google.cloud.forseti.scanner.audit.instance_network_interface_rules_engine module

Rules engine for NetworkInterface.

class InstanceNetworkInterfaceRuleBook(rule_defs=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for enforced network resources.

add_rule(rule_def, rule_index)[source]

Add a rule to the rule book.

The rule supplied to this method is the dictionary parsed from the rules definition file.

For example, this rule…

# rules yaml:
rules:
  - name: all networks covered in whitelist
    project: '*'
    network: '*'
    is_external_network: True
    whitelist:
      master:
        - master-1
      network:
        - network-1
        - network-2
      default:
        - default-1

… gets parsed into:

{
  "rules": [
    {
      "name": "all networks covered in whitelist",
      "project": "*",
      "network": "*",
      "is_external_network": true,
      "whitelist": {
        "master": ["master-1"],
        "network": ["network-1", "network-2"],
        "default": ["default-1"]
      }
    }
  ]
}

Parameters:
  • rule_def (dict) – A dictionary containing rule definition properties.
  • rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
add_rules(rule_defs)[source]

Add rules to the rule book.

Parameters: rule_defs (dict) – rule definitions
get_resource_rules()[source]

Get all the resource rules.

Returns: the values of resource_rules_map
Return type: list
class InstanceNetworkInterfaceRulesEngine(rules_file_path, snapshot_timestamp=None)[source]

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for InstanceNetworkInterfaceRules.

add_rules(rules)[source]

Add rules to the rule book.

Parameters: rules (dict) – rule definitions
build_rule_book(global_configs=None)[source]

Build InstanceNetworkInterfaceRuleBook from rules definition file.

Parameters: global_configs (dict) – global configs
find_policy_violations(instance_network_interface, force_rebuild=False)[source]

Determine whether the instance network interfaces violate any rules.

Parameters:
  • instance_network_interface (list) – list of instance_network_interface objects to check
  • force_rebuild (bool) – set to True to rebuild the rule book before checking; set to False to reuse the existing rule book
Returns: iterator of all violations
Return type: list

class Rule(rule_name, rule_index, rules)[source]

Bases: object

The rules class for instance_network_interface.

class RuleViolation(resource_type, resource_id, full_name, rule_name, rule_index, violation_type, project, network, ip, resource_data)

Bases: tuple

__getnewargs__()

Return self as a plain tuple. Used by copy and pickle.

__getstate__()

Exclude the OrderedDict from pickling

__repr__()

Return a nicely formatted representation string

_asdict()

Return a new OrderedDict which maps field names to their values

_fields = ('resource_type', 'resource_id', 'full_name', 'rule_name', 'rule_index', 'violation_type', 'project', 'network', 'ip', 'resource_data')
classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)

Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)

Return a new RuleViolation object replacing specified fields with new values

full_name
ip
network
project
resource_data
resource_id
resource_type
rule_index
rule_name
violation_type
find_violations(instance_network_interface_list)[source]

Report a violation if the IP is not in the whitelist.

Parameters: instance_network_interface_list (list) – list of InstanceNetworkInterface objects
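The rule parsing shown under add_rule() and the whitelist check performed by find_violations(), exercised end to end as an added example. This is not Forseti's own code: the RuleViolation field order is copied from this page, but the rule and rule-book functions, the GCE network self-link regex, the sample interface records, the UNENFORCED_NETWORK_VIOLATION label, and the reading of is_external_network (the rule applies only to interfaces that carry an external address) are all assumptions made for illustration.

```python
# Added illustrative example (not Forseti's code): a stand-alone re-creation of
# the documented rule dict -> rule book -> violations flow, so the whitelist in
# the add_rule() example can be run against constructed interface records.
import json
import re
from collections import namedtuple

# Field order copied from the RuleViolation named tuple documented above.
RuleViolation = namedtuple('RuleViolation', [
    'resource_type', 'resource_id', 'full_name', 'rule_name', 'rule_index',
    'violation_type', 'project', 'network', 'ip', 'resource_data'])

# Parsed form of the example rule from add_rule(), embedded as JSON so this
# runs without a YAML parser (constructed input, same content as the page).
RULES_JSON = '''{
  "rules": [{
    "name": "all networks covered in whitelist",
    "project": "*",
    "network": "*",
    "is_external_network": true,
    "whitelist": {
      "master": ["master-1"],
      "network": ["network-1", "network-2"],
      "default": ["default-1"]
    }
  }]
}'''

# Assumption: an interface's network is a GCE self-link such as
# https://www.googleapis.com/compute/v1/projects/<project>/global/networks/<network>
_NETWORK_URL = re.compile(r'/projects/([^/]+)/global/networks/([^/]+)$')


class NetworkWhitelistRule(object):
    """One parsed rule: whitelist maps project id -> allowed network names."""

    def __init__(self, rule_name, rule_index, rule_def):
        self.rule_name = rule_name
        self.rule_index = rule_index
        self.only_external = bool(rule_def.get('is_external_network'))
        self.whitelist = {p: set(n) for p, n in rule_def['whitelist'].items()}

    def find_violations(self, interfaces):
        """Yield a RuleViolation for each interface on a non-whitelisted network."""
        for iface in interfaces:
            match = _NETWORK_URL.search(iface['network'])
            if match is None:
                # Fail loudly: silently skipping unparsable input would leave
                # a blind spot in the scan.
                raise ValueError('unrecognised network URL: %r' % iface['network'])
            project, network = match.groups()
            ip = iface.get('external_ip')
            # Assumption: is_external_network restricts the rule to interfaces
            # that actually have an external (NAT) address.
            if self.only_external and ip is None:
                continue
            # A project absent from the whitelist allows no networks at all.
            if network in self.whitelist.get(project, ()):
                continue
            yield RuleViolation(
                resource_type='instance',
                resource_id=iface['instance'],
                full_name=iface['full_name'],
                rule_name=self.rule_name,
                rule_index=self.rule_index,
                violation_type='UNENFORCED_NETWORK_VIOLATION',  # hypothetical label
                project=project,
                network=network,
                ip=ip,
                resource_data=json.dumps(iface, sort_keys=True))


def build_rule_book(rule_defs):
    """Mirror add_rules(): one rule object per entry, indexed by position."""
    return [NetworkWhitelistRule(r['name'], i, r)
            for i, r in enumerate(rule_defs['rules'])]


def find_policy_violations(rule_book, interfaces):
    """Mirror find_policy_violations(): collect violations from every rule."""
    return [v for rule in rule_book for v in rule.find_violations(interfaces)]


def _iface(project, network, instance, external_ip=None):
    """Build a constructed interface record shaped like a GCE instance NIC."""
    base = 'https://www.googleapis.com/compute/v1/projects/%s' % project
    return {
        'instance': instance,
        'full_name': '%s/zones/us-central1-a/instances/%s' % (base, instance),
        'network': '%s/global/networks/%s' % (base, network),
        'external_ip': external_ip,
    }


# Constructed sample inventory: one compliant, one internal-only, two violating.
SAMPLE_INTERFACES = [
    _iface('master', 'master-1', 'vm-a', '203.0.113.10'),    # whitelisted
    _iface('network', 'network-9', 'vm-b'),                  # no external IP: not covered
    _iface('network', 'network-3', 'vm-c', '203.0.113.11'),  # network not whitelisted
    _iface('sandbox', 'default-1', 'vm-d', '203.0.113.12'),  # project not whitelisted
]


def run_example():
    rule_book = build_rule_book(json.loads(RULES_JSON))
    return find_policy_violations(rule_book, SAMPLE_INTERFACES)


if __name__ == '__main__':
    for v in run_example():
        print('%s: project=%s network=%s ip=%s' % (v.resource_id, v.project, v.network, v.ip))
```

Two points worth noting when writing a check like this: a project that is missing from the whitelist is treated as allowing nothing, rather than everything, so the default is deny; and an interface whose network self-link does not parse raises instead of being skipped, because a scanner that quietly drops records it cannot parse reports a clean result for exactly the resources it never examined.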