@dotzen/dotzen 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,235 @@
1
+ "use strict";
2
+ Object.defineProperty(exports, "__esModule", { value: true });
3
+ exports.Approver = exports.Environment = exports.Acl = exports.HttpTokens = exports.EksLogType = exports.Protocol = exports.TlsPolicy = exports.AwsAttribute = exports.Tag = exports.Effect = exports.Cidr = exports.Port = exports.SqlSslMode = exports.OauthScope = exports.PrimitiveRole = exports.IamMember = exports.PublicAccessPreventionMode = exports.GcpAttribute = exports.GcpResource = exports.NetworkDefaultAction = exports.BuiltInRole = exports.SqlTlsVersion = exports.StorageTlsVersion = exports.AzureAttribute = exports.AzureResource = exports.ApiGatewayAuthorization = exports.Wildcard = exports.Block = exports.AwsResource = void 0;
4
+ /**
5
+ * Closed vocabulary for every domain value (doc 02). No bare strings.
6
+ *
7
+ * NOTE: doc 02 specifies `const enum`. We use regular `enum` here because
8
+ * `const enum` cannot be inlined across files by the esbuild/Vitest
9
+ * transpiler under `isolatedModules`. Regular `enum` gives the identical
10
+ * typo-safety (a misspelled member is a compile error); only cross-file
11
+ * inlining differs, which is irrelevant here. See doc 02 note.
12
+ */
13
+ var AwsResource;
14
+ (function (AwsResource) {
15
+ AwsResource["SecurityGroup"] = "aws_security_group";
16
+ // The modern decomposed form of security-group ingress.
17
+ AwsResource["VpcSecurityGroupIngressRule"] = "aws_vpc_security_group_ingress_rule";
18
+ AwsResource["DbInstance"] = "aws_db_instance";
19
+ AwsResource["S3Bucket"] = "aws_s3_bucket";
20
+ // The modern decomposed form of an S3 bucket ACL (inline `acl` was
21
+ // deprecated in AWS provider v4).
22
+ AwsResource["S3BucketAcl"] = "aws_s3_bucket_acl";
23
+ AwsResource["S3BucketPublicAccessBlock"] = "aws_s3_bucket_public_access_block";
24
+ AwsResource["S3BucketPolicy"] = "aws_s3_bucket_policy";
25
+ AwsResource["EbsVolume"] = "aws_ebs_volume";
26
+ AwsResource["EfsFileSystem"] = "aws_efs_file_system";
27
+ AwsResource["KmsKey"] = "aws_kms_key";
28
+ AwsResource["Instance"] = "aws_instance";
29
+ AwsResource["DynamodbTable"] = "aws_dynamodb_table";
30
+ AwsResource["EcrRepository"] = "aws_ecr_repository";
31
+ AwsResource["IamPolicy"] = "aws_iam_policy";
32
+ AwsResource["IamRolePolicy"] = "aws_iam_role_policy";
33
+ AwsResource["EcsService"] = "aws_ecs_service";
34
+ AwsResource["EksCluster"] = "aws_eks_cluster";
35
+ AwsResource["Lb"] = "aws_lb";
36
+ AwsResource["LbListener"] = "aws_lb_listener";
37
+ AwsResource["EcsTaskDefinition"] = "aws_ecs_task_definition";
38
+ AwsResource["SecretsmanagerSecretVersion"] = "aws_secretsmanager_secret_version";
39
+ AwsResource["RdsCluster"] = "aws_rds_cluster";
40
+ AwsResource["RedshiftCluster"] = "aws_redshift_cluster";
41
+ AwsResource["ElasticacheReplicationGroup"] = "aws_elasticache_replication_group";
42
+ AwsResource["S3BucketServerSideEncryptionConfiguration"] = "aws_s3_bucket_server_side_encryption_configuration";
43
+ AwsResource["S3BucketVersioning"] = "aws_s3_bucket_versioning";
44
+ AwsResource["SecretsmanagerSecret"] = "aws_secretsmanager_secret";
45
+ AwsResource["SecretsmanagerSecretRotation"] = "aws_secretsmanager_secret_rotation";
46
+ AwsResource["Vpc"] = "aws_vpc";
47
+ AwsResource["FlowLog"] = "aws_flow_log";
48
+ AwsResource["Subnet"] = "aws_subnet";
49
+ AwsResource["Cloudtrail"] = "aws_cloudtrail";
50
+ AwsResource["IamAccountPasswordPolicy"] = "aws_iam_account_password_policy";
51
+ AwsResource["ApiGatewayMethod"] = "aws_api_gateway_method";
52
+ AwsResource["ApiGatewayStage"] = "aws_api_gateway_stage";
53
+ AwsResource["Apigatewayv2Stage"] = "aws_apigatewayv2_stage";
54
+ })(AwsResource || (exports.AwsResource = AwsResource = {}));
55
+ // Nested block names/paths, for `mustHaveBlock` / `denyBlockPresence`.
56
+ var Block;
57
+ (function (Block) {
58
+ Block["EncryptionConfig"] = "encryption_config";
59
+ // A GCP instance access_config (nested in network_interface) = public IP.
60
+ Block["NetworkInterfaceAccessConfig"] = "network_interface.access_config";
61
+ // GCP subnetwork VPC flow logs / storage bucket access logging.
62
+ Block["LogConfig"] = "log_config";
63
+ Block["Logging"] = "logging";
64
+ // AWS API Gateway stage access logging.
65
+ Block["AccessLogSettings"] = "access_log_settings";
66
+ })(Block || (exports.Block = Block = {}));
67
+ // Wildcard sentinel for list/value checks (e.g. an IAM/RBAC action of "*").
68
+ var Wildcard;
69
+ (function (Wildcard) {
70
+ Wildcard["All"] = "*";
71
+ })(Wildcard || (exports.Wildcard = Wildcard = {}));
72
+ // AWS API Gateway method authorization types. `NONE` = unauthenticated.
73
+ var ApiGatewayAuthorization;
74
+ (function (ApiGatewayAuthorization) {
75
+ ApiGatewayAuthorization["None"] = "NONE";
76
+ })(ApiGatewayAuthorization || (exports.ApiGatewayAuthorization = ApiGatewayAuthorization = {}));
77
+ // Multi-provider surface: the cloud-neutral engine (rules, conditions,
78
+ // normalized model) accepts any provider's resource/attribute vocabulary
79
+ // via these unions. Add a provider = add its module to the union here.
80
+ var azure_1 = require("./azure");
81
+ Object.defineProperty(exports, "AzureResource", { enumerable: true, get: function () { return azure_1.AzureResource; } });
82
+ Object.defineProperty(exports, "AzureAttribute", { enumerable: true, get: function () { return azure_1.AzureAttribute; } });
83
+ Object.defineProperty(exports, "StorageTlsVersion", { enumerable: true, get: function () { return azure_1.StorageTlsVersion; } });
84
+ Object.defineProperty(exports, "SqlTlsVersion", { enumerable: true, get: function () { return azure_1.SqlTlsVersion; } });
85
+ Object.defineProperty(exports, "BuiltInRole", { enumerable: true, get: function () { return azure_1.BuiltInRole; } });
86
+ Object.defineProperty(exports, "NetworkDefaultAction", { enumerable: true, get: function () { return azure_1.NetworkDefaultAction; } });
87
+ var gcp_1 = require("./gcp");
88
+ Object.defineProperty(exports, "GcpResource", { enumerable: true, get: function () { return gcp_1.GcpResource; } });
89
+ Object.defineProperty(exports, "GcpAttribute", { enumerable: true, get: function () { return gcp_1.GcpAttribute; } });
90
+ Object.defineProperty(exports, "PublicAccessPreventionMode", { enumerable: true, get: function () { return gcp_1.PublicAccessPreventionMode; } });
91
+ Object.defineProperty(exports, "IamMember", { enumerable: true, get: function () { return gcp_1.IamMember; } });
92
+ Object.defineProperty(exports, "PrimitiveRole", { enumerable: true, get: function () { return gcp_1.PrimitiveRole; } });
93
+ Object.defineProperty(exports, "OauthScope", { enumerable: true, get: function () { return gcp_1.OauthScope; } });
94
+ Object.defineProperty(exports, "SqlSslMode", { enumerable: true, get: function () { return gcp_1.SqlSslMode; } });
95
+ var Port;
96
+ (function (Port) {
97
+ Port[Port["SSH"] = 22] = "SSH";
98
+ Port[Port["RDP"] = 3389] = "RDP";
99
+ Port[Port["Postgres"] = 5432] = "Postgres";
100
+ Port[Port["MySQL"] = 3306] = "MySQL";
101
+ })(Port || (exports.Port = Port = {}));
102
+ var Cidr;
103
+ (function (Cidr) {
104
+ Cidr["Internet"] = "0.0.0.0/0";
105
+ Cidr["InternetV6"] = "::/0";
106
+ })(Cidr || (exports.Cidr = Cidr = {}));
107
+ var Effect;
108
+ (function (Effect) {
109
+ Effect["Block"] = "block";
110
+ Effect["Warn"] = "warn";
111
+ Effect["RequireApproval"] = "require_approval";
112
+ })(Effect || (exports.Effect = Effect = {}));
113
+ var Tag;
114
+ (function (Tag) {
115
+ Tag["Team"] = "team";
116
+ Tag["CostCenter"] = "cost_center";
117
+ Tag["Environment"] = "environment";
118
+ Tag["DataClassification"] = "data_classification";
119
+ })(Tag || (exports.Tag = Tag = {}));
120
+ var AwsAttribute;
121
+ (function (AwsAttribute) {
122
+ AwsAttribute["StorageEncrypted"] = "storage_encrypted";
123
+ AwsAttribute["PubliclyAccessible"] = "publicly_accessible";
124
+ AwsAttribute["MultiAz"] = "multi_az";
125
+ AwsAttribute["DeletionProtection"] = "deletion_protection";
126
+ AwsAttribute["IamDatabaseAuthenticationEnabled"] = "iam_database_authentication_enabled";
127
+ // Encryption at rest (aws_ebs_volume, aws_efs_file_system)
128
+ AwsAttribute["Encrypted"] = "encrypted";
129
+ // aws_kms_key
130
+ AwsAttribute["EnableKeyRotation"] = "enable_key_rotation";
131
+ // aws_s3_bucket_public_access_block
132
+ AwsAttribute["BlockPublicAcls"] = "block_public_acls";
133
+ AwsAttribute["BlockPublicPolicy"] = "block_public_policy";
134
+ AwsAttribute["IgnorePublicAcls"] = "ignore_public_acls";
135
+ AwsAttribute["RestrictPublicBuckets"] = "restrict_public_buckets";
136
+ AwsAttribute["BackupRetentionPeriod"] = "backup_retention_period";
137
+ // Nested-block attributes are addressed with a dotted path (the engine
138
+ // flattens `block { attr = ... }` to `block.attr`).
139
+ AwsAttribute["HttpTokens"] = "metadata_options.http_tokens";
140
+ AwsAttribute["ServerSideEncryptionEnabled"] = "server_side_encryption.enabled";
141
+ AwsAttribute["PointInTimeRecoveryEnabled"] = "point_in_time_recovery.enabled";
142
+ AwsAttribute["ImageScanOnPush"] = "image_scanning_configuration.scan_on_push";
143
+ // EC2 instance
144
+ AwsAttribute["RootBlockDeviceEncrypted"] = "root_block_device.encrypted";
145
+ AwsAttribute["AssociatePublicIpAddress"] = "associate_public_ip_address";
146
+ // ECS / EKS / ELB
147
+ AwsAttribute["AssignPublicIp"] = "network_configuration.assign_public_ip";
148
+ AwsAttribute["EndpointPublicAccess"] = "vpc_config.endpoint_public_access";
149
+ AwsAttribute["AccessLogsEnabled"] = "access_logs.enabled";
150
+ AwsAttribute["DropInvalidHeaderFields"] = "drop_invalid_header_fields";
151
+ // List-valued (EKS)
152
+ AwsAttribute["PublicAccessCidrs"] = "vpc_config.public_access_cidrs";
153
+ AwsAttribute["EnabledClusterLogTypes"] = "enabled_cluster_log_types";
154
+ // ALB / NLB listener
155
+ AwsAttribute["SslPolicy"] = "ssl_policy";
156
+ AwsAttribute["Protocol"] = "protocol";
157
+ // Secret-bearing attributes (must be a reference, never a literal)
158
+ AwsAttribute["SecretString"] = "secret_string";
159
+ AwsAttribute["Password"] = "password";
160
+ AwsAttribute["MasterPassword"] = "master_password";
161
+ AwsAttribute["AuthToken"] = "auth_token";
162
+ // Cross-resource association keys (child -> parent, for mustHaveAssociated)
163
+ AwsAttribute["Bucket"] = "bucket";
164
+ AwsAttribute["SecretId"] = "secret_id";
165
+ AwsAttribute["VpcId"] = "vpc_id";
166
+ // VPC subnet exposure
167
+ AwsAttribute["MapPublicIpOnLaunch"] = "map_public_ip_on_launch";
168
+ AwsAttribute["AssignIpv6AddressOnCreation"] = "assign_ipv6_address_on_creation";
169
+ // CloudTrail (audit logging)
170
+ AwsAttribute["IsMultiRegionTrail"] = "is_multi_region_trail";
171
+ AwsAttribute["EnableLogFileValidation"] = "enable_log_file_validation";
172
+ AwsAttribute["KmsKeyId"] = "kms_key_id";
173
+ // IAM account password policy
174
+ AwsAttribute["MinimumPasswordLength"] = "minimum_password_length";
175
+ AwsAttribute["RequireSymbols"] = "require_symbols";
176
+ AwsAttribute["RequireNumbers"] = "require_numbers";
177
+ AwsAttribute["RequireUppercaseCharacters"] = "require_uppercase_characters";
178
+ AwsAttribute["RequireLowercaseCharacters"] = "require_lowercase_characters";
179
+ AwsAttribute["PasswordReusePrevention"] = "password_reuse_prevention";
180
+ AwsAttribute["MaxPasswordAge"] = "max_password_age";
181
+ // API Gateway
182
+ AwsAttribute["Authorization"] = "authorization";
183
+ AwsAttribute["XrayTracingEnabled"] = "xray_tracing_enabled";
184
+ })(AwsAttribute || (exports.AwsAttribute = AwsAttribute = {}));
185
+ // Known weak ELB TLS policies (permit TLS 1.0/1.1). Use with `denyValue`.
186
+ var TlsPolicy;
187
+ (function (TlsPolicy) {
188
+ TlsPolicy["Legacy2015"] = "ELBSecurityPolicy-2015-05";
189
+ TlsPolicy["Tls10"] = "ELBSecurityPolicy-TLS-1-0-2015-04";
190
+ TlsPolicy["Tls11"] = "ELBSecurityPolicy-TLS-1-1-2017-01";
191
+ })(TlsPolicy || (exports.TlsPolicy = TlsPolicy = {}));
192
+ // Listener protocols (for `denyValue` on plaintext).
193
+ var Protocol;
194
+ (function (Protocol) {
195
+ Protocol["Http"] = "HTTP";
196
+ Protocol["Https"] = "HTTPS";
197
+ Protocol["Tcp"] = "TCP";
198
+ Protocol["Tls"] = "TLS";
199
+ })(Protocol || (exports.Protocol = Protocol = {}));
200
+ // EKS control-plane log types (for `listMustInclude`).
201
+ var EksLogType;
202
+ (function (EksLogType) {
203
+ EksLogType["Api"] = "api";
204
+ EksLogType["Audit"] = "audit";
205
+ EksLogType["Authenticator"] = "authenticator";
206
+ EksLogType["ControllerManager"] = "controllerManager";
207
+ EksLogType["Scheduler"] = "scheduler";
208
+ })(EksLogType || (exports.EksLogType = EksLogType = {}));
209
+ // Closed value set for EC2 instance metadata tokens (IMDSv1 vs IMDSv2).
210
+ var HttpTokens;
211
+ (function (HttpTokens) {
212
+ HttpTokens["Optional"] = "optional";
213
+ HttpTokens["Required"] = "required";
214
+ })(HttpTokens || (exports.HttpTokens = HttpTokens = {}));
215
+ var Acl;
216
+ (function (Acl) {
217
+ Acl["Private"] = "private";
218
+ Acl["PublicRead"] = "public-read";
219
+ Acl["PublicReadWrite"] = "public-read-write";
220
+ })(Acl || (exports.Acl = Acl = {}));
221
+ var Environment;
222
+ (function (Environment) {
223
+ Environment["Development"] = "development";
224
+ Environment["Staging"] = "staging";
225
+ Environment["Production"] = "production";
226
+ })(Environment || (exports.Environment = Environment = {}));
227
+ // Org-defined approval groups/roles. Enum-backed like every other domain
228
+ // value so a typo'd approver is a compile error, not a misrouted approval.
229
+ var Approver;
230
+ (function (Approver) {
231
+ Approver["PlatformTeam"] = "platform-team";
232
+ Approver["SecurityArchitect"] = "security-architect";
233
+ Approver["FinOps"] = "finops";
234
+ Approver["SRE"] = "sre";
235
+ })(Approver || (exports.Approver = Approver = {}));
package/package.json ADDED
@@ -0,0 +1,74 @@
1
+ {
2
+ "name": "@dotzen/dotzen",
3
+ "version": "0.0.1",
4
+ "description": "Prose as Code — governance for AI-generated Terraform (AWS, Azure, GCP).",
5
+ "license": "MIT",
6
+ "keywords": [
7
+ "terraform",
8
+ "hcl",
9
+ "governance",
10
+ "policy-as-code",
11
+ "iac",
12
+ "security",
13
+ "cis",
14
+ "compliance",
15
+ "aws",
16
+ "azure",
17
+ "gcp"
18
+ ],
19
+ "repository": {
20
+ "type": "git",
21
+ "url": "git+https://gitlab.com/governance-tools/dotzen.git",
22
+ "directory": "packages/cli"
23
+ },
24
+ "homepage": "https://gitlab.com/governance-tools/dotzen#readme",
25
+ "bugs": {
26
+ "url": "https://gitlab.com/governance-tools/dotzen/-/issues"
27
+ },
28
+ "bin": {
29
+ "dotzen": "./bin/dotzen.js"
30
+ },
31
+ "main": "./dist/index.js",
32
+ "types": "./dist/index.d.ts",
33
+ "exports": {
34
+ ".": {
35
+ "types": "./dist/index.d.ts",
36
+ "default": "./dist/index.js"
37
+ }
38
+ },
39
+ "files": [
40
+ "dist",
41
+ "bin"
42
+ ],
43
+ "engines": {
44
+ "node": ">=18"
45
+ },
46
+ "publishConfig": {
47
+ "access": "public"
48
+ },
49
+ "scripts": {
50
+ "build": "tsc -p tsconfig.build.json",
51
+ "typecheck": "tsc --noEmit",
52
+ "test": "vitest run src",
53
+ "test:integration": "vitest run tests",
54
+ "coverage": "vitest run --coverage",
55
+ "lint": "eslint .",
56
+ "format:check": "prettier --check .",
57
+ "format": "prettier --write .",
58
+ "prepublishOnly": "npm run build"
59
+ },
60
+ "dependencies": {
61
+ "@cdktf/hcl2json": "^0.21.0",
62
+ "jiti": "^2.4.2"
63
+ },
64
+ "devDependencies": {
65
+ "@types/node": "^22.10.5",
66
+ "@vitest/coverage-v8": "^4.1.10",
67
+ "eslint": "^9.17.0",
68
+ "eslint-plugin-security": "^3.0.1",
69
+ "prettier": "^3.4.2",
70
+ "typescript": "^5.7.2",
71
+ "typescript-eslint": "^8.19.0",
72
+ "vitest": "^4.1.10"
73
+ }
74
+ }