diff --git a/.github/workflows/opa.yml b/.github/workflows/opa.yml
index 2ebe0a4..40c5487 100644
--- a/.github/workflows/opa.yml
+++ b/.github/workflows/opa.yml
@@ -4,36 +4,25 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - name: Checkout
- uses: actions/checkout@v2.0.0
- - name: OPA Test
- uses: petroprotsakh/opa-test-action@v2.1
+ - name: Check out repository code
+ uses: actions/checkout@v3
+
+ - name: Setup OPA
+ uses: open-policy-agent/setup-opa@v2
 with:
- options: -v
- tests: |
- cost
- external_data
- aws/enforce_aws_resource.rego;aws/enforce_aws_resource_test.rego;aws/enforce_aws_resource_mock.json
- aws/enforce_aws_iam_and_workspace.rego;aws/enforce_aws_iam_and_workspace_test.rego;aws/enforce_aws_iam_and_workspace_mock.json
- aws/enforce_s3_buckets_encryption.rego;aws/enforce_s3_buckets_encryption_test.rego;aws/enforce_s3_buckets_encryption_mock.json
- aws/enforce_kms_key_names.rego;aws/enforce_kms_key_names.test.rego;aws/enforce_kms_key_names.mock.json
- aws/enforce_iam_instance_profiles.rego;aws/enforce_iam_instance_profiles.test.rego;aws/enforce_iam_instance_profiles.mock.json
- aws/enforce_ebs_del_on_term.rego;aws/enforce_ebs_del_on_term.test.rego;aws/enforce_ebs_del_on_term.mock.json
- aws/enforce_instance_subnet.rego;aws/enforce_instance_subnet.test.rego;aws/enforce_instance_subnet.mock.json
- aws/enforce_lb_subnets.rego;aws/enforce_lb_subnets.test.rego;aws/enforce_lb_subnets.mock.json
- aws/enforce_rds_subnets.rego;aws/enforce_rds_subnets.test.rego;aws/enforce_rds_subnets.mock.json
- management/denied_provisioners.rego;management/denied_provisioners_test.rego;management/denied_provisioners_mock.json
- management/enforce_ami_owners.rego;management/enforce_ami_owners_test.rego;management/enforce_ami_owners_mock.json
- management/instance_types.rego;management/instance_types_test.rego;management/instance_types_mock.json
- management/resource_tags.rego;management/resource_tags_test.rego;management/resource_tags_mock.json
- management/whitelist_ami.rego;management/whitelist_ami_test.rego;management/whitelist_ami_mock.json
- management/workspace_name.rego;management/workspace_name_test.rego;management/workspace_name_mock.json
- management/workspace_destroy.rego;management/workspace_destroy_test.rego;management/workspace_destroy_mock.json
- management/pull_requests.rego;management/pull_requests_test.rego;management/pull_requests_mock.json
- management/workspace_tags.rego;management/workspace_tags_test.rego;management/workspace_tags_mock.json
- management/workspace_environment_type.rego;management/workspace_environment_type_еуіе.rego;management/workspace_environment_type_mock.json
- modules/pin_module_version.rego;modules/pin_module_version_test.rego;modules/pin_module_version_mock.json;
- modules/required_modules.rego;modules/required_modules_test.rego;modules/required_modules_mock.json;
- placement
- providers
- user
+ version: latest
+
+ - name: Run OPA Tests
+ run: |
+ dirs=$(find . -type f -name '*.rego' -exec dirname {} \; | sort -u)
+ echo "Directories to be tested:"
+ for dir in $dirs; do
+ echo "$dir"
+ done
+ for dir in $dirs; do
+ echo "Running tests in $dir"
+ if ! opa test $dir/ -v --format pretty; then
+ echo "Tests failed in $dir"
+ exit 1
+ fi
+ done
diff --git a/aws/enforce_aws_iam_and_workspace/scalr-policy.hcl b/aws/enforce_aws_iam_and_workspace/scalr-policy.hcl
new file mode 100644
index 0000000..152bb67
--- /dev/null
+++ b/aws/enforce_aws_iam_and_workspace/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_aws_iam_and_workspace" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/scalr-policy.hcl b/aws/enforce_aws_resource/scalr-policy.hcl
similarity index 100%
rename from aws/scalr-policy.hcl
rename to aws/enforce_aws_resource/scalr-policy.hcl
diff --git a/aws/enforce_cidr/scalr-policy.hcl b/aws/enforce_cidr/scalr-policy.hcl
new file mode 100644
index 0000000..724f9f6
--- /dev/null
+++ b/aws/enforce_cidr/scalr-policy.hcl
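Review bot: The new `Check out repository code` and `Setup OPA` steps reference third-party actions by mutable tags (`actions/checkout@v3`, `open-policy-agent/setup-opa@v2`) and install OPA with `version: latest`, so a moved tag or a new OPA release changes what this policy-test job executes without any change to the repository. Pin both actions to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: open-policy-agent/setup-opa@<full-commit-sha>  # v2`, and replace `version: latest` with a specific OPA release so results are reproducible and the toolchain is auditable. In the `Run OPA Tests` script `$dirs` and `$dir` are expanded unquoted (`for dir in $dirs; do`, `opa test $dir/ -v --format pretty`); the loop relies on that word-splitting, so a directory name containing whitespace would be split into bogus paths — either state that constraint in a comment such as `# rego directories must not contain whitespace` or iterate with `while IFS= read -r dir` over the `find` output. The workflow's top-level keys (`name`, `on`) lie before this hunk; only the `jobs:` mapping is visible.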
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_cidr" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego b/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term.rego
similarity index 100%
rename from aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term.rego
rename to aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term.rego
diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json b/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_mock.json
similarity index 100%
rename from aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_mock.json
rename to aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_mock.json
diff --git a/aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego b/aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_test.rego
similarity index 100%
rename from aws/enforce_ebs_del_on_term_mock/enforce_ebs_del_on_term_test.rego
rename to aws/enforce_ebs_del_on_term/enforce_ebs_del_on_term_test.rego
diff --git a/aws/enforce_ebs_del_on_term/scalr-policy.hcl b/aws/enforce_ebs_del_on_term/scalr-policy.hcl
new file mode 100644
index 0000000..5f99320
--- /dev/null
+++ b/aws/enforce_ebs_del_on_term/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_ebs_del_on_term" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_iam_instance_profiles/scalr-policy.hcl b/aws/enforce_iam_instance_profiles/scalr-policy.hcl
new file mode 100644
index 0000000..db20d56
--- /dev/null
+++ b/aws/enforce_iam_instance_profiles/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_iam_instance_profiles" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_instance_subnet/scalr-policy.hcl b/aws/enforce_instance_subnet/scalr-policy.hcl
new file mode 100644
index 0000000..8d13a0b
--- /dev/null
+++ b/aws/enforce_instance_subnet/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_instance_subnet" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_kms_key_names/scalr-policy.hcl b/aws/enforce_kms_key_names/scalr-policy.hcl
new file mode 100644
index 0000000..e4eb446
--- /dev/null
+++ b/aws/enforce_kms_key_names/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_kms_key_names" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_lb_subnets/scalr-policy.hcl b/aws/enforce_lb_subnets/scalr-policy.hcl
new file mode 100644
index 0000000..20db842
--- /dev/null
+++ b/aws/enforce_lb_subnets/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_lb_subnets" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_rds_subnets/scalr-policy.hcl b/aws/enforce_rds_subnets/scalr-policy.hcl
new file mode 100644
index 0000000..fbb62ad
--- /dev/null
+++ b/aws/enforce_rds_subnets/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_rds_subnets" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_s3_buckets_encryption/scalr-policy.hcl b/aws/enforce_s3_buckets_encryption/scalr-policy.hcl
new file mode 100644
index 0000000..77b5b62
--- /dev/null
+++ b/aws/enforce_s3_buckets_encryption/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_s3_buckets_encryption" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_s3_private/scalr-policy.hcl b/aws/enforce_s3_private/scalr-policy.hcl
new file mode 100644
index 0000000..d4eeff9
--- /dev/null
+++ b/aws/enforce_s3_private/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_s3_private" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/aws/enforce_sec_group/scalr-policy.hcl b/aws/enforce_sec_group/scalr-policy.hcl
new file mode 100644
index 0000000..b984235
--- /dev/null
+++ b/aws/enforce_sec_group/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_sec_group" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/gcp/enforce_gcs_private/scalr-policy.hcl b/gcp/enforce_gcs_private/scalr-policy.hcl
new file mode 100644
index 0000000..6d5fafd
--- /dev/null
+++ b/gcp/enforce_gcs_private/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_gcs_private" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/denied_provisioners/scalr-policy.hcl b/management/denied_provisioners/scalr-policy.hcl
new file mode 100644
index 0000000..e6cae56
--- /dev/null
+++ b/management/denied_provisioners/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "denied_provisioners" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/enforce_ami_owners/scalr-policy.hcl b/management/enforce_ami_owners/scalr-policy.hcl
new file mode 100644
index 0000000..d35493b
--- /dev/null
+++ b/management/enforce_ami_owners/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_ami_owners" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/enforce_var_desc/scalr-policy.hcl b/management/enforce_var_desc/scalr-policy.hcl
new file mode 100644
index 0000000..4e5bce7
--- /dev/null
+++ b/management/enforce_var_desc/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "enforce_var_desc" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/instance_types/scalr-policy.hcl b/management/instance_types/scalr-policy.hcl
new file mode 100644
index 0000000..d89ea45
--- /dev/null
+++ b/management/instance_types/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "instance_types" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/pull_requests/scalr-policy.hcl b/management/pull_requests/scalr-policy.hcl
new file mode 100644
index 0000000..ca0e1cf
--- /dev/null
+++ b/management/pull_requests/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "pull_requests" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/resource_tags_mock/scalr-policy.hcl b/management/resource_tags_mock/scalr-policy.hcl
new file mode 100644
index 0000000..75457c1
--- /dev/null
+++ b/management/resource_tags_mock/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "resource_tags_mock" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/scalr-policy.hcl b/management/scalr-policy.hcl
deleted file mode 100644
index 4b580d4..0000000
--- a/management/scalr-policy.hcl
+++ /dev/null
@@ -1,42 +0,0 @@
-version = "v1"
-
-
-policy "enforce_ami_owners" {
- enabled = true
- enforcement_level = "hard-mandatory"
-}
-
-policy "workspace_destroy" {
- enabled = true
- enforcement_level = "hard-mandatory"
-}
-
-policy "instance_types" {
- enabled = true
- enforcement_level = "hard-mandatory"
-}
-
-policy "resource_tags" {
- enabled = true
- enforcement_level = "hard-mandatory"
-}
-
-policy "whitelist_ami" {
- enabled = true
- enforcement_level = "hard-mandatory"
-}
-
-policy "workspace_name" {
- enabled = true
- enforcement_level = "soft-mandatory"
-}
-
-policy "workspace_tags" {
- enabled = true
- enforcement_level = "soft-mandatory"
-}
-
-policy "denied_provisioners" {
- enabled = true
- enforcement_level = "hard-mandatory"
-}
diff --git a/management/whitelist_ami_mock/scalr-policy.hcl b/management/whitelist_ami_mock/scalr-policy.hcl
new file mode 100644
index 0000000..13ac1ff
--- /dev/null
+++ b/management/whitelist_ami_mock/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "whitelist_ami_mock" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/workspace_destroy/scalr-policy.hcl b/management/workspace_destroy/scalr-policy.hcl
new file mode 100644
index 0000000..6796782
--- /dev/null
+++ b/management/workspace_destroy/scalr-policy.hcl
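Review bot: The new `management/resource_tags_mock/scalr-policy.hcl` declares `policy "resource_tags_mock"`, and `management/whitelist_ami_mock/scalr-policy.hcl` in the same file group declares `policy "whitelist_ami_mock"`, whereas the deleted `management/scalr-policy.hcl` registered these as `resource_tags` and `whitelist_ami` and every other new per-directory file names the policy after the rego file, not its mock fixture. The `_mock` suffix looks like it was inherited from the directory name (compare `aws/enforce_ebs_del_on_term_mock/`, which this commit renames to drop the suffix); if the name in the policy block must match what the policy engine looks up, these two hard-mandatory checks may silently stop being applied. Suggest renaming the directories to `management/resource_tags/` and `management/whitelist_ami/` and the blocks to `policy "resource_tags" {` and `policy "whitelist_ami" {`, and confirming that the old `management/resource_tags.rego` and `management/whitelist_ami.rego` files referenced by the previous workflow now live in those directories.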
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "workspace_destroy" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/workspace_environment_type/scalr-policy.hcl b/management/workspace_environment_type/scalr-policy.hcl
new file mode 100644
index 0000000..1a59477
--- /dev/null
+++ b/management/workspace_environment_type/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "workspace_environment_type" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/management/workspace_name/scalr-policy.hcl b/management/workspace_name/scalr-policy.hcl
new file mode 100644
index 0000000..d59bd4d
--- /dev/null
+++ b/management/workspace_name/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "workspace_name" {
+ enabled = true
+ enforcement_level = "soft-mandatory"
+}
diff --git a/management/workspace_tags/scalr-policy.hcl b/management/workspace_tags/scalr-policy.hcl
new file mode 100644
index 0000000..857c4db
--- /dev/null
+++ b/management/workspace_tags/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "workspace_tags" {
+ enabled = true
+ enforcement_level = "soft-mandatory"
+}
diff --git a/modules/scalr-policy.hcl b/modules/pin_module_version/scalr-policy.hcl
similarity index 100%
rename from modules/scalr-policy.hcl
rename to modules/pin_module_version/scalr-policy.hcl
diff --git a/modules/required_modules/scalr-policy.hcl b/modules/required_modules/scalr-policy.hcl
new file mode 100644
index 0000000..5ab7bc2
--- /dev/null
+++ b/modules/required_modules/scalr-policy.hcl
@@ -0,0 +1,6 @@
+version = "v1"
+
+policy "required_modules" {
+ enabled = true
+ enforcement_level = "hard-mandatory"
+}
diff --git a/placement/scalr-policy.hcl b/placement/cloud_location/scalr-policy.hcl
similarity index 100%
rename from placement/scalr-policy.hcl
rename to placement/cloud_location/scalr-policy.hcl
diff --git a/providers/scalr-policy.hcl b/providers/blacklist_provider/scalr-policy.hcl
similarity index 100%
rename from providers/scalr-policy.hcl
rename to providers/blacklist_provider/scalr-policy.hcl
diff --git a/user/scalr-policy.hcl b/user/check_user/scalr-policy.hcl
similarity index 79%
rename from user/scalr-policy.hcl
rename to user/check_user/scalr-policy.hcl
index ef9e01d..0b16c01 100644
--- a/user/scalr-policy.hcl
+++ b/user/check_user/scalr-policy.hcl
@@ -1,6 +1,6 @@
 version = "v1"
 
-policy "user" {
+policy "check_user" {
 enabled = true
 enforcement_level = "hard-mandatory"
 }