From 27c35798d232e4df2afc597134214ede11c9fc18 Mon Sep 17 00:00:00 2001
From: Viacheslav Lyzohub
Date: Mon, 1 Jul 2024 15:49:02 +0300
Subject: [PATCH] SCALRCORE-31241: Policy example for workspace.environment_type

---
 README.md | 1 +
 management/workspace_environment_type.rego | 8 +++++++
 .../workspace_environment_type_mock.json | 24 +++++++++++++++++++
 .../workspace_environment_type_test.rego | 11 +++++++++
 4 files changed, 44 insertions(+)
 create mode 100644 management/workspace_environment_type.rego
 create mode 100644 management/workspace_environment_type_mock.json
 create mode 100644 management/workspace_environment_type_test.rego

diff --git a/README.md b/README.md
index cc93e5b..30069ac 100644
--- a/README.md
+++ b/README.md
@@ -61,6 +61,7 @@ Many policies contain arrays of values that are checked against resources. The a
 | [management/resource_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/resource_tags.rego) | Checks required tags are configured for all clouds. |
 | [management/whitelist_ami.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/whitelist_ami.rego) | Checks AMI against allowed list or configured from data source. |
 | [management/workspace_name.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_name.rego) | Simple example of using `tfrun` data and validating a workspace name. |
+| [management/workspace_environment.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_environment_type.rego) | Checks workspace environment type and enforces cost limits based on environment. |
 | [management/workspace_destroy.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_destroy.rego) | Checks workspace has an active state and denies its destroy, if active state is present. |
 | [management/workspace_tags.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/management/workspace_tags.rego) | Checks workspace is tagged with provider name. |
 | [modules/pin_module_version.rego](https://github.com/Scalr/sample-tf-opa-policies/blob/master/modules/pin_module_version.rego) | Enforces use of specific module versions. |
diff --git a/management/workspace_environment_type.rego b/management/workspace_environment_type.rego
new file mode 100644
index 0000000..b4365b3
--- /dev/null
+++ b/management/workspace_environment_type.rego
@@ -0,0 +1,8 @@
+package terraform
+
+import input.tfrun as tfrun
+
+deny["Monthly cost for dev workspace exceeds $100"] {
+ tfrun.workspace.environment_type == "development"
+ tfrun.cost_estimate.proposed_monthly_cost > 100
+}
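Review bot: The deny rule in workspace_environment_type.rego fails open when the run carries no cost estimate: a reference to an undefined path such as `tfrun.cost_estimate.proposed_monthly_cost` makes the rule body undefined, so a development workspace whose input lacks a `cost_estimate` object (for example if cost estimation is disabled) is allowed with no message at all. A sample policy should either say so in a comment, e.g. `# Runs that carry no cost estimate are not denied by this rule`, or, if the intent is to fail closed, add a companion rule that denies a development workspace with no estimate, as sketched below. The $100 limit is also written twice, once in the rule head and once in the comparison, so the message and the check can drift apart; binding it once and building the message with `sprintf` keeps them in sync. Whether `proposed_monthly_cost` is always numeric in Scalr's input is not visible here; if it can arrive as a string the comparison would likewise be silently undefined.

```rego
# Maximum allowed monthly cost estimate (USD) for development workspaces.
max_dev_monthly_cost := 100

deny[msg] {
    tfrun.workspace.environment_type == "development"
    tfrun.cost_estimate.proposed_monthly_cost > max_dev_monthly_cost
    msg := sprintf("Monthly cost for dev workspace exceeds $%v", [max_dev_monthly_cost])
}

# Fail closed: a dev workspace whose run carries no cost estimate cannot be checked.
deny["Cost estimate is missing for dev workspace"] {
    tfrun.workspace.environment_type == "development"
    not tfrun.cost_estimate.proposed_monthly_cost
}
```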
diff --git a/management/workspace_environment_type_mock.json b/management/workspace_environment_type_mock.json
new file mode 100644
index 0000000..fc8bf5b
--- /dev/null
+++ b/management/workspace_environment_type_mock.json
@@ -0,0 +1,24 @@
+{
+ "mock": {
+ "valid_input": {
+ "tfrun": {
+ "workspace": {
+ "environment_type": "development"
+ },
+ "cost_estimate": {
+ "proposed_monthly_cost": 50
+ }
+ }
+ },
+ "invalid_input": {
+ "tfrun": {
+ "workspace": {
+ "environment_type": "development"
+ },
+ "cost_estimate": {
+ "proposed_monthly_cost": 150
+ }
+ }
+ }
+ }
+}
diff --git a/management/workspace_environment_type_test.rego b/management/workspace_environment_type_test.rego
new file mode 100644
index 0000000..168d804
--- /dev/null
+++ b/management/workspace_environment_type_test.rego
@@ -0,0 +1,11 @@
+package terraform
+
+test_dev_workspace_cost_allowed {
+ result = deny with input as data.mock.valid_input
+ count(result) == 0
+}
+
+test_dev_workspace_cost_denied {
+ result = deny with input as data.mock.invalid_input
+ count(result) > 0
+}
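Review bot: Neither test in workspace_environment_type_test.rego exercises a workspace whose `environment_type` is not `development`, and both fixtures in the mock file use `development`, so a policy that dropped or inverted the environment check (denying every run over $100) would still pass the suite. Add a `prod_input` fixture to the mock file with `environment_type` set to `production` and `proposed_monthly_cost` of 150, and a third test asserting it yields no denial, as below. `test_dev_workspace_cost_denied` also only checks `count(result) > 0`; asserting membership of the exact message, `deny["Monthly cost for dev workspace exceeds $100"] with input as data.mock.invalid_input`, pins the message text as well. As a point of style, `result = deny` relies on unification to bind a fresh local where `:=` is the conventional form.

```rego
# Requires a `prod_input` fixture in the mock file with
# environment_type "production" and proposed_monthly_cost 150.
test_prod_workspace_cost_allowed {
    result := deny with input as data.mock.prod_input
    count(result) == 0
}
```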