This cookiecutter generates the shell of a c7n-left policy.
Install Cookiecutter and run:
```
cookiecutter -fso <policy root directory> gh:ajkerrigan/cookiecutter-c7n-left
```

Note: Why `-fso`?

- `-f` / `--overwrite-if-exists`: lets us add to existing directories
- `-s` / `--skip-if-file-exists`: ...but doesn't let us overwrite files
- `-o` / `--output-dir`: tells the cookiecutter where to place policy-related files
This cookiecutter prompts for a few key fields:
- Provider
- Service
- Resource type
- Policy short name
- Policy full name
For a policy enforcing HTTPS in a CloudFront distribution, the responses might look like this:
- Provider: aws
- Service: cloudfront
- Resource type: cloudfront (defaults to )
- Policy short name: enforce-https
- Policy full name: aws-cloudfront-enforce-https (defaults to --)
Which would generate a file tree like the following under <policy_root_directory>:
```
/<policy root directory>/
├── aws
│   ├── cloudfront.yaml
│   └── tests
│       ├── aws-cloudfront-enforce-https
│       │   ├── left.plan.yaml
│       │   ├── match1.tf
│       │   └── nonmatch1.tf
```
This produces only the skeleton of a policy. From there the next steps are:
- Define Terraform snippets for matching and non-matching resources
  - Inside `.tf` files under `<provider>/tests/<policy>`
- Define policies in `<provider>/<service>.yaml`
- Define expected matches inside `<provider>/tests/<policy>/left.plan.yaml`
  - This cookiecutter seeds `left.plan.yaml` with an empty list.
  - With no expectations in `left.plan.yaml`, the output of `c7n-left test <provider>` should include all policy matches against your Terraform snippets. That output can be used to populate `left.plan.yaml`.
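Filled-in versions of the scaffolded files for the CloudFront HTTPS example above, as an added helper script that is not part of this cookiecutter or of c7n-left. It assumes c7n-left's `terraform.<resource type>` resource naming and that the `default_cache_behavior` block is addressable as a mapping in the filter `key`; `fill_enforce_https_scaffold` and the policy root path are names chosen here.

```shell
#!/bin/sh
# Populate the aws/cloudfront/enforce-https scaffold (usage: sh fill.sh <policy root directory>).
set -eu
fill_enforce_https_scaffold() {
  root="$1"
  tests="$root/aws/tests/aws-cloudfront-enforce-https"
  mkdir -p "$tests"

  # Policy: flag distributions whose default cache behaviour still accepts plain HTTP.
  # "terraform.<resource type>" follows c7n-left's resource naming; the dotted key path
  # assumes the default_cache_behavior block is exposed as a mapping.
  cat > "$root/aws/cloudfront.yaml" <<'EOF'
policies:
  - name: aws-cloudfront-enforce-https
    resource: terraform.aws_cloudfront_distribution
    description: Viewers must be redirected to or restricted to HTTPS
    filters:
      - type: value
        key: default_cache_behavior.viewer_protocol_policy
        op: not-in
        value: [https-only, redirect-to-https]
EOF

  # Snippet the policy should match: plain HTTP viewers are allowed (kept minimal).
  cat > "$tests/match1.tf" <<'EOF'
resource "aws_cloudfront_distribution" "match1" {
  enabled = true
  default_cache_behavior {
    target_origin_id       = "origin1"
    viewer_protocol_policy = "allow-all"
  }
}
EOF

  # Snippet the policy should leave alone: HTTP is redirected to HTTPS.
  cat > "$tests/nonmatch1.tf" <<'EOF'
resource "aws_cloudfront_distribution" "nonmatch1" {
  enabled = true
  default_cache_behavior {
    target_origin_id       = "origin1"
    viewer_protocol_policy = "redirect-to-https"
  }
}
EOF

  # left.plan.yaml stays an empty list until populated from `c7n-left test aws` output.
  printf '[]\n' > "$tests/left.plan.yaml"
}
if [ "$#" -eq 1 ]; then fill_enforce_https_scaffold "$1"; fi
```

After running it, `c7n-left test aws` from the policy root should report a match only for `match1`, and that output is what goes into `left.plan.yaml`.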