Merge pull request hashicorp#158 from hashicorp/add-prevent-resource-destruction-policy

add prevent destruction policy and function

Author: rberlind

governance/second-generation/cloud-agnostic/prevent-destruction-of-blacklisted-resources.sentinel

@@ -0,0 +1,75 @@
+# This policy prevents any destruction of resources of blacklisted types.
+
+##### Imports #####
+
+import "tfplan"
+import "strings"
+
+##### Functions #####
+
+# Find all resources of a specific type from all modules using the tfplan import
+find_resources_from_plan = func(type) {
+
+  resources = {}
+
+  # Iterate over all modules in the tfplan import
+  for tfplan.module_paths as path {
+    # Iterate over the named resources of desired type in the module
+    for tfplan.module(path).resources[type] else {} as name, instances {
+      # Iterate over resource instances
+      for instances as index, r {
+
+        # Get the address of the instance
+        if length(path) == 0 {
+          # root module
+          address = type + "." + name + "[" + string(index) + "]"
+        } else {
+          # non-root module
+          address = "module." + strings.join(path, ".module.") + "." +
+                    type + "." + name + "[" + string(index) + "]"
+        }
+
+        # Add the instance to resources map, setting the key to the address
+        resources[address] = r
+      }
+    }
+  }
+
+  return resources
+}
+
+# Validate that resources of blacklisted types are not being destroyed
+validate_destroyed_resources = func(blacklist) {
+
+  valid = true
+
+  for blacklist as type {
+    found_resources = find_resources_from_plan(type)
+    for found_resources as address, r {
+      if r.destroy and not r.requires_new {
+        print("You are trying to destroy a resource", address,
+              "of blacklisted type", type)
+        valid = false
+      }
+    }
+  }
+
+  return valid
+}
+
+##### Lists #####
+
+# List of blacklisted resources
+blacklist = [
+  "aws_vpc",
+  "azurerm_virtual_network",
+  "google_compute_network",
+]
+
+##### Rules #####
+
+# Main rule
+destroy_validated = validate_destroyed_resources(blacklist)
+main = rule {
+  destroy_validated
+}

governance/second-generation/cloud-agnostic/test/prevent-destruction-of-blacklisted-resources/fail-0.11.json

@@ -0,0 +1,8 @@
+{
+  "mock": {
+    "tfplan": "mock-tfplan-fail-0.11.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/cloud-agnostic/test/prevent-destruction-of-blacklisted-resources/fail-0.12.json

@@ -0,0 +1,8 @@
+{
+  "mock": {
+    "tfplan": "mock-tfplan-fail-0.12.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/cloud-agnostic/test/prevent-destruction-of-blacklisted-resources/mock-tfplan-fail-0.11.sentinel

@@ -0,0 +1,89 @@
+import "strings"
+import "types"
+
+_modules = {
+	"root": {
+		"data": {},
+		"path": [],
+		"resources": {
+			"azurerm_network_interface": {
+				"main": {
+					0: {
+						"destroy":      true,
+						"diff":         {},
+						"requires_new": false,
+					},
+				},
+			},
+			"azurerm_resource_group": {
+				"main": {
+					0: {
+						"destroy":      true,
+						"diff":         {},
+						"requires_new": false,
+					},
+				},
+			},
+			"azurerm_subnet": {
+				"internal": {
+					0: {
+						"destroy":      true,
+						"diff":         {},
+						"requires_new": false,
+					},
+				},
+			},
+			"azurerm_virtual_machine": {
+				"demo": {
+					0: {
+						"destroy":      true,
+						"diff":         {},
+						"requires_new": false,
+					},
+				},
+			},
+			"azurerm_virtual_network": {
+				"main": {
+					0: {
+						"destroy":      true,
+						"diff":         {},
+						"requires_new": false,
+					},
+				},
+			},
+		},
+	},
+}
+
+module_paths = [
+	[],
+]
+
+terraform_version = "0.11.14"
+
+variables = {
+	"prefix":  "azure-demo",
+	"vm_size": "Standard_A1",
+}
+
+module = func(path) {
+	if types.type_of(path) is not "list" {
+		error("expected list, got", types.type_of(path))
+	}
+
+	if length(path) < 1 {
+		return _modules.root
+	}
+
+	addr = []
+	for path as p {
+		append(addr, "module")
+		append(addr, p)
+	}
+
+	return _modules[strings.join(addr, ".")]
+}
+
+data = _modules.root.data
+path = _modules.root.path
+resources = _modules.root.resources