[Add] Updated conftest to latest version, policies updated, precommit hook also updated
This commit is contained in:
@@ -7,7 +7,7 @@ import input
|
||||
vms := [r | r := input.planned_values.root_module.resources[_]; r.type == "proxmox_vm_qemu"]
|
||||
|
||||
# Helper function to check if a value is empty or undefined
|
||||
is_empty(value) {
|
||||
is_empty(value) if {
|
||||
value == ""
|
||||
} {
|
||||
value == null
|
||||
@@ -19,28 +19,28 @@ is_empty(value) {
|
||||
min_memory = 512
|
||||
|
||||
# Deny if VM allows password authentication
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
not is_empty(vm.values.cipassword)
|
||||
msg := sprintf("VM '%s' uses password authentication. Use SSH keys only.", [vm.name])
|
||||
}
|
||||
|
||||
# Deny if VM allows root login
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
vm.values.ciuser == "root"
|
||||
msg := sprintf("VM '%s' allows root login. Use a non-root user.", [vm.name])
|
||||
}
|
||||
|
||||
# Deny if qemu-agent is not enabled
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
vm.values.agent != 1
|
||||
msg := sprintf("VM '%s' does not have qemu-agent enabled (agent = 1).", [vm.name])
|
||||
}
|
||||
|
||||
# Deny if VM uses insecure network bridge
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
net := vm.values.network[_]
|
||||
net.bridge != "vmbr2"
|
||||
@@ -48,28 +48,28 @@ deny[msg] {
|
||||
}
|
||||
|
||||
# Deny if IPv6 is not disabled
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
not vm.values.skip_ipv6
|
||||
msg := sprintf("VM '%s' does not have IPv6 disabled (skip_ipv6 = true).", [vm.name])
|
||||
}
|
||||
|
||||
# Deny if TLS verification is disabled
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
tls_enabled := input.variables.pm_tls_insecure.value
|
||||
tls_enabled == true
|
||||
msg := "TLS verification must be enabled (pm_tls_insecure = false)"
|
||||
}
|
||||
|
||||
# Deny if provider version is not pinned
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
provider := input.configuration.terraform.required_providers.proxmox
|
||||
not startswith(provider.version_constraint, "=")
|
||||
msg := "Provider version must be pinned with '=' constraint"
|
||||
}
|
||||
|
||||
# Deny if VM memory is below minimum requirement
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
memory := to_number(vm.values.memory)
|
||||
memory < min_memory
|
||||
@@ -77,20 +77,20 @@ deny[msg] {
|
||||
}
|
||||
|
||||
# Deny if VM does not have a description
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
is_empty(vm.values.desc)
|
||||
msg := sprintf("VM '%s' must have a description for documentation purposes.", [vm.name])
|
||||
}
|
||||
|
||||
# Deny if VM uses default SCSI controller
|
||||
deny[msg] {
|
||||
deny contains msg if {
|
||||
some vm in vms
|
||||
vm.values.scsihw == "lsi"
|
||||
msg := sprintf("VM '%s' uses default SCSI controller. Use virtio-scsi-pci for better performance.", [vm.name])
|
||||
}
|
||||
|
||||
# Test rule to verify policy is loaded
|
||||
test_policy_loaded {
|
||||
test_policy_loaded if {
|
||||
true
|
||||
}
|
||||
Reference in New Issue
Block a user