Terraform rules working

2025-05-16 14:00:50 +03:00
commit f4d28d47a9
13 changed files with 857 additions and 0 deletions
--- a/terraform/policy/policy_test.rego
+++ b/terraform/policy/policy_test.rego
@@ -0,0 +1,184 @@
+package main
+
+# Test data
+mock_secure_vm := {
+    "type": "proxmox_vm_qemu",
+    "name": "secure_vm",
+    "values": {
+        "cipassword": "",
+        "ciuser": "admin",
+        "agent": 1,
+        "network": [{
+            "bridge": "vmbr2"
+        }],
+        "skip_ipv6": true,
+        "memory": 2048,
+        "desc": "Production web server",
+        "scsihw": "virtio-scsi-pci",
+        "cpu": "host",
+        "backup": true,
+        "tags": "prod,web"
+    }
+}
+
+mock_insecure_vm := {
+    "type": "proxmox_vm_qemu",
+    "name": "insecure_vm",
+    "values": {
+        "cipassword": "password123",
+        "ciuser": "root",
+        "agent": 0,
+        "network": [{
+            "bridge": "vmbr0"
+        }],
+        "skip_ipv6": false,
+        "memory": 256,
+        "desc": "",
+        "scsihw": "lsi",
+        "cpu": "",
+        "backup": false,
+        "tags": ""
+    }
+}
+
+mock_input_secure := {
+    "planned_values": {
+        "root_module": {
+            "resources": [mock_secure_vm]
+        }
+    },
+    "configuration": {
+        "provider_config": {
+            "proxmox": {
+                "expressions": {
+                    "pm_tls_insecure": {
+                        "constant_value": false
+                    }
+                }
+            }
+        },
+        "terraform": {
+            "required_providers": {
+                "proxmox": {
+                    "version_constraint": "=2.9.14"
+                }
+            }
+        }
+    }
+}
+
+mock_input_insecure := {
+    "planned_values": {
+        "root_module": {
+            "resources": [mock_insecure_vm]
+        }
+    },
+    "configuration": {
+        "provider_config": {
+            "proxmox": {
+                "expressions": {
+                    "pm_tls_insecure": {
+                        "constant_value": true
+                    }
+                }
+            }
+        },
+        "terraform": {
+            "required_providers": {
+                "proxmox": {
+                    "version_constraint": "~2.9.14"
+                }
+            }
+        }
+    }
+}
+
+# Test secure configuration passes
+test_secure_config {
+    input := mock_input_secure
+    count(deny) == 0
+}
+
+# Test password authentication
+test_password_auth {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' uses password authentication. Use SSH keys only."]
+}
+# Deny if VM does not have proper tags for identification
+deny[msg] {
+    vm := get_vms[_]
+    is_empty(vm.values.tags)
+    msg := sprintf("VM '%s' must have tags for proper identification and management.", [vm.name])
+}
+# Test qemu agent
+test_qemu_agent {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' does not have qemu-agent enabled (agent = 1)."]
+}
+
+# Test network bridge
+test_network_bridge {# Deny if VM does not have proper tags for identification
+deny[msg] {
+    vm := get_vms[_]
+    is_empty(vm.values.tags)
+    msg := sprintf("VM '%s' must have tags for proper identification and management.", [vm.name])
+}abled (skip_ipv6 = true)."]
+}
+
+# Test TLS verification
+test_tls_verification {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["TLS verification must be enabled (pm_tls_insecure = false)"]
+}
+
+# Test provider version pinning
+test_provider_version {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["Provider version must be pinned with '=' constraint"]
+}
+
+# Test minimum memory requirement
+test_minimum_memory {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' has insufficient memory (256MB). Minimum required: 512MB."]
+}
+
+# Test VM description requirement
+test_vm_description {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' must have a description for documentation purposes."]
+}
+
+# Test SCSI controller requirement
+test_scsi_controller {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' uses default SCSI controller. Use virtio-scsi-pci for better performance."]
+}
+
+# Test CPU type requirement
+test_cpu_type {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' must have CPU type explicitly set for consistent performance."]
+}
+
+# Test backup requirement
+test_backup_enabled {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' must have backup enabled for disaster recovery."]
+}
+
+# Test tags requirement
+test_tags_required {
+    input := mock_input_insecure
+    deny_msgs := {msg | msg := deny[_]}
+    deny_msgs["VM 'insecure_vm' must have tags for proper identification and management."]
+}