add volume encryption policies
Partially implements: blueprint policy-library Partial-Bug: 1669948 Change-Id: I0ec9cd6b946d453c4dedf2b9f32c541a9ffe9787
parent
596a42e317
commit
63127e7ad3
|
@ -0,0 +1,11 @@
|
|||
---
|
||||
name: VolumeEncryptionPauseServer
|
||||
description: "Pause unprotected servers with unencrypted volumes attached."
|
||||
depends-on:
|
||||
- VolumeEncryption
|
||||
rules:
|
||||
-
|
||||
rule: >
|
||||
execute[nova:servers.pause(server_id)] :-
|
||||
nova:servers(id=server_id,status='ACTIVE'),
|
||||
unprotected_servers_with_unencrypted_volume(server_id, _, _, _)
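Review bot: The last body literal, `unprotected_servers_with_unencrypted_volume(server_id, _, _, _)`, is unqualified, so it appears to resolve to a table local to VolumeEncryptionPauseServer rather than the one defined in the VolumeEncryption policy; that local table would be empty and the pause action would never fire. The sibling file qualifies its cross-policy reference (`SecurityGroups:unprotected_servers(server_id)`), so this line should probably read `VolumeEncryption:unprotected_servers_with_unencrypted_volume(server_id, _, _, _)`. Because the rule acts automatically on every matching ACTIVE server, I would also add a comment entry to it, in the style of the other file, such as `comment: "Pauses matching ACTIVE servers automatically; the volume stays unencrypted until remediated."`.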
|
|
@ -0,0 +1,31 @@
|
|||
---
|
||||
name: VolumeEncryption
|
||||
description: "Warn/error on servers with unencrypted volumes attached."
|
||||
depends-on:
|
||||
- SecurityGroups
|
||||
rules:
|
||||
-
|
||||
rule: >
|
||||
servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
|
||||
nova:servers(id=server_id, name=server_name),
|
||||
cinder:attachments(volume_id=volume_id, server_id=server_id),
|
||||
cinder:volumes(id=volume_id, name=volume_name, encrypted=False)
|
||||
-
|
||||
comment: "Warn on servers with unencrypted volume."
|
||||
rule: >
|
||||
warning(server_id, server_name, volume_id, volume_name) :-
|
||||
servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
|
||||
|
||||
-
|
||||
comment: "Servers with unencrypted volume, which is also not covered by
|
||||
a protected security group."
|
||||
rule: >
|
||||
unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name) :-
|
||||
servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
|
||||
SecurityGroups:unprotected_servers(server_id)
|
||||
-
|
||||
comment: "Error on servers with unencrypted volume, which is also not covered by
|
||||
a protected security group."
|
||||
rule: >
|
||||
error(server_id, server_name, volume_id, volume_name) :-
|
||||
unprotected_servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name)
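Review bot: The body of the `unprotected_servers_with_unencrypted_volume` rule has no comma between its two literals: the `servers_with_unencrypted_volume(...)` line ends without one, unlike the literals in the first rule. Since the `>` scalar folds the lines into one string, the rule would reach the Datalog parser as two atoms separated only by a space and would likely be rejected, leaving `error` and the dependent pause policy with nothing to match. End that line with a comma: `servers_with_unencrypted_volume(server_id, server_name, volume_id, volume_name),`. It is also worth confirming that the cinder datasource exposes `encrypted` as a boolean, so that `encrypted=False` matches rather than silently selecting no rows.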
|