Merge pull request hashicorp#155 from hashicorp/add-all-resources-in-pmr-policy

add require-all-resources-from-pmr

Author: rberlind

governance/second-generation/cloud-agnostic/require-all-resources-from-pmr.sentinel

@@ -0,0 +1,56 @@
+# This policy validates that all modules loaded directly by the
+# root module are in the Private Module Registry (PMR) of a TFC
+# server and that no resources are created in the root module
+
+#####Imports#####
+import "tfconfig"
+import "strings"
+
+#####Functions#####
+
+#Prevent resources in root module
+prevent_resources_in_root_module = func() {
+
+  validated = true
+
+  if length(tfconfig.resources) != 0 {
+    print("Resources are not allowed in the root module.")
+    print("Your root module has", length(tfconfig.resources), "type(s) of resources.")
+    validated = false
+  }
+
+  return validated
+}
+
+# Require all modules directly under root module to come from PMR
+require_modules_from_pmr = func(address, organization) {
+
+  validated = true
+
+  for tfconfig.modules as name, m {
+    if not strings.has_prefix(m.source, address + "/" + organization) {
+      print("All non-root modules must come from the private module registry",
+      address + "/" + organization)
+      print("You included module,", name, ", with source,", m.source)
+      validated = false
+    }
+  }
+
+  return validated
+}
+
+##### Global Variables #####
+# Define the address of the TFE server
+address = "app.terraform.io"
+
+# Define organization variable
+organization = "Cloud-Operations"
+
+##### Rules #####
+
+# Main rule that requires other rules to be true
+no_resources_in_root_module = prevent_resources_in_root_module()
+all_non_root_modules_from_pmr = require_modules_from_pmr(address, organization)
+main = rule {
+  no_resources_in_root_module and all_non_root_modules_from_pmr
+}

governance/second-generation/cloud-agnostic/test/require-all-resources-from-pmr/fail-0.11.json

@@ -0,0 +1,8 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-0.11.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/cloud-agnostic/test/require-all-resources-from-pmr/fail-0.12.json

@@ -0,0 +1,8 @@
+{
+  "mock": {
+    "tfconfig": "mock-tfconfig-fail-0.12.sentinel"
+  },
+  "test": {
+    "main": false
+  }
+}

governance/second-generation/cloud-agnostic/test/require-all-resources-from-pmr/mock-tfconfig-fail-0.11.sentinel

@@ -0,0 +1,205 @@
+import "strings"
+import "types"
+
+_modules = {
+	"root": {
+		"data": {},
+		"modules": {
+			"first": {
+				"config":  {},
+				"source":  "./module",
+				"version": "",
+			},
+		},
+		"outputs":   {},
+		"providers": {
+			"aws": {
+				"alias": {
+					"": {
+						"config": {
+							"region": "us-east-2",
+						},
+						"version": "",
+					},
+					"root-east": {
+						"config": {
+							"region": "us-east-1",
+						},
+						"version": "",
+					},
+					"root-west": {
+						"config": {
+							"region": "us-west-1",
+						},
+						"version": "",
+					},
+				},
+				"config": {
+					"region": "us-east-2",
+				},
+				"version": "",
+			},
+		},
+		"resources": {
+			"aws_instance": {
+				"web": {
+					"config": {
+						"ami":           "ami-2e1ef954",
+						"instance_type": "t2.micro",
+						"tags": [
+							{
+								"Name": "root module instance",
+							},
+						],
+					},
+					"provisioners": null,
+				},
+			},
+		},
+		"variables": {},
+	},
+
+	"module.first": {
+		"data": {},
+		"modules": {
+			"second": {
+				"config":  {},
+				"source":  "./module",
+				"version": "",
+			},
+		},
+		"outputs":   {},
+		"providers": {
+			"aws": {
+				"alias": {
+					"": {
+						"config": {
+							"region": "us-east-2",
+						},
+						"version": "",
+					},
+					"first-east": {
+						"config": {
+							"region": "us-east-1",
+						},
+						"version": "",
+					},
+					"first-west": {
+						"config": {
+							"region": "us-west-1",
+						},
+						"version": "",
+					},
+				},
+				"config": {
+					"region": "us-east-2",
+				},
+				"version": "",
+			},
+		},
+		"resources": {
+			"aws_instance": {
+				"web": {
+					"config": {
+						"ami":           "ami-2e1ef954",
+						"instance_type": "t2.micro",
+						"tags": [
+							{
+								"Name": "first module instance",
+							},
+						],
+					},
+					"provisioners": null,
+				},
+			},
+		},
+		"variables": {},
+	},
+
+	"module.first.module.second": {
+		"data":      {},
+		"modules":   {},
+		"outputs":   {},
+		"providers": {
+			"aws": {
+				"alias": {
+					"": {
+						"config": {
+							"region": "us-east-2",
+						},
+						"version": "",
+					},
+					"second-east": {
+						"config": {
+							"region": "us-east-1",
+						},
+						"version": "",
+					},
+					"second-west": {
+						"config": {
+							"region": "us-west-1",
+						},
+						"version": "",
+					},
+				},
+				"config": {
+					"region": "us-east-2",
+				},
+				"version": "",
+			},
+		},
+		"resources": {
+			"aws_instance": {
+				"web": {
+					"config": {
+						"ami":           "ami-2e1ef954",
+						"instance_type": "t2.micro",
+						"tags": [
+							{
+								"Name": "second module instance",
+							},
+						],
+					},
+					"provisioners": null,
+				},
+			},
+		},
+		"variables": {},
+	},
+}
+
+module_paths = [
+	[],
+	[
+		"first",
+	],
+	[
+		"first",
+		"second",
+	],
+]
+
+module = func(path) {
+	if types.type_of(path) is not "list" {
+		error("expected list, got", types.type_of(path))
+	}
+
+	if length(path) < 1 {
+		return _modules.root
+	}
+
+	addr = []
+	for path as p {
+		append(addr, "module")
+		append(addr, p)
+	}
+
+	return _modules[strings.join(addr, ".")]
+}
+
+data = _modules.root.data
+modules = _modules.root.modules
+providers = _modules.root.providers
+resources = _modules.root.resources
+variables = _modules.root.variables
+outputs = _modules.root.outputs