use functions instead of rules

rberlind · rberlind · commit ab7855b3518d · 2019-10-08T00:25:08.000-04:00
diff --git a/governance/second-generation/cloud-agnostic/require-all-resources-from-pmr.sentinel b/governance/second-generation/cloud-agnostic/require-all-resources-from-pmr.sentinel
@@ -6,35 +6,51 @@
 import "tfconfig"
 import "strings"
 
-##### Global Variables #####
-# Define the address of the TFE server
-address = "app.terraform.io"
+#####Functions#####
 
-# Define organization variable
-organization = "Cloud-Operations"
+#Prevent resources in root module
+prevent_resources_in_root_module = func() {
 
-##### Rules #####
-# Don't allow resources in root module
-no_resources_in_root_module = rule {
-   length(tfconfig.resources) is 0 or not
-   (print("Resources not allowed in root module") and
-    print("Your root module has", length(tfconfig.resources), "resources."))
+  validated = true
+
+  if length(tfconfig.resources) != 0 {
+    print("Resources are not allowed in the root module.")
+    print("Your root module has", length(tfconfig.resources), "type(s) of resources.")
+    validated = false
+  }
 
+  return validated
 }
 
 # Require all modules directly under root module to come from PMR
-require_modules_from_pmr = rule {
-  all tfconfig.modules as name, m {
-    strings.has_prefix(m.source, address + "/" + organization) or not
-    (print("All modules must from the private module registry",
-    address + "/" + organization) and
-   print("You included module", name, "with source", m.source))
+require_modules_from_pmr = func(address, organization) {
+
+  validated = true
+
+  for tfconfig.modules as name, m {
+    if not strings.has_prefix(m.source, address + "/" + organization) {
+      print("All non-root modules must come from the private module registry",
+      address + "/" + organization)
+      print("You included module,", name, ", with source,", m.source)
+      validated = false
+    }
   }
+
+  return validated
 }
 
+##### Global Variables #####
+# Define the address of the TFE server
+address = "app.terraform.io"
+
+# Define organization variable
+organization = "Cloud-Operations"
+
+##### Rules #####
+
 # Main rule that requires other rules to be true
+no_resources_in_root_module = prevent_resources_in_root_module()
+all_non_root_modules_from_pmr = require_modules_from_pmr(address, organization)
 main = rule {
-  print("modules", tfconfig.modules) and
-  no_resources_in_root_module and
-  require_modules_from_pmr
+  no_resources_in_root_module and all_non_root_modules_from_pmr
 }
diff --git a/governance/second-generation/cloud-agnostic/test/require-all-resources-from-pmr/mock-tfconfig-fail-0.12.sentinel b/governance/second-generation/cloud-agnostic/test/require-all-resources-from-pmr/mock-tfconfig-fail-0.12.sentinel
@@ -71,6 +71,21 @@ _modules = {
 					},
 				},
 			},
+			"aws_security_group_rule": {
+				"allow_all": {
+					"config": {
+						"cidr_blocks": [
+							"0.0.0.0/0",
+						],
+						"from_port":         0,
+						"protocol":          "tcp",
+						"security_group_id": "sg-0ecaf664fe45ff737",
+						"to_port":           65535,
+						"type":              "ingress",
+					},
+					"provisioners": null,
+				},
+			},
 		},
 		"variables": {},
 	},
