google.cloud.forseti.scanner.scanners.config_validator_scanner module

Config Validator Scanner.

class ConfigValidatorScanner(global_configs, scanner_configs, service_config, model_name, snapshot_timestamp, rules)

Bases: google.cloud.forseti.scanner.scanners.base_scanner.BaseScanner

Config Validator Scanner.

VIOLATION_TYPE = 'CONFIG_VALIDATOR_VIOLATION'
_flatten_violations(violations)

Flatten Config Validator violations into a dict for each violation.

Parameters: violations (list) – The Config Validator violations to flatten.
Yields: dict – Iterator of Config Validator violations as a dict per violation.

_output_results(all_violations)

Output results.

Parameters: all_violations (List[RuleViolation]) – A list of flattened Config Validator violations.
_retrieve(iam_policy=False)

Retrieves the data for the scanner.

If iam_policy is not set, it will retrieve all the resources except IAM policies.

Parameters: iam_policy (bool) – Retrieve IAM policies only if set to true.
Yields: Asset – Config Validator Asset.
Raises: ValueError – if resources have an unexpected type.
_retrieve_flattened_violations(iam_policy=False)

Retrieve flattened violations by flattening the Config Validator violations returned by the Config Validator client.

If iam_policy is not set, it will retrieve violations from all resources except IAM policies.

Parameters: iam_policy (bool) – Retrieve flattened IAM policy violations.
Yields: list – A list of flattened violations.
run()

Runs the Config Validator Scanner.

Note: The audits of resources and IAM policies are separated into 2 steps. This is mainly because there is no good way to tell from the Config Validator validation result whether a violation is an IAM policy violation or a resource violation: the resource name is the same for both, so it would be hard for Forseti to retrieve the right resource_data for the corresponding violation type.
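
The name collision described in the note, as an added sketch that is not Forseti's code: a constructed bucket and its IAM policy share one resource name, so joining violations back to asset data by name goes wrong in a single pass and stays correct in two. `stub_validate`, the asset dicts and all values are hypothetical stand-ins, not the Config Validator client or its data model.

```python
# Added illustration, not Forseti code: every name and value is constructed.
NAME = "//storage.googleapis.com/demo-bucket"

# A bucket and its IAM policy are two assets that share one resource name.
RESOURCES = [{"name": NAME, "data": {"location": "EU", "versioning": False}}]
IAM_POLICIES = [{"name": NAME, "data": {"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]}]}}]


def stub_validate(assets):
    """Hypothetical validator: a violation names the resource, not its kind."""
    for asset in assets:
        data = asset["data"]
        if data.get("versioning") is False:
            yield {"resource": asset["name"], "message": "versioning disabled"}
        for binding in data.get("bindings", []):
            if "allUsers" in binding["members"]:
                yield {"resource": asset["name"], "message": "public binding"}


def attach_resource_data(assets, violations):
    """Join violations back to asset data using the only key available."""
    by_name = {a["name"]: a["data"] for a in assets}  # same name: last one wins
    return [dict(v, resource_data=by_name[v["resource"]]) for v in violations]


def scan_single_pass():
    """Validate everything at once; the name lookup becomes ambiguous."""
    assets = RESOURCES + IAM_POLICIES
    return attach_resource_data(assets, stub_validate(assets))


def scan_two_pass():
    """Validate resources, then IAM policies, each against its own batch."""
    flattened = []
    for batch in (RESOURCES, IAM_POLICIES):
        flattened.extend(attach_resource_data(batch, stub_validate(batch)))
    return flattened


if __name__ == "__main__":
    for label, scan in (("single", scan_single_pass), ("two", scan_two_pass)):
        for v in scan():
            print(label, v["message"], "->", sorted(v["resource_data"]))
```

In the single-pass output the "versioning disabled" violation is reported with the IAM bindings as its resource_data, which is the mismatch the two-step design avoids.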