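# Unit tests for the Proxmox VM policy in package `main`.
#
# Every test evaluates the `deny` set against one of two hand-written fixtures.
# `deny` is defined by the policy file (not in this file).
#
# How to read a pass:
#   - Each negative test proves only that one message is present for the
#     all-bad fixture. The two fixtures differ in every field at once, so a
#     rule keyed on the wrong field would still pass here.
#   - mock_input_insecure also sets ciuser = "root", skip_ipv6 = false,
#     backup = false, cpu = "" and tags = "", but no test in this file asserts
#     a deny message for them. If the policy has rules for those fields, they
#     are untested here.
package main

# `if` is a keyword only under Rego v1 syntax; the import keeps this file
# parseable on OPA releases that still default to v0 syntax.
import rego.v1

# Compliant fixture: expected to produce no deny messages at all.
# NOTE(review): the version constraint sits under configuration.terraform.required_providers.
# As far as I know `terraform show -json` reports it under
# configuration.provider_config.<name>.version_constraint. Confirm the policy is also
# exercised against real plan output, otherwise the pinning rule may never fire in practice.
mock_input_secure := {
    "variables": {"pm_tls_insecure": {"value": false}},
    "planned_values": {"root_module": {"resources": [{
        "type": "proxmox_vm_qemu",
        "name": "secure_vm",
        "values": {
            "cipassword": "",
            "ciuser": "admin",
            "agent": 1,
            "network": [{"bridge": "vmbr2"}],
            "skip_ipv6": true,
            "memory": 2048,
            "desc": "Production web server",
            "scsihw": "virtio-scsi-pci",
            "cpu": "host",
            "backup": true,
            "tags": "prod,web",
        },
    }]}},
    "configuration": {
        "provider_config": {"proxmox": {"expressions": {"pm_tls_insecure": {"constant_value": false}}}},
        "terraform": {"required_providers": {"proxmox": {"version_constraint": "=2.9.14"}}},
    },
}

# Non-compliant fixture: every checked field is set to a violating value.
# "password123" is a constructed sample value, not a real credential.
# NOTE(review): pm_tls_insecure is set both under `variables` and as a provider
# `constant_value`, so the TLS test cannot show which of the two the policy reads.
# A provider block that takes the flag from a variable appears in plan JSON as
# `references`, not `constant_value`. Confirm the policy handles that form too.
# NOTE(review): confirm how cipassword appears in real plan JSON when the provider
# marks it sensitive; a masked or omitted value could defeat a non-empty-string check.
mock_input_insecure := {
    "variables": {"pm_tls_insecure": {"value": true}},
    "planned_values": {"root_module": {"resources": [{
        "type": "proxmox_vm_qemu",
        "name": "insecure_vm",
        "values": {
            "cipassword": "password123",
            "ciuser": "root",
            "agent": 0,
            "network": [{"bridge": "vmbr0"}],
            "skip_ipv6": false,
            "memory": 256,
            "desc": "",
            "scsihw": "lsi",
            "cpu": "",
            "backup": false,
            "tags": "",
        },
    }]}},
    "configuration": {
        "provider_config": {"proxmox": {"expressions": {"pm_tls_insecure": {"constant_value": true}}}},
        "terraform": {"required_providers": {"proxmox": {"version_constraint": "~2.9.14"}}},
    },
}

# Test secure configuration passes
test_secure_config if {
    count(deny) == 0 with input as mock_input_secure
}

# Test password authentication
test_password_auth if {
    deny["VM 'insecure_vm' uses password authentication. Use SSH keys only."] with input as mock_input_insecure
}

# Test qemu agent
test_qemu_agent if {
    deny["VM 'insecure_vm' does not have qemu-agent enabled (agent = 1)."] with input as mock_input_insecure
}

# Test network bridge
# NOTE(review): this message was split by a line break in the source and is rejoined
# here with a single space; confirm it matches the policy's message byte for byte.
test_network_bridge if {
    deny["VM 'insecure_vm' uses insecure network bridge 'vmbr0'. Use 'vmbr2'."] with input as mock_input_insecure
}

# Test TLS verification
test_tls_verification if {
    deny["TLS verification must be enabled (pm_tls_insecure = false)"] with input as mock_input_insecure
}

# Test provider version pinning
test_provider_version if {
    deny["Provider version must be pinned with '=' constraint"] with input as mock_input_insecure
}

# Test minimum memory requirement
test_minimum_memory if {
    deny["VM 'insecure_vm' has insufficient memory (256MB). Minimum required: 512MB."] with input as mock_input_insecure
}

# Test VM description requirement
test_vm_description if {
    deny["VM 'insecure_vm' must have a description for documentation purposes."] with input as mock_input_insecure
}

# Test SCSI controller requirement
test_scsi_controller if {
    deny["VM 'insecure_vm' uses default SCSI controller. Use virtio-scsi-pci for better performance."] with input as mock_input_insecure
}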