main rego
package main
import input as tfplan
# Restrict all resources to one project
# Compared with exact string equality against change.after.project in the
# project deny rule below.
required_project = "myproject"
# Ban ports
# Kept as strings because the banned-ports deny rule compares them with exact
# string equality against the entries of allow.ports; a range such as "20-25"
# is a different string and is not matched by this list.
banned_ports = ["80", "22"]
# array_contains is true when elem equals at least one member of arr;
# undefined (false) otherwise, including for an empty arr.
array_contains(arr, elem) {
    elem == arr[_]
}
# Deny if project does not match
# NOTE(review): a resource whose planned state has no `project` attribute
# (or whose change.after is null, as for a deletion) makes this body
# undefined, so such resources are never denied by this rule — confirm that
# is intended.
deny[msg] {
    changed := tfplan.resource_changes[_]
    planned_project := changed.change.after.project
    planned_project != required_project
    msg := sprintf("%q: Project %q is not allowed. Must be %q", [changed.address, planned_project, required_project])
}
# Block protocols that aren't TCP
# NOTE(review): the comparison is case-sensitive, so a protocol written as
# "TCP" would also be denied here — confirm against the provider schema
# whether that spelling can occur.
deny[msg] {
    changed := tfplan.resource_changes[_]
    allow_block := changed.change.after.allow[_]
    allow_block.protocol != "tcp"
    msg := sprintf("%q: Protocol %q is not allowed. Must be tcp", [changed.address, allow_block.protocol])
}
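# Block banned ports
# Port entries in the plan are strings and may be a single port ("22") or a
# range ("20-25"). The original exact-match check let a range that spans a
# banned port through; port_is_banned below also inspects ranges.
deny[msg] {
    resource := tfplan.resource_changes[_]
    allow := resource.change.after.allow[_]
    port := allow.ports[_]
    port_is_banned(port)
    msg := sprintf("%q: Port %q is not allowed.", [resource.address, port])
}
# An allow block with no ports applies to every port of its protocol
# (behaviour of the GCP firewall resource this policy appears to target —
# confirm), which necessarily includes the banned ones.
deny[msg] {
    resource := tfplan.resource_changes[_]
    allow := resource.change.after.allow[_]
    allows_all_ports(allow)
    msg := sprintf("%q: An allow block without ports permits all ports, including banned ones.", [resource.address])
}
# port_is_banned: exact match against the banned list
port_is_banned(port) {
    array_contains(banned_ports, port)
}
# port_is_banned: a "lo-hi" range that spans at least one banned port.
# to_number on a non-numeric piece is undefined, so malformed entries simply
# fall through to the exact-match body above.
port_is_banned(port) {
    bounds := split(port, "-")
    count(bounds) == 2
    lo := to_number(bounds[0])
    hi := to_number(bounds[1])
    banned := to_number(banned_ports[_])
    lo <= banned
    banned <= hi
}
# allows_all_ports: ports attribute absent, null, or an empty list
allows_all_ports(allow) {
    not allow.ports
}
allows_all_ports(allow) {
    allow.ports == null
}
allows_all_ports(allow) {
    count(allow.ports) == 0
}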
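# Require targeting a service account
# Both null and an empty list mean no service account is targeted, so both
# are denied. If the attribute is absent from change.after (or after is
# null, as for a deletion) the body is undefined and the resource is not
# evaluated by this rule.
deny[msg] {
    resource := tfplan.resource_changes[_]
    accounts := resource.change.after.target_service_accounts
    no_target_accounts(accounts)
    msg := sprintf("%q: A service account must be used as a target.", [resource.address])
}
# no_target_accounts is true when the target list is null or empty
no_target_accounts(accounts) {
    accounts == null
}
no_target_accounts(accounts) {
    count(accounts) == 0
}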
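# block provisioners
# Walk the whole configuration tree so that resources declared inside child
# modules (module_calls[*].module.resources) are inspected as well; the
# original only looked at the root module's resources. Addresses in child
# modules are module-local, so identical resources in several module
# instances collapse into one message (deny is a set).
deny[msg] {
    [_, module] := walk(tfplan.configuration)
    resource := module.resources[_]
    provisioner := resource.provisioners[_]
    msg := sprintf("%s: Provisioners are not allowed - Provisioner: %q", [resource.address, provisioner.type])
}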