github.com/swisspost/terratest@v0.0.0-20230214120104-7ec6de2e1ae0/examples/terraform-opa-example/policy/enforce_source.rego (about)

     1  # An example Rego policy that enforces that every module block in the JSON representation of the Terraform source
     2  # files sources its module from the gruntwork-io GitHub org. A module block in the JSON
     3  # representation looks like the
     4  # following:
     5  #
     6  # {
     7  #   "module": {
     8  #     "MODULE_LABEL": [{
     9  #       #BLOCK_CONTENT
    10  #     }]
    11  #   }
    12  # }
    13  package enforce_source
    14  
    15  
    # website::tag::1:: Only define the allow variable and set to true if the violation set is empty.
    #
    # There is no `default allow = false`, so when any violation exists `allow` is undefined rather than false.
    # Callers must treat an undefined result as a denial and pass only on an explicit `true`.
    # An input with no "module" key yields an empty violation set, so it is allowed vacuously; this rule
    # checks module sources only and does not confirm that the input is a well-formed Terraform document.
    allow {
        violation_total := count(violation)
        violation_total == 0
    }
    20  
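    # website::tag::1:: Add modules with module_label to the violation set if the source attribute does not start with a string indicating it came from gruntwork-io GitHub org.
    #
    # Two details keep this check from failing open:
    #   * The prefix ends in "/". Without the separator, any organization whose name merely begins with
    #     "gruntwork-io" would satisfy the prefix match and be accepted as the trusted org.
    #   * The test uses `not startswith(...)` instead of `startswith(...) == false`. With the comparison form,
    #     a module block that has no `source` attribute makes the expression undefined, so the module is
    #     never added to the set and `allow` stays true. With `not`, an undefined result counts as a
    #     violation. A non-string `source` is reported the same way under OPA's default (non-strict)
    #     handling of built-in errors.
    #
    # Only the SSH-style "git::git@github.com:" form is accepted; other source forms are reported as violations.
    violation[module_label] {
        some module_label, i
        block := input.module[module_label][i]
        not startswith(block.source, "git::git@github.com:gruntwork-io/")
    }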