
nicholasjackson/golang-opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA) for writing and enforcing policies across cloud-native stacks, featuring data-driven rules, comprehensions, and 200+ built-in functions for infrastructure, security, and compliance automation.

Overall score: 97%


evals/scenario-6/task.md

Task: Terraform Plan Validation Policy

Create a Terraform plan validation policy in Rego that enforces security and compliance rules across both raw Terraform and HCP Terraform/Enterprise input structures.

Requirements

Policy file

Create terraform.rego with package terraform.validation and import rego.v1.

Critical: normalize the input structure first.

The plan JSON input differs depending on how OPA is invoked:

  • Raw Terraform (terraform show -json): resource_changes is at input.resource_changes
  • HCP Terraform / Terraform Enterprise: the plan is nested at input.plan, so resource_changes is at input.plan.resource_changes

Always normalize with object.get so the policy works in both contexts:

tfplan := object.get(input, "plan", input)

All subsequent rules must reference tfplan.resource_changes, never input.resource_changes directly.

Define a multi-value deny rule (a set of strings). Each violation must produce a distinct, human-readable message.

Implement the following checks:

1. S3 bucket encryption

All aws_s3_bucket resources being created or updated must have server_side_encryption_configuration set. Check for both "create" and "update" actions. Do not check "delete" actions. Violation message:

S3 bucket <address> does not have server-side encryption enabled

2. Required environment tag

All AWS resources (any type beginning with "aws_") being created or updated must have an "Environment" key in change.after.tags. Check for both "create" and "update" actions. Do not check "delete" actions. Violation message:

resource <address> is missing the required Environment tag
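One way to implement the policy described above, as an added example rather than the tile's own solution. It assumes the resource_changes entries follow the terraform show -json shape (change.actions, change.after) and treats an absent, null or empty server_side_encryption_configuration as not set, since a bare `not x.y` would accept an empty block as configured:

```rego
package terraform.validation

import rego.v1

# Normalize the input. HCP Terraform / Terraform Enterprise nests the plan
# under input.plan; raw `terraform show -json` output is the plan itself.
tfplan := object.get(input, "plan", input)

# Resource changes that will exist after apply: any change whose action
# list includes "create" or "update". A replace shows up as
# ["delete", "create"] and is therefore checked; a pure ["delete"] is not,
# because change.after is null and there is nothing left to secure.
changed_resources contains rc if {
	some rc in tfplan.resource_changes
	some action in rc.change.actions
	action in {"create", "update"}
}

# Encryption counts as configured only if the block is present and
# non-empty. Terraform emits unset nested blocks as [] (or omits them),
# so an undefined, null or empty value all mean "not set" here.
has_encryption(rc) if {
	sse := rc.change.after.server_side_encryption_configuration
	sse != null
	count(sse) > 0
}

# The Environment key must exist in change.after.tags; tags may be
# absent or null when none were declared.
has_environment_tag(rc) if {
	tags := rc.change.after.tags
	is_object(tags)
	"Environment" in object.keys(tags)
}

deny contains msg if {
	some rc in changed_resources
	rc.type == "aws_s3_bucket"
	not has_encryption(rc)
	msg := sprintf("S3 bucket %s does not have server-side encryption enabled", [rc.address])
}

deny contains msg if {
	some rc in changed_resources
	startswith(rc.type, "aws_")
	not has_environment_tag(rc)
	msg := sprintf("resource %s is missing the required Environment tag", [rc.address])
}
```

Every rule goes through tfplan and the shared changed_resources set, so the action filter and the HCP/raw normalization are written once and cannot drift between checks.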

Test file

Create terraform_test.rego with package terraform.validation_test and import rego.v1.

Do not run terraform plan or any Terraform CLI commands. All test inputs must be mock plan JSON objects injected with the with input as { ... } keyword.

Include tests for:

  • A compliant plan (encrypted S3 bucket with Environment tag) — deny must be an empty set
  • A plan with an aws_s3_bucket missing encryption on a create action — deny must contain the encryption message
  • A plan with an aws_s3_bucket missing encryption on an update action — deny must contain the encryption message
  • A plan with an AWS resource missing the Environment tag — deny must contain the tagging message
  • A plan that only deletes an S3 bucket — deny must be an empty set (delete actions are not checked)
  • A plan using the HCP Terraform input structure (plan nested under input.plan) — policy must still evaluate correctly

Run the tests

Run opa test . -v and confirm all tests pass.
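A test file covering the six cases listed above, written as an added example and not the tile's own tests. The fixture builder resource_change, the sse_kms value and the message constants are constructed here; each mock plan carries only the fields the policy reads, and the tests assume the deny set lives in package terraform.validation as the task specifies:

```rego
package terraform.validation_test

import rego.v1

import data.terraform.validation

# Constructed fixture builder (not Terraform output): one resource_changes
# entry in the shape `terraform show -json` produces.
resource_change(rtype, address, actions, after) := {
	"address": address,
	"type": rtype,
	"change": {"actions": actions, "after": after},
}

# Constructed SSE block in the aws_s3_bucket nested-block layout.
sse_kms := [{"rule": [{"apply_server_side_encryption_by_default": [{"sse_algorithm": "aws:kms"}]}]}]

encryption_msg := "S3 bucket aws_s3_bucket.logs does not have server-side encryption enabled"

tag_msg := "resource aws_instance.web is missing the required Environment tag"

test_compliant_plan_has_no_denials if {
	rc := resource_change("aws_s3_bucket", "aws_s3_bucket.logs", ["create"], {
		"server_side_encryption_configuration": sse_kms,
		"tags": {"Environment": "prod"},
	})
	count(validation.deny) == 0 with input as {"resource_changes": [rc]}
}

test_unencrypted_bucket_on_create_is_denied if {
	# An empty block is how Terraform renders an unset nested block.
	rc := resource_change("aws_s3_bucket", "aws_s3_bucket.logs", ["create"], {
		"server_side_encryption_configuration": [],
		"tags": {"Environment": "prod"},
	})
	validation.deny == {encryption_msg} with input as {"resource_changes": [rc]}
}

test_unencrypted_bucket_on_update_is_denied if {
	rc := resource_change("aws_s3_bucket", "aws_s3_bucket.logs", ["update"], {"tags": {"Environment": "prod"}})
	encryption_msg in validation.deny with input as {"resource_changes": [rc]}
}

test_missing_environment_tag_is_denied if {
	rc := resource_change("aws_instance", "aws_instance.web", ["create"], {"tags": {"Name": "web"}})
	validation.deny == {tag_msg} with input as {"resource_changes": [rc]}
}

test_delete_only_plan_is_not_checked if {
	# Delete-only changes carry no "after" state.
	rc := resource_change("aws_s3_bucket", "aws_s3_bucket.logs", ["delete"], null)
	count(validation.deny) == 0 with input as {"resource_changes": [rc]}
}

test_hcp_terraform_nested_plan_is_normalized if {
	rc := resource_change("aws_s3_bucket", "aws_s3_bucket.logs", ["create"], {"tags": {"Environment": "prod"}})
	validation.deny == {encryption_msg} with input as {"plan": {"resource_changes": [rc]}}
}
```

Place both files in the same directory and run opa test . -v; with -v each test_ rule is listed individually with PASS or FAIL, which makes it clear which of the six cases regressed when a rule is edited.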

Install with Tessl CLI

npx tessl i nicholasjackson/golang-opa-rego-language@1.15.0
