Terraform rules working

2025-05-16 14:00:50 +03:00
commit f4d28d47a9
13 changed files with 857 additions and 0 deletions
--- a/terraform/policy/main.rego
+++ b/terraform/policy/main.rego
@@ -0,0 +1,99 @@
+package main
+
+# Import the raw input instead of using tfplan alias
+import input
+
+# Helper function to get VM resources
+get_vms = vms {
+    planned_values := input.planned_values
+    vms := [r | r := planned_values.root_module.resources[_]; r.type == "proxmox_vm_qemu"]
+}
+
+# Helper function to check if a value is empty or undefined
+is_empty(value) {
+    value == ""
+} {
+    value == null
+} {
+    not value
+}
+
+# Helper function to check minimum memory requirements (in MB)
+min_memory = 512
+
+# Deny if VM allows password authentication
+deny[msg] {
+    vm := get_vms[_]
+    not is_empty(vm.values.cipassword)
+    msg := sprintf("VM '%s' uses password authentication. Use SSH keys only.", [vm.name])
+}
+
+# Deny if VM allows root login
+deny[msg] {
+    vm := get_vms[_]
+    vm.values.ciuser == "root"
+    msg := sprintf("VM '%s' allows root login. Use a non-root user.", [vm.name])
+}
+
+# Deny if qemu-agent is not enabled
+deny[msg] {
+    vm := get_vms[_]
+    vm.values.agent != 1
+    msg := sprintf("VM '%s' does not have qemu-agent enabled (agent = 1).", [vm.name])
+}
+
+# Deny if VM uses insecure network bridge
+deny[msg] {
+    vm := get_vms[_]
+    net := vm.values.network[_]
+    net.bridge != "vmbr2"
+    msg := sprintf("VM '%s' uses insecure network bridge '%s'. Use 'vmbr2'.", [vm.name, net.bridge])
+}
+
+# Deny if IPv6 is not disabled
+deny[msg] {
+    vm := get_vms[_]
+    not vm.values.skip_ipv6
+    msg := sprintf("VM '%s' does not have IPv6 disabled (skip_ipv6 = true).", [vm.name])
+}
+
+# Deny if TLS verification is disabled
+deny[msg] {
+    provider := input.configuration.provider_config.proxmox
+    provider.expressions.pm_tls_insecure.constant_value == true
+    msg := "TLS verification must be enabled (pm_tls_insecure = false)"
+}
+
+# Deny if provider version is not pinned
+deny[msg] {
+    provider := input.configuration.terraform.required_providers.proxmox
+    not startswith(provider.version_constraint, "=")
+    msg := "Provider version must be pinned with '=' constraint"
+}
+
+# Deny if VM memory is below minimum requirement
+deny[msg] {
+    vm := get_vms[_]
+    memory := to_number(vm.values.memory)
+    memory < min_memory
+    msg := sprintf("VM '%s' has insufficient memory (%dMB). Minimum required: %dMB.", [vm.name, memory, min_memory])
+}
+
+# Deny if VM does not have a description
+deny[msg] {
+    vm := get_vms[_]
+    is_empty(vm.values.desc)
+    msg := sprintf("VM '%s' must have a description for documentation purposes.", [vm.name])
+}
+
+# Deny if VM uses default SCSI controller
+deny[msg] {
+    vm := get_vms[_]
+    vm.values.scsihw == "lsi"
+    msg := sprintf("VM '%s' uses default SCSI controller. Use virtio-scsi-pci for better performance.", [vm.name])
+}
+
+# Test rule to verify policy is loaded
+test_policy_loaded {
+    true
+}