For a list of the current resources and policies provided by Real-Time Enforcer, refer here.
You can exclude specific resources by adding a label to the resource and adding the label’s pairing to the config.yaml file. In the example below, any resource with the forseti-enforcer : disable label will not be remediated by Real-Time Enforcer.
The Real-Time Enforcer engine expects a fairly simple interface for any resource you wish to evaluate policy on. It expects an object with the following functions defined:
# Returns the body of a given resource as a dictionary
# Takes the body of a resource, and attempts to update the resource
def update(self, body):
# Returns the resource type as a string
# Note: This should be a dotted-string that the engines will use to determine what policies are relevant
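A minimal resource object that satisfies this interface, together with the label exclusion described above, as an added example that is not code from Real-Time Enforcer. Assumptions: the method names `get` and `type` (only `update` appears on this page), the `labels` field in the body, the `storage.buckets` type string, and the `enforce_versioning` policy and `remediate` dispatcher, which are hypothetical stand-ins for the engine.

```python
EXCLUDE_LABEL = ("forseti-enforcer", "disable")  # label pair named on this page


class InMemoryBucket:
    """Stand-in resource; a real adapter would call the cloud API."""

    def __init__(self, body):
        self._body = dict(body)

    def get(self):  # assumed name: returns the resource body as a dictionary
        return dict(self._body)

    def update(self, body):  # takes a body and attempts to update the resource
        self._body = dict(body)

    def type(self):  # assumed name: dotted string the engine matches policies on
        return "storage.buckets"  # constructed type string


def is_excluded(resource, label=EXCLUDE_LABEL):
    """True when the resource carries the exclusion label pair."""
    key, value = label
    return (resource.get().get("labels") or {}).get(key) == value


def enforce_versioning(body):
    """Hypothetical policy: return a corrected body, or None if compliant."""
    if body.get("versioning", {}).get("enabled"):
        return None
    fixed = dict(body)
    fixed["versioning"] = {"enabled": True}
    return fixed


POLICIES = {"storage.buckets": [enforce_versioning]}  # keyed by dotted type


def remediate(resource):
    """Run the policies for this resource type; return names of those that changed it."""
    if is_excluded(resource):
        return []  # labelled resources are never touched
    changed = []
    for policy in POLICIES.get(resource.type(), []):
        fixed = policy(resource.get())
        if fixed is not None:
            resource.update(fixed)
            changed.append(policy.__name__)
    return changed
```

Because the exclusion label switches remediation off for a resource, who is allowed to set that label deserves the same review as the policies themselves.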