nicholasjackson/opa-rego-language
Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, RBAC and role-based access control, data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.
99
Quality
Pending
Does it follow best practices?
Impact
99%
1.19xAverage score across 31 eval scenarios
Pending
The risk profile of this skill
task.mdevals/scenario-14/
Terraform: Common Testing Pattern
Write a Rego policy that denies aws_s3_bucket resources being created without a bucket_prefix attribute set.
Also write a _test.rego file that tests the policy. The test file must be named with the _test.rego suffix, use the _test package suffix, prefix all test functions with test_, mock Terraform plan JSON input using with input as, and include both a passing case (bucket with bucket_prefix set) and a failing case (bucket without bucket_prefix).
Input
The policy receives a Terraform plan in the standard terraform show -json format:
{
"resource_changes": [
{
"type": "aws_s3_bucket",
"change": {
"actions": ["create"],
"after": {
"bucket_prefix": "my-prefix-"
}
}
}
]
}Expected behaviour
- Deny
aws_s3_bucketresources withcreateorupdateactions that are missingbucket_prefix - Allow
aws_s3_bucketresources that havebucket_prefixset - Allow resources of other types regardless of attributes
- The deny message should include the resource type
docs
evals
scenario-1
scenario-2
scenario-3
scenario-4
scenario-5
scenario-6
scenario-7
scenario-8
scenario-9
scenario-10
scenario-11
scenario-12
scenario-13
scenario-14
scenario-15
scenario-16
scenario-17
scenario-18
scenario-19
scenario-20
scenario-21
scenario-22
scenario-23
scenario-24
scenario-25
scenario-26
scenario-27
scenario-28
scenario-29
scenario-30
scenario-31