feat: add ecs policies to the catalog

Signed-off-by: Vishal Choudhary <vishal.choudhary@nirmata.com>

catalog/ecs/ecs-cluster-enable-logging.yaml

@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: ecs-cluster-enable-logging
+spec:
+  rules:
+    - name: ecs-cluster-enable-logging
+      match:
+        any:
+        - type: aws_ecs_cluster
+      context:
+      - name: forbidden_values
+        variable: ["NONE"]
+      assert:
+        all:
+        - message: "ECS Cluster should enable logging of ECS Exec"
+          check:
+            values:
+              ~.configuration: 
+                ~.execute_command_configuration:
+                  (contains($forbidden_values, @.logging)): false

catalog/ecs/ecs-cluster-required-container-insights.yaml

@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: required-container-insights
+spec:
+  rules:
+    - name: required-container-insights
+      match:
+        any:
+        - type: aws_ecs_cluster
+      assert:
+        all:
+        - message: "Container insights should be enabled on ECS cluster"
+          check:
+            values:
+              ~.setting: 
+                name: containerInsights
+                value: enabled
+
+

catalog/ecs/ecs-service-public-ip.yaml

@@ -0,0 +1,20 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: ecs-public-ip
+spec:
+  rules:
+    - name: ecs-public-ip
+      match:
+        any:
+        - type: aws_ecs_service
+      context:
+      - name: allowed-values
+        variable: [false]
+      assert:
+        all:
+        - message: "ECS services should not have public IP addresses assigned to them automatically"
+          check:
+            values:
+              ~.network_configuration:
+                (contains('$allowed-values', @.assign_public_ip)): false

catalog/ecs/ecs-service-required-latest-platform-fargate.yaml

@@ -0,0 +1,21 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: required-latest-platform-fargate
+spec:
+  rules:
+    - name: required-latest-platform
+      match:
+        any:
+        - type: aws_ecs_service
+          values:
+            launch_type: FARGATE
+      context:
+      - name: pv
+        variable: platform_version
+      assert:
+        all:
+        - message: "ECS Fargate services should run on the latest Fargate platform version"
+          check: 
+            values:
+              platform_version: 'LATEST'

catalog/ecs/ecs-task-definition-fs-read-only.yaml

@@ -0,0 +1,18 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: fs-read-only
+spec:
+  rules:
+    - name: require-fs-read-only
+      match:
+        any:
+        - type: aws_ecs_task_definition
+      assert:
+        any:
+        - message: ECS containers only have read-only access to root filesystems
+          check:
+            values:
+              ~.(json_parse(container_definitions)):
+                  readonlyRootFilesystem: true
+

test/commands/scan/tf-ecs-task-definition/policy.yaml

@@ -1,10 +1,10 @@
 apiVersion: json.kyverno.io/v1alpha1
 kind: ValidatingPolicy
 metadata:
-  name: required-s3-tags
+  name: fs-read-only
 spec:
   rules:
-    - name: require-team-tag
+    - name: require-fs-read-only
       match:
         any:
         - type: aws_ecs_task_definition