Policy Library
Congress bundles a library of useful policies to help users get started.
For example, library/volume_encryption/servers_unencrypted_volume.yaml
identifies servers with unencrypted volumes attached: it raises a warning for every such server/volume pair,
and escalates to an error when the server is also not covered by a protected security group
(that second check reuses the unprotected_servers table from the SecurityGroups library policy, hence the depends-on entry).
```yaml
---
name: VolumeEncryption
description: "Warn/error on servers with unencrypted volumes attached."
depends-on:
  - SecurityGroups
rules:
  -
    rule: >
      servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
        nova:servers(id=server_id, name=server_name),
        cinder:attachments(volume_id=volume_id, server_id=server_id),
        cinder:volumes(id=volume_id, name=volume_name, encrypted=False)
  -
    comment: "Warn on servers with unencrypted volume."
    rule: >
      warning(server_id, server_name, volume_id, volume_name) :-
        servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
  -
    comment: "Servers with unencrypted volume, which is also not covered by
      a protected security group."
    rule: >
      unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
        servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name),
        SecurityGroups:unprotected_servers(server_id)
  -
    comment: "Error on servers with unencrypted volume, which is also not covered by
      a protected security group."
    rule: >
      error(server_id, server_name, volume_id, volume_name) :-
        unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
```
The latest collection of library policies can be found here: https://github.com/openstack/congress/tree/master/library
To import a library policy YAML file into Congress, use the following CLI command (requires python-congressclient version 1.8.0 or higher, https://pypi.org/project/python-congressclient/):
$ openstack congress policy create-from-file <path-to-policy-yaml>
Because VolumeEncryption declares depends-on: SecurityGroups, import the SecurityGroups library policy first so that the SecurityGroups:unprotected_servers table it references exists.