From 63127e7ad3accbd2daba3a9ce7113d98133d5ce4 Mon Sep 17 00:00:00 2001
From: Eric Kao
Date: Tue, 18 Jul 2017 23:12:32 -0700
Subject: [PATCH] add volume encryption policies

Partially implements: blueprint policy-library
Partial-Bug: 1669948
Change-Id: I0ec9cd6b946d453c4dedf2b9f32c541a9ffe9787
---
 .../pause_servers_unencrypted_volume.yaml | 11 +++++++
 .../servers_unencrypted_volume.yaml | 31 +++++++++++++++++++
 2 files changed, 42 insertions(+)
 create mode 100644 library/volume_encryption/pause_servers_unencrypted_volume.yaml
 create mode 100644 library/volume_encryption/servers_unencrypted_volume.yaml

diff --git a/library/volume_encryption/pause_servers_unencrypted_volume.yaml b/library/volume_encryption/pause_servers_unencrypted_volume.yaml
new file mode 100644
index 000000000..96a8c8590
--- /dev/null
+++ b/library/volume_encryption/pause_servers_unencrypted_volume.yaml
@@ -0,0 +1,11 @@
+---
+name: VolumeEncryptionPauseServer
+description: "Pause unprotected servers with unencrypted volumes attached."
+depends-on:
+ - VolumeEncryption
+rules:
+ -
+ rule: >
+ execute[nova:servers.pause(server_id)] :-
+ nova:servers(id=server_id,status='ACTIVE'),
+ unprotected_servers_with_unencrypted_volume(server_id, _, _, _)
diff --git a/library/volume_encryption/servers_unencrypted_volume.yaml b/library/volume_encryption/servers_unencrypted_volume.yaml
new file mode 100644
index 000000000..91fe4cbb8
--- /dev/null
+++ b/library/volume_encryption/servers_unencrypted_volume.yaml
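Review bot: The execute rule in the last three lines of this hunk will pause a server again as soon as an operator unpauses it, because the only condition besides membership in unprotected_servers_with_unencrypted_volume is `status='ACTIVE'` and nothing records that the server was already actioned or is being deliberately investigated. Whether Congress de-duplicates repeated execute[] actions I cannot tell from here, but the enforcement loop is a property of the rule itself and should be stated in the policy text, e.g. `description: "Pause ACTIVE unprotected servers with unencrypted volumes attached; a server that is unpaused is paused again while the condition persists."`. Note also that depends-on lists only VolumeEncryption while the underlying table needs SecurityGroups too, so loading presumably relies on transitive dependency resolution by the library loader.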
@@ -0,0 +1,31 @@
+---
+name: VolumeEncryption
+description: "Warn/error on servers with unencrypted volumes attached."
+depends-on:
+ - SecurityGroups
+rules:
+ -
+ rule: >
+ servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
+ nova:servers(id=server_id, name=server_name),
+ cinder:attachments(volume_id=volume_id, server_id=server_id),
+ cinder:volumes(id=volume_id, name=volume_name, encrypted=False)
+ -
+ comment: "Warn on servers with unencrypted volume."
+ rule: >
+ warning(server_id, server_name, volume_id, volume_name) :-
+ servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
+
+ -
+ comment: "Servers with unencrypted volume, which is also not covered by
+ a protected security group."
+ rule: >
+ unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
+ servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
+ SecurityGroups:unprotected_servers(server_id)
+ -
+ comment: "Error on servers with unencrypted volume, which is also not covered by
+ a protected security group."
+ rule: >
+ error(server_id, server_name, volume_id, volume_name) :-
+ unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
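Review bot: The body of the unprotected_servers_with_unencrypted_volume rule is missing the comma between its two literals: `servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)` is followed directly by `SecurityGroups:unprotected_servers(server_id)`, and since `>` folds the lines into one string the Datalog parser receives two adjacent literals with no separator, unlike the first rule in this file which comma-separates its body. Unless the loader is unusually tolerant, that rule fails to parse, and with it the error rule below it and the pause policy in the sibling file that consumes this table, so the enforcement this change introduces would silently never fire. Change the line to `servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name),` (trailing comma) and consider loading both policies in a test so a parse failure in the library is caught.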