[Add] Updated conftest to latest version, policies updated, precommit hook also updated

2025-05-23 22:21:21 +03:00
parent 8a0ae2e8fb
commit 5f39f381c1
28 changed files with 838 additions and 126 deletions


@@ -109,47 +109,46 @@ mock_input_insecure := {
}
# Test secure configuration passes
test_secure_config {
input := mock_input_secure
count(deny) == 0
test_secure_config if {
count(deny) == 0 with input as mock_input_secure
}
# Test password authentication
test_password_auth {
test_password_auth if {
deny["VM 'insecure_vm' uses password authentication. Use SSH keys only."] with input as mock_input_insecure
}
# Test qemu agent
test_qemu_agent {
test_qemu_agent if {
deny["VM 'insecure_vm' does not have qemu-agent enabled (agent = 1)."] with input as mock_input_insecure
}
# Test network bridge
test_network_bridge {
test_network_bridge if {
deny["VM 'insecure_vm' uses insecure network bridge 'vmbr0'. Use 'vmbr2'."] with input as mock_input_insecure
}
# Test TLS verification
test_tls_verification {
test_tls_verification if {
deny["TLS verification must be enabled (pm_tls_insecure = false)"] with input as mock_input_insecure
}
# Test provider version pinning
test_provider_version {
test_provider_version if {
deny["Provider version must be pinned with '=' constraint"] with input as mock_input_insecure
}
# Test minimum memory requirement
test_minimum_memory {
test_minimum_memory if {
deny["VM 'insecure_vm' has insufficient memory (256MB). Minimum required: 512MB."] with input as mock_input_insecure
}
# Test VM description requirement
test_vm_description {
test_vm_description if {
deny["VM 'insecure_vm' must have a description for documentation purposes."] with input as mock_input_insecure
}
# Test SCSI controller requirement
test_scsi_controller {
test_scsi_controller if {
deny["VM 'insecure_vm' uses default SCSI controller. Use virtio-scsi-pci for better performance."] with input as mock_input_insecure
}
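Review bot: Every negative test from `test_password_auth` to `test_scsi_controller` evaluates the same `mock_input_insecure` fixture, so each one only shows that its message appears when all violations are present together. None of them shows that a rule fires on its own, or that it still fires when the attribute is missing rather than set to a bad value. For the security-relevant checks (TLS verification, password authentication, provider pinning), a fail-closed case built from the secure fixture would cover this, for example `count(deny) > 0 with input as json.remove(mock_input_secure, ["<path/to/pm_tls_insecure>"])`. The path there is a placeholder because the fixture layout is outside this hunk, and whether an omitted key should be denied depends on the policy's intent. The new `if` rule heads also need `import rego.v1` (or `future.keywords.if`) unless the suite runs on OPA 1.0 or later. The import block is not visible here, so that should be confirmed.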