Skip to content


Sample rules

A few rules that use objects from this package:

from typing import List, Dict, Optional

from cloudrail.knowledge.context.gcp.gcp_environment_context import GcpEnvironmentContext
from cloudrail.knowledge.context.gcp.resources.dns.gcp_dns_managed_zone import GcpDnsManagedZone, DnsDefKeyAlgorithm, GcpDnsManagedZoneDnsSecCfgDefKeySpecs
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.gcp.gcp_base_rule import GcpBaseRule
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType

class CloudDnsNoRsasha1UsedRule(GcpBaseRule):
    def get_id(self) -> str:
        return 'non_car_cloud_dns_ensure_rsasha1_disabled'

    def execute(self, env_context: GcpEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []
        for cloud_dns in env_context.dns_managed_zones:
            if affected_dns_keys := self._get_affected_keys(cloud_dns):
                        f"The {cloud_dns.get_type()} `{cloud_dns.get_friendly_name()}` has rsasha1 enabled for key(s) "
                        f"{', '.join(key.key_type.value for key in affected_dns_keys)}",
        return issues

    def should_run_rule(self, environment_context: GcpEnvironmentContext) -> bool:
        return bool(environment_context.dns_managed_zones)

    def _get_affected_keys(cloud_dns: GcpDnsManagedZone) -> Optional[List[GcpDnsManagedZoneDnsSecCfgDefKeySpecs]]:
        if cloud_dns.dnssec_config and cloud_dns.dnssec_config.state == 'on':
            return [default_key for default_key in cloud_dns.dnssec_config.default_key_specs
                    if default_key.algorithm == DnsDefKeyAlgorithm.RSASHA1]
        return None

DnsDefKeyAlgorithm (str, Enum)

An enumeration.

DnsDefKeyType (str, Enum)

An enumeration.

GcpDnsManagedZone (GcpResource)


Name Type Description
name str

(Required) User assigned name for this resource. Must be unique within the project.

dns_name str

(Required) The DNS name of this managed zone.

description Optional[str]

(Optional) A textual description field.

dnssec_config Optional[GcpDnsManagedZoneDnsSecCfg]

(Optional) DNSSEC configuration parameters.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

GcpDnsManagedZoneDnsSecCfg dataclass


Name Type Description
kind str

(Optional) Identifies the kind of resource.

non_existence Optional[str]

(Optional) Specifies the mechanism used to provide authenticated denial-of-existence responses. Possible values are nsec and nsec3.

state str

(Optional) Specifies whether DNSSEC is enabled, and what mode it is in. Possible values are off, on, and transfer.

default_key_specs List[cloudrail.knowledge.context.gcp.resources.dns.gcp_dns_managed_zone.GcpDnsManagedZoneDnsSecCfgDefKeySpecs]

(Optional) Specifies parameters that will be used for generating initial DnsKeys for this ManagedZone.

GcpDnsManagedZoneDnsSecCfgDefKeySpecs dataclass


Name Type Description
algorithm DnsDefKeyAlgorithm

(Optional) String mnemonic specifying the DNSSEC algorithm of this key Possible values are ecdsap256sha256, ecdsap384sha384, rsasha1, rsasha256, and rsasha512.

key_length int

(Optional) Length of the keys in bits.

key_type DnsDefKeyType

(Optional) (Optional) Specifies whether this is a key signing key (KSK) or a zone signing key (ZSK).

kind str

(Optional) Identifies the kind of resource.