From 61849bbfe4ed76c1e0b2821b02bd805948124450 Mon Sep 17 00:00:00 2001
From: Derek Morgan <79756941+morethancertified@users.noreply.github.com>
Date: Tue, 22 Oct 2024 16:02:31 +0000
Subject: [PATCH 1/2] testing opa

---
 .github/workflows/plan.yml | 2 +-
 policies/instance-policy.rego | 16 ++++++++
 policies/plan.json | 69 +++++++++++++++++++++++++++++++++++
 policies/plan.rego | 13 -------
 terraform/terraform.tfvars | 2 +-
 5 files changed, 87 insertions(+), 15 deletions(-)
 create mode 100644 policies/instance-policy.rego
 create mode 100644 policies/plan.json
 delete mode 100644 policies/plan.rego

diff --git a/.github/workflows/plan.yml b/.github/workflows/plan.yml
index 7fbc8f3..ab19672 100644
--- a/.github/workflows/plan.yml
+++ b/.github/workflows/plan.yml
@@ -64,5 +64,5 @@ jobs:
 - name: Run OPA Tests
 run: |
- opaout=$(opa eval --data ../policies/plan.rego --input /tmp/plan.json "data.terraform.deny" | jq -r '.result[].expressions[].value[]')
+ opaout=$(opa eval --data ../policies/instance-policy.rego --input /tmp/plan.json "data.terraform.deny" | jq -r '.result[].expressions[].value[]')
 [ -z "$opaout" ] && exit 0 || echo "$opaout" && gh pr comment ${{ github.event.pull_request.number }} --body "### $opaout" && exit 1
diff --git a/policies/instance-policy.rego b/policies/instance-policy.rego
new file mode 100644
index 0000000..9fd0eb1
--- /dev/null
+++ b/policies/instance-policy.rego
@@ -0,0 +1,16 @@
+package terraform
+
+import rego.v1
+
+allowed_instance_types := ["t3.micro", "t3.small"]
+
+deny contains msg if {
+ some resource in input.resource_changes
+ resource.type == "aws_instance"
+ instance_type := resource.change.after.instance_type
+ not instance_type in allowed_instance_types
+ msg := sprintf(
+ "instance type for '%s' is '%s', but must be '%s'",
+ [resource.address, instance_type, allowed_instance_types],
+ )
+}
\ No newline at end of file
diff --git a/policies/plan.json b/policies/plan.json
new file mode 100644
index 0000000..867f31b
--- /dev/null
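Review bot: The step fails open on the new `opa eval` line: if OPA exits non-zero (policy not found at the new `../policies/instance-policy.rego` path, or a parse error in it), the command substitution yields an empty string, `[ -z "$opaout" ] && exit 0` reads that as "no denials", and the PR passes. Start the script with `set -eo pipefail` so a failed eval aborts the step instead of being masked by the `| jq` pipeline, and consider an explicit `test -f ../policies/instance-policy.rego` before the eval so a wrong path is reported rather than ignored. The enclosing job, and the working-directory setting that makes the `../policies` path resolve, start outside the hunk.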
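Review bot: The rule is silent when the instance type is not known at plan time: if `resource.change.after.instance_type` is absent because the value is deferred (it then appears under `change.after_unknown` instead), the `instance_type :=` assignment is undefined, the whole `deny` body is undefined, and the instance is approved. A companion rule that denies when `resource.change.after_unknown.instance_type == true` closes that gap; the fixture added in this commit shows the `after_unknown` shape. Two smaller points: `%s` applied to `allowed_instance_types` now renders a JSON array, so `must be one of %s` reads better than `must be '%s'`, and the file lacks a trailing newline. A one-line header such as `# Deny any aws_instance whose planned instance_type is outside allowed_instance_types.` would tell the next reader what the policy enforces.

```rego
# … unchanged: package, import, allowed_instance_types, existing deny rule …

deny contains msg if {
	some resource in input.resource_changes
	resource.type == "aws_instance"
	resource.change.after_unknown.instance_type == true
	msg := sprintf(
		"instance type for '%s' is not known at plan time; it must be one of %s",
		[resource.address, allowed_instance_types],
	)
}
```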
+++ b/policies/plan.json
@@ -0,0 +1,69 @@
+{
+ "format_version": "1.2",
+ "terraform_version": "1.9.8",
+ "resource_changes": [
+ {
+ "address": "aws_instance.grafana_server",
+ "mode": "managed",
+ "type": "aws_instance",
+ "name": "grafana_server",
+ "provider_name": "registry.terraform.io/hashicorp/aws",
+ "change": {
+ "after": {
+ "instance_type": "t3.micro"
+ }
+ }
+ },
+ {
+ "address": "aws_internet_gateway.gitops_igw",
+ "mode": "managed",
+ "type": "aws_internet_gateway",
+ "name": "gitops_igw",
+ "provider_name": "registry.terraform.io/hashicorp/aws",
+ "change": {
+ "actions": [
+ "no-op"
+ ],
+ "before": {
+ "arn": "arn:aws:ec2:us-east-1:034858642295:internet-gateway/igw-0ae0e0dee11fe2dac",
+ "id": "igw-0ae0e0dee11fe2dac",
+ "owner_id": "034858642295",
+ "tags": {
+ "Name": "gitops-igw"
+ },
+ "tags_all": {
+ "Name": "gitops-igw"
+ },
+ "timeouts": null,
+ "vpc_id": "vpc-0871ed203c7e35ead"
+ },
+ "after": {
+ "arn": "arn:aws:ec2:us-east-1:034858642295:internet-gateway/igw-0ae0e0dee11fe2dac",
+ "id": "igw-0ae0e0dee11fe2dac",
+ "owner_id": "034858642295",
+ "tags": {
+ "Name": "gitops-igw"
+ },
+ "tags_all": {
+ "Name": "gitops-igw"
+ },
+ "timeouts": null,
+ "vpc_id": "vpc-0871ed203c7e35ead"
+ },
+ "after_unknown": {},
+ "before_sensitive": {
+ "tags": {},
+ "tags_all": {}
+ },
+ "after_sensitive": {
+ "tags": {},
+ "tags_all": {}
+ }
+ }
+ }
+ ],
+ "timestamp": "2024-10-21T20:04:15Z",
+ "applyable": false,
+ "complete": true,
+ "errored": false
+}
\ No newline at end of file
diff --git a/policies/plan.rego b/policies/plan.rego
deleted file mode 100644
index 21f17b5..0000000
--- a/policies/plan.rego
+++ /dev/null
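Review bot: The committed fixture carries what look like live identifiers from a real account — `owner_id` `034858642295`, the `arn` values containing it, `igw-0ae0e0dee11fe2dac` and `vpc-0871ed203c7e35ead` — none of which the policy reads; replace them with obviously fake placeholders before this lands in a shared repository. The fixture also contains only a `t3.micro` instance, so it can never produce a denial, and nothing in this commit consumes it (the workflow evaluates `/tmp/plan.json`); adding a second `aws_instance` with a disallowed type plus an `opa test` asserting the expected `deny` message would make it a real regression test. The `aws_instance` entry is also thinner than the second resource (no `actions`, `before` or `after_unknown`), so it presumably does not reflect what Terraform actually emits — worth regenerating from a real plan once the IDs are scrubbed.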
@@ -1,13 +0,0 @@
-package terraform
-
-import future.keywords.in
-
-allowed_instance_types := {"t3.micro", "t3.small"}
-
-deny[msg] {
- some resource in input.resource_changes
- resource.type == "aws_instance"
- instance_type := resource.change.after.instance_type
- not instance_type in allowed_instance_types
- msg := sprintf("AWS instance type '%s' is not allowed. Only 't3.micro' or 't3.small' are permitted.", [instance_type])
-}
\ No newline at end of file
diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
index 2ff57ad..95f46bb 100644
--- a/terraform/terraform.tfvars
+++ b/terraform/terraform.tfvars
@@ -1,2 +1,2 @@
 region = "us-east-1"
-instance_type = "t3.micro"
\ No newline at end of file
+instance_type = "t3.large"
\ No newline at end of file
From d52c3bad78817b1f96f7944123ae89c16d57ebd9 Mon Sep 17 00:00:00 2001
From: Derek Morgan <79756941+morethancertified@users.noreply.github.com>
Date: Tue, 22 Oct 2024 16:04:18 +0000
Subject: [PATCH 2/2] updated instance type

---
 terraform/terraform.tfvars | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/terraform/terraform.tfvars b/terraform/terraform.tfvars
index 95f46bb..2ff57ad 100644
--- a/terraform/terraform.tfvars
+++ b/terraform/terraform.tfvars
@@ -1,2 +1,2 @@
 region = "us-east-1"
-instance_type = "t3.large"
\ No newline at end of file
+instance_type = "t3.micro"
\ No newline at end of file