mandatory and acceptable labels for gcp

README.md

@@ -80,6 +80,8 @@ _Access policies have been deprecated. Please [read this](./access/README.md) fo
 - [Ensure resource creation before deletion](./plan/ensure-resource-creation-before-deletion.rego)
 - [Infracost Monthly Cost Restriction](./plan/infracost-monthly-cost-restriction.rego)
 - [Kics severity counter](./plan/kics-severity-counter.rego)
+- [Mandatory and Acceptable Labels for GCP resources](./plan/mandatory-and-acceptable-labels-gcp.rego)
+- [Mandatory and required labels for stacks](./plan/mandatory-and-acceptable-labels-stack.rego)
 - [Mandatory and required labels for stacks](./plan/mandatory-and-acceptable-labels-stack.rego)
 - [Require human review for drift detection reconciliation](./plan/require-human-review-for-drift-detection-reconciliation.rego)
 - [Require human review for unreachable Ansible hosts](./plan/require-human-review-for-unreachable-ansible-hosts.rego)

plan/mandatory-and-acceptable-labels-gcp.rego

@@ -0,0 +1,54 @@
+package spacelift
+
+import future.keywords.contains
+import future.keywords.if
+import future.keywords.in
+
+mandatory_labels := {"mandatory1", "mandatory2"}
+
+acceptable_labels := {"acceptable1", "acceptable2"}
+
+mandatory_resources := {
+	"google_redis_instance",
+	"google_spanner_instance",
+	"google_storage_bucket",
+}
+
+deny contains msg if {
+	some change in input.spacelift.run.changes
+	is_mandatory_resource(change.entity.type, mandatory_resources)
+	labels := change.entity.data.values.labels
+	missing_any_mandatory_label(labels, mandatory_labels)
+	msg := sprintf(
+		"Resource '%s' is missing mandatory labels: %v",
+		[change.entity.address, which_labels_missing(labels, mandatory_labels)],
+	)
+}
+
+deny contains msg if {
+	some change in input.spacelift.run.changes
+	is_mandatory_resource(change.entity.type, mandatory_resources)
+	labels := change.entity.data.values.labels
+	has_non_acceptable_labels(labels, mandatory_labels, acceptable_labels)
+	msg := sprintf("Resource '%s' has invalid labels.", [change.entity.address])
+}
+
+is_mandatory_resource(entity_type, resources) if {
+	entity_type in resources
+}
+
+missing_any_mandatory_label(labels, mandatory) if {
+	some label in mandatory
+	not labels[label]
+}
+
+has_non_acceptable_labels(labels, mandatory, acceptable) if {
+	some label in labels
+	not mandatory[label]
+	not acceptable[label]
+}
+
+which_labels_missing(labels, mandatory) := {label |
+	some label in mandatory
+	not labels[label]
+}

plan/mandatory-and-acceptable-labels-gcp_test.rego

@@ -0,0 +1,52 @@
+package spacelift_test
+
+import data.spacelift
+import future.keywords.contains
+import future.keywords.if
+import future.keywords.in
+
+# Test for missing mandatory labels
+test_deny_for_missing_mandatory_labels if {
+	deny_input := {"entity": {
+		"type": "google_storage_bucket",
+		"data": {"values": {"labels": {"mandatory1": "your_mandatory1_value"}}},
+		# Missing "mandatory2"
+
+	}}
+	spacelift.deny with input.spacelift.run.changes as deny_input
+}
+
+# Test for unacceptable labels
+test_deny_for_unacceptable_labels if {
+	deny_unacceptable_labels := {"entity": {
+		"type": "google_storage_bucket",
+		"data": {"values": {"labels": {
+			"mandatory1": "your_mandatory1_value",
+			"mandatory2": "your_mandatory2_value",
+			"unacceptable_label": "value", # Unacceptable label
+		}}},
+	}}
+	spacelift.deny with input.spacelift.run.changes as deny_unacceptable_labels
+}
+
+# Test for resource not in mandatory_resources
+test_no_deny_for_non_mandatory_resource if {
+	no_deny_resource := {"entity": {
+		"type": "non_mandatory_resource",
+		"data": {"values": {"labels": {}}},
+	}}
+	count(spacelift.deny) == 0 with input.spacelift.run.changes as no_deny_resource
+}
+
+# Test for correct labels
+test_no_deny_for_correct_labels if {
+	no_deny_input := {"entity": {
+		"type": "google_storage_bucket",
+		"data": {"values": {"labels": {
+			"mandatory1": "your_mandatory1_value",
+			"mandatory2": "your_mandatory2_value",
+			"acceptable1": "value",
+		}}},
+	}}
+	count(spacelift.deny) == 0 with input.spacelift.run.changes as no_deny_input
+}