCRYPTED_AND_ENCRYPTED). Use with `mustBeOneOf`.
|
|
76
|
+
var SqlSslMode;
|
|
77
|
+
(function (SqlSslMode) {
|
|
78
|
+
SqlSslMode["EncryptedOnly"] = "ENCRYPTED_ONLY";
|
|
79
|
+
SqlSslMode["TrustedClientCertRequired"] = "TRUSTED_CLIENT_CERTIFICATE_REQUIRED";
|
|
80
|
+
})(SqlSslMode || (exports.SqlSslMode = SqlSslMode = {}));
|
|
@@ -0,0 +1,174 @@
|
|
|
1
|
+
import { AzureResource, AzureAttribute } from './azure';
|
|
2
|
+
import { GcpResource, GcpAttribute } from './gcp';
|
|
3
|
+
/**
|
|
4
|
+
* Closed vocabulary for every domain value (doc 02). No bare strings.
|
|
5
|
+
*
|
|
6
|
+
* NOTE: doc 02 specifies `const enum`. We use regular `enum` here because
|
|
7
|
+
* `const enum` cannot be inlined across files by the esbuild/Vitest
|
|
8
|
+
* transpiler under `isolatedModules`. Regular `enum` gives the identical
|
|
9
|
+
* typo-safety (a misspelled member is a compile error); only cross-file
|
|
10
|
+
* inlining differs, which is irrelevant here. See doc 02 note.
|
|
11
|
+
*/
|
|
12
|
+
export declare enum AwsResource {
|
|
13
|
+
SecurityGroup = "aws_security_group",
|
|
14
|
+
VpcSecurityGroupIngressRule = "aws_vpc_security_group_ingress_rule",
|
|
15
|
+
DbInstance = "aws_db_instance",
|
|
16
|
+
S3Bucket = "aws_s3_bucket",
|
|
17
|
+
S3BucketAcl = "aws_s3_bucket_acl",
|
|
18
|
+
S3BucketPublicAccessBlock = "aws_s3_bucket_public_access_block",
|
|
19
|
+
S3BucketPolicy = "aws_s3_bucket_policy",
|
|
20
|
+
EbsVolume = "aws_ebs_volume",
|
|
21
|
+
EfsFileSystem = "aws_efs_file_system",
|
|
22
|
+
KmsKey = "aws_kms_key",
|
|
23
|
+
Instance = "aws_instance",
|
|
24
|
+
DynamodbTable = "aws_dynamodb_table",
|
|
25
|
+
EcrRepository = "aws_ecr_repository",
|
|
26
|
+
IamPolicy = "aws_iam_policy",
|
|
27
|
+
IamRolePolicy = "aws_iam_role_policy",
|
|
28
|
+
EcsService = "aws_ecs_service",
|
|
29
|
+
EksCluster = "aws_eks_cluster",
|
|
30
|
+
Lb = "aws_lb",
|
|
31
|
+
LbListener = "aws_lb_listener",
|
|
32
|
+
EcsTaskDefinition = "aws_ecs_task_definition",
|
|
33
|
+
SecretsmanagerSecretVersion = "aws_secretsmanager_secret_version",
|
|
34
|
+
RdsCluster = "aws_rds_cluster",
|
|
35
|
+
RedshiftCluster = "aws_redshift_cluster",
|
|
36
|
+
ElasticacheReplicationGroup = "aws_elasticache_replication_group",
|
|
37
|
+
S3BucketServerSideEncryptionConfiguration = "aws_s3_bucket_server_side_encryption_configuration",
|
|
38
|
+
S3BucketVersioning = "aws_s3_bucket_versioning",
|
|
39
|
+
SecretsmanagerSecret = "aws_secretsmanager_secret",
|
|
40
|
+
SecretsmanagerSecretRotation = "aws_secretsmanager_secret_rotation",
|
|
41
|
+
Vpc = "aws_vpc",
|
|
42
|
+
FlowLog = "aws_flow_log",
|
|
43
|
+
Subnet = "aws_subnet",
|
|
44
|
+
Cloudtrail = "aws_cloudtrail",
|
|
45
|
+
IamAccountPasswordPolicy = "aws_iam_account_password_policy",
|
|
46
|
+
ApiGatewayMethod = "aws_api_gateway_method",
|
|
47
|
+
ApiGatewayStage = "aws_api_gateway_stage",
|
|
48
|
+
Apigatewayv2Stage = "aws_apigatewayv2_stage"
|
|
49
|
+
}
|
|
50
|
+
export declare enum Block {
|
|
51
|
+
EncryptionConfig = "encryption_config",
|
|
52
|
+
NetworkInterfaceAccessConfig = "network_interface.access_config",
|
|
53
|
+
LogConfig = "log_config",
|
|
54
|
+
Logging = "logging",
|
|
55
|
+
AccessLogSettings = "access_log_settings"
|
|
56
|
+
}
|
|
57
|
+
export declare enum Wildcard {
|
|
58
|
+
All = "*"
|
|
59
|
+
}
|
|
60
|
+
export declare enum ApiGatewayAuthorization {
|
|
61
|
+
None = "NONE"
|
|
62
|
+
}
|
|
63
|
+
export { AzureResource, AzureAttribute, StorageTlsVersion, SqlTlsVersion, BuiltInRole, NetworkDefaultAction, } from './azure';
|
|
64
|
+
export { GcpResource, GcpAttribute, PublicAccessPreventionMode, IamMember, PrimitiveRole, OauthScope, SqlSslMode, } from './gcp';
|
|
65
|
+
export type AnyResource = AwsResource | AzureResource | GcpResource;
|
|
66
|
+
export type AnyAttribute = AwsAttribute | AzureAttribute | GcpAttribute;
|
|
67
|
+
export declare enum Port {
|
|
68
|
+
SSH = 22,
|
|
69
|
+
RDP = 3389,
|
|
70
|
+
Postgres = 5432,
|
|
71
|
+
MySQL = 3306
|
|
72
|
+
}
|
|
73
|
+
export declare enum Cidr {
|
|
74
|
+
Internet = "0.0.0.0/0",
|
|
75
|
+
InternetV6 = "::/0"
|
|
76
|
+
}
|
|
77
|
+
export declare enum Effect {
|
|
78
|
+
Block = "block",
|
|
79
|
+
Warn = "warn",
|
|
80
|
+
RequireApproval = "require_approval"
|
|
81
|
+
}
|
|
82
|
+
export declare enum Tag {
|
|
83
|
+
Team = "team",
|
|
84
|
+
CostCenter = "cost_center",
|
|
85
|
+
Environment = "environment",
|
|
86
|
+
DataClassification = "data_classification"
|
|
87
|
+
}
|
|
88
|
+
export declare enum AwsAttribute {
|
|
89
|
+
StorageEncrypted = "storage_encrypted",
|
|
90
|
+
PubliclyAccessible = "publicly_accessible",
|
|
91
|
+
MultiAz = "multi_az",
|
|
92
|
+
DeletionProtection = "deletion_protection",
|
|
93
|
+
IamDatabaseAuthenticationEnabled = "iam_database_authentication_enabled",
|
|
94
|
+
Encrypted = "encrypted",
|
|
95
|
+
EnableKeyRotation = "enable_key_rotation",
|
|
96
|
+
BlockPublicAcls = "block_public_acls",
|
|
97
|
+
BlockPublicPolicy = "block_public_policy",
|
|
98
|
+
IgnorePublicAcls = "ignore_public_acls",
|
|
99
|
+
RestrictPublicBuckets = "restrict_public_buckets",
|
|
100
|
+
BackupRetentionPeriod = "backup_retention_period",
|
|
101
|
+
HttpTokens = "metadata_options.http_tokens",
|
|
102
|
+
ServerSideEncryptionEnabled = "server_side_encryption.enabled",
|
|
103
|
+
PointInTimeRecoveryEnabled = "point_in_time_recovery.enabled",
|
|
104
|
+
ImageScanOnPush = "image_scanning_configuration.scan_on_push",
|
|
105
|
+
RootBlockDeviceEncrypted = "root_block_device.encrypted",
|
|
106
|
+
AssociatePublicIpAddress = "associate_public_ip_address",
|
|
107
|
+
AssignPublicIp = "network_configuration.assign_public_ip",
|
|
108
|
+
EndpointPublicAccess = "vpc_config.endpoint_public_access",
|
|
109
|
+
AccessLogsEnabled = "access_logs.enabled",
|
|
110
|
+
DropInvalidHeaderFields = "drop_invalid_header_fields",
|
|
111
|
+
PublicAccessCidrs = "vpc_config.public_access_cidrs",
|
|
112
|
+
EnabledClusterLogTypes = "enabled_cluster_log_types",
|
|
113
|
+
SslPolicy = "ssl_policy",
|
|
114
|
+
Protocol = "protocol",
|
|
115
|
+
SecretString = "secret_string",
|
|
116
|
+
Password = "password",
|
|
117
|
+
MasterPassword = "master_password",
|
|
118
|
+
AuthToken = "auth_token",
|
|
119
|
+
Bucket = "bucket",
|
|
120
|
+
SecretId = "secret_id",
|
|
121
|
+
VpcId = "vpc_id",
|
|
122
|
+
MapPublicIpOnLaunch = "map_public_ip_on_launch",
|
|
123
|
+
AssignIpv6AddressOnCreation = "assign_ipv6_address_on_creation",
|
|
124
|
+
IsMultiRegionTrail = "is_multi_region_trail",
|
|
125
|
+
EnableLogFileValidation = "enable_log_file_validation",
|
|
126
|
+
KmsKeyId = "kms_key_id",
|
|
127
|
+
MinimumPasswordLength = "minimum_password_length",
|
|
128
|
+
RequireSymbols = "require_symbols",
|
|
129
|
+
RequireNumbers = "require_numbers",
|
|
130
|
+
RequireUppercaseCharacters = "require_uppercase_characters",
|
|
131
|
+
RequireLowercaseCharacters = "require_lowercase_characters",
|
|
132
|
+
PasswordReusePrevention = "password_reuse_prevention",
|
|
133
|
+
MaxPasswordAge = "max_password_age",
|
|
134
|
+
Authorization = "authorization",
|
|
135
|
+
XrayTracingEnabled = "xray_tracing_enabled"
|
|
136
|
+
}
|
|
137
|
+
export declare enum TlsPolicy {
|
|
138
|
+
Legacy2015 = "ELBSecurityPolicy-2015-05",
|
|
139
|
+
Tls10 = "ELBSecurityPolicy-TLS-1-0-2015-04",
|
|
140
|
+
Tls11 = "ELBSecurityPolicy-TLS-1-1-2017-01"
|
|
141
|
+
}
|
|
142
|
+
export declare enum Protocol {
|
|
143
|
+
Http = "HTTP",
|
|
144
|
+
Https = "HTTPS",
|
|
145
|
+
Tcp = "TCP",
|
|
146
|
+
Tls = "TLS"
|
|
147
|
+
}
|
|
148
|
+
export declare enum EksLogType {
|
|
149
|
+
Api = "api",
|
|
150
|
+
Audit = "audit",
|
|
151
|
+
Authenticator = "authenticator",
|
|
152
|
+
ControllerManager = "controllerManager",
|
|
153
|
+
Scheduler = "scheduler"
|
|
154
|
+
}
|
|
155
|
+
export declare enum HttpTokens {
|
|
156
|
+
Optional = "optional",
|
|
157
|
+
Required = "required"
|
|
158
|
+
}
|
|
159
|
+
export declare enum Acl {
|
|
160
|
+
Private = "private",
|
|
161
|
+
PublicRead = "public-read",
|
|
162
|
+
PublicReadWrite = "public-read-write"
|
|
163
|
+
}
|
|
164
|
+
export declare enum Environment {
|
|
165
|
+
Development = "development",
|
|
166
|
+
Staging = "staging",
|
|
167
|
+
Production = "production"
|
|
168
|
+
}
|
|
169
|
+
export declare enum Approver {
|
|
170
|
+
PlatformTeam = "platform-team",
|
|
171
|
+
SecurityArchitect = "security-architect",
|
|
172
|
+
FinOps = "finops",
|
|
173
|
+
SRE = "sre"
|
|
174
|
+
}
|