For a list of the current resources and policies provided by Real-Time Enforcer, refer here.
You can exclude specific resources by adding a label to the resource and adding the label’s
pairing to the
config.yaml file. In the example below, any resource with the
forseti-enforcer : disable label
will not be remediated by Real-Time Enforcer.
config: exclusions: labels: forseti-enforcer: disable
Real-Time Enforcer engine expects a fairly simple interface to any resource you wish to evaluate policy on. It expects an object with the following functions defined:
class MyResource: # Returns the body of a given resource as a dictionary def get(self): pass # Takes the body of a resource, and attempts to update the resource def update(self, body): pass # Returns the resource type as a string # Note: This should be a dotted-string that the engines will use to determine what policies are relevant type(self): pass