google.cloud.forseti.scanner.audit.resource_rules_engine module¶

Rules engine for Resources.

class ResourceRuleBook(rule_defs=None)[source]¶

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRuleBook

The RuleBook for Resources.

_abc_cache = <_weakrefset.WeakSet object>¶

_abc_negative_cache = <_weakrefset.WeakSet object>¶

_abc_negative_cache_version = 207¶

_abc_registry = <_weakrefset.WeakSet object>¶

add_rule(rule_def, rule_index)[source]¶

Add a rule to the rule book.

Parameters:	rule_def (dict) – A dictionary containing rule definition properties. rule_index (int) – The index of the rule from the rule definitions. Assigned automatically when the rule book is built.
Raises:	`InvalidRulesSchemaError` – if invalid rules definition.

add_rules(rule_defs)[source]¶

Add rules to the rule book.

Parameters:	rule_defs (dict) – rule definitions dictionary.

find_violations(resources)[source]¶

Find resource violations in the rule book.

Parameters:	resources (List[Resource]) – The resources to check for violations.
Yields:	RuleViolation – resource rule violations.

get_applicable_resource_types()[source]¶

Get the applicable resource types defined in this rule book.

The applcable resource types are a union of all resource types defined in each rule.

Returns:	applicable resource types.
Return type:	Set[string]

class ResourceRulesEngine(rules_file_path, snapshot_timestamp=None)[source]¶

Bases: google.cloud.forseti.scanner.audit.base_rules_engine.BaseRulesEngine

Rules engine for Resources.

add_rules(rule_defs)[source]¶

Add rules to the rule book.

Parameters:	rule_defs (dict) – rule definitions dictionary

build_rule_book(global_configs=None)[source]¶

Build ResourceRuleBook from the rules definition file.

Parameters:	global_configs (dict) – Global configurations.

find_violations(resources, force_rebuild=False)[source]¶

Determine whether the resources violate rules.

Parameters:	resources (List[Resource]) – resources to find violations for. force_rebuild (bool) – If True, rebuilds the rule book. This will reload the rules definition file and add the rules to the book.
Returns:	A generator of rule violations.
Return type:	generator

class ResourceTree(resource_type=None, resource_id=None, children=None)[source]¶

Bases: object

ResourceTree represents resources in a tree format.

_find_matching_child(tuples)[source]¶

Finds a matching child node.

Assumes that a child will either match an exact resource id, or a wildcard. The exact match child is given preference.

Parameters:	tuples (List[Tuple[string, string]]) – (type, id) pairs of resources. Together, they represent one full resource. e.g. organization/123/project/456/ should be represented as [(‘organization’, ‘123’), (‘project’, ‘456’)].
Returns:	Matching child node, or None if none matched.
Return type:	ResourceTree

classmethod _from_json(json_nodes)[source]¶

Build Resource Tree nodes.

Parameters:	json_nodes (List[dict]) – JSON representation of nodes.
Returns:	The resource tree representation of the json nodes.
Return type:	ResourceTree

classmethod from_json(json_nodes)[source]¶

Create a resource tree from the given JSON representation of nodes.

If there are multiple json nodes, the resulting tree will have a root node with no resource type or id and each json node as a child.

If there is only one json node, the root will have the resource id and type of the node.

Parameters:	json_nodes (List[dict]) – JSON representation of nodes.
Returns:	The resource tree representation of the json nodes.
Return type:	ResourceTree

get_nodes()[source]¶

Get all nodes in this resource tree.

Returns:	nodes in this tree.
Return type:	List[ResourceTree]

match(resource, resource_types)[source]¶

Match the given resource against this resource tree.

Parameters:	resource (Resource) – The resource to match. resource_types (List[string]) – Applicable resource types. Violations on types not in this list will not be reported.
Returns:	The final matching node, or None if there is no match.
Return type:	ResourceTree

match_tuples(tuples)[source]¶

Match the given tuples against this tree.

Parameters:	tuples (List[Tuple[string, string]]) – (type, id) pairs of resources. Together, they represent one full resource. e.g. organization/123/project/456/ should be represented as [(‘organization’, ‘123’), (‘project’, ‘456’)].
Returns:	The final matching node, or None if there is no match.
Return type:	ResourceTree

class Rule(name, index, resource_types, resource_tree)[source]¶

Bases: object

Rule properties from the rule definition file. Also finds violations.

find_violations(resources)[source]¶

Find violations for this rule against the given resource.

Parameters:	resources (List[Resource]) – resources to check for violations.
Yields:	RuleViolation – resource rule violation.

class RuleViolation(resource_id, resource_name, resource_type, full_name, rule_index, rule_name, violation_type, violation_data, resource_data)¶

Bases: tuple

__getnewargs__()¶: Return self as a plain tuple. Used by copy and pickle.

__getstate__()¶: Exclude the OrderedDict from pickling

__repr__()¶: Return a nicely formatted representation string

_asdict()¶: Return a new OrderedDict which maps field names to their values

_fields = ('resource_id', 'resource_name', 'resource_type', 'full_name', 'rule_index', 'rule_name', 'violation_type', 'violation_data', 'resource_data')¶

classmethod _make(iterable, new=<built-in method __new__ of type object>, len=<built-in function len>)¶: Make a new RuleViolation object from a sequence or iterable

_replace(**kwds)¶: Return a new RuleViolation object replacing specified fields with new values

full_name¶

resource_data¶

resource_id¶

resource_name¶

resource_type¶

rule_index¶

rule_name¶

violation_data¶

violation_type¶