Announcing First Release of CloudQuery Policies
We are excited to announce the release of the CloudQuery Policies!
CloudQuery brings the power of SQL to your cloud infrastructure, providing easy monitoring, governance and security.
The new CloudQuery Policies feature brings policy-as-code to the CloudQuery ecosystem. CQ Policies enable users to codify, version and run security, governance, cost and compliance rules, using SQL as the query layer and HCL as the logical layer.
cloudquery policy download --help
cloudquery policy run my-policy --sub-path=my-sub-policy
You can see all of the available policy packs, as well as their documentation and a detailed specification of every check, at hub.cloudquery.io/policies.
For detailed documentation, please check out our docs and our example repository, which contains the AWS CIS policy.
At the most basic level, a policy declares the minimum version of the cq-provider it requires and a list of SQL queries, each with its own description.
policy "test-policy" {
  description = "This is a test policy"
  configuration {
    provider "aws" {
      version = ">= 1.0"
    }
  }
  query "top-level-query" {
    description = "Top Level Query"
    query = "SELECT * FROM test_policy_table WHERE name LIKE 'peter'"
  }
}
Sometimes a check needs to join multiple tables. Instead of repeating the same complex query in several places, views let you define the query once and reference the resulting view from other queries in your policies.
policy "test-policy" {
  description = "This is a test policy"
  configuration {
    provider "aws" {
      version = ">= 1.0"
    }
  }
  view "myview" {
    description = "My awesome view"
    query "complex-query" {
      query = "SELECT * FROM test_policy_table WHERE name LIKE 'john'"
    }
  }
  query "top-level-query" {
    description = "Top Level Query"
    query = "SELECT * FROM myview"
  }
}
Policies can be nested inside other policies to build a hierarchy, which lets you reference and execute only a subset of the main policy file.
policy "test-policy" {
  description = "Test Policy"
  configuration {
    provider "aws" {
      version = ">= 1.0"
    }
  }
  view "testview" {
    description = "Test View"
    query "testviewquery" {
      query = "SELECT * FROM test_policy_table WHERE name LIKE 'john'"
    }
  }
  query "top-level-query" {
    description = "Top Level Query"
    query = "SELECT * FROM test_policy_table WHERE name LIKE 'peter'"
  }
  policy "sub-policy-1" {
    description = "Sub Policy 1"
    query "sub-level-query" {
      query = "SELECT * from testview"
      expect_output = true
    }
    policy "sub-sub-policy-1" {
      description = "Sub Sub Policy 1"
      query "sub-sub-level-query" {
        query = "SELECT * from test_policy_table WHERE name LIKE 'peter'"
      }
    }
  }
  policy "sub-policy-2" {
    description = "Sub Policy 2"
    query "sub-level-query" {
      query = "SELECT * from test_policy_table WHERE name LIKE 'peter'"
    }
  }
}
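To make the hierarchy and sub-path semantics concrete, here is a small added illustration (not CloudQuery's own engine) that evaluates the nested policy above against an in-memory SQLite table. The dict layout standing in for HCL, the constructed sample rows, and the rule that a sub-path selects one sub-policy while views are still created for the whole tree are assumptions made for this example.

```python
import sqlite3

# Constructed sample rows standing in for a cq-provider table.
ROWS = [(1, "john"), (2, "peter"), (3, "mary"), (4, "john")]

# The nested policy from the page, as a dict tree instead of HCL (assumed layout).
POLICY = {
    "name": "test-policy",
    "views": {"testview": "SELECT * FROM test_policy_table WHERE name LIKE 'john'"},
    "queries": {"top-level-query": "SELECT * FROM test_policy_table WHERE name LIKE 'peter'"},
    "policies": [
        {"name": "sub-policy-1",
         "queries": {"sub-level-query": "SELECT * FROM testview"},
         "policies": [{"name": "sub-sub-policy-1",
                       "queries": {"sub-sub-level-query":
                                   "SELECT * FROM test_policy_table WHERE name LIKE 'peter'"}}]},
        {"name": "sub-policy-2",
         "queries": {"sub-level-query": "SELECT * FROM test_policy_table WHERE name LIKE 'peter'"}},
    ],
}

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE test_policy_table (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO test_policy_table VALUES (?, ?)", ROWS)
    return conn

def create_views(conn, node):
    """Create every view in the tree before any query runs, so a sub-policy
    selected via --sub-path can still reference a view declared at the top."""
    for name, sql in node.get("views", {}).items():
        conn.execute(f"CREATE VIEW {name} AS {sql}")
    for child in node.get("policies", []):
        create_views(conn, child)

def resolve(node, sub_path):
    """Walk a path such as 'sub-policy-1/sub-sub-policy-1' down the hierarchy."""
    for part in filter(None, sub_path.split("/")):
        match = [p for p in node.get("policies", []) if p["name"] == part]
        if not match:
            raise KeyError(f"no sub-policy {part!r} under {node['name']!r}")
        node = match[0]
    return node

def run_policy(policy, sub_path=""):
    """Return {'policy/path/query': row_count}; each returned row is a finding."""
    conn = open_db()
    create_views(conn, policy)
    results = {}
    def walk(node, prefix):
        for qname, sql in node.get("queries", {}).items():
            results[f"{prefix}/{qname}"] = len(conn.execute(sql).fetchall())
        for child in node.get("policies", []):
            walk(child, f"{prefix}/{child['name']}")
    walk(resolve(policy, sub_path), "/".join(filter(None, [policy["name"], sub_path])))
    return results
```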
We extended the CloudQuery CLI to support downloading and running policies directly from GitHub. For the full set of commands, see the docs.
Download a policy repository:
cloudquery policy download cq-policy-core
Run a specific policy (latest version):
cloudquery policy run cq-policy-core aws/cis-v1.20
Run a specific policy version:
cloudquery policy run cq-policy-core aws/cis-v1.20@v0.0.1
You can also run a specific query inside a policy:
cloudquery policy run cq-policy-core aws/cis-v1.20 --sub-path="aws-cis-section-1/1.1"
We are always eager to hear feedback so feel free to file feature-requests/bugs/issues at github.com/cloudquery/cloudquery.
Also, we have more exciting features coming up to enhance the new policy feature, so subscribe to our Twitter and/or mailing list.