package main
# Fixture: a Terraform plan (shape of `terraform show -json`) that the policy
# in this package is expected to accept without producing any `deny` message.
# Every field is the "passing" counterpart of the matching field in
# mock_input_insecure; test_secure_config asserts count(deny) == 0 on it.
mock_input_secure := {
	# Root-module input variables as they appear in plan JSON.
	"variables": {
		"pm_tls_insecure": {
			# Kept consistent with configuration.provider_config below, so the
			# fixture passes whichever of the two locations the policy reads.
			"value": false
		}
	},
	"planned_values": {
		"root_module": {
			"resources": [
				{
					"type": "proxmox_vm_qemu",
					"name": "secure_vm",
					"values": {
						# Empty string stands for "no cloud-init password".
						# NOTE(review): a real plan most likely renders an unset
						# optional attribute as null rather than "" — confirm the
						# policy treats both as "no password" before relying on
						# this fixture alone.
						"cipassword": "",
						"ciuser": "admin",
						# qemu guest agent enabled (test_qemu_agent expects 1).
						"agent": 1,
						"network": [
							{
								# The bridge the network-bridge test names as accepted.
								"bridge": "vmbr2"
							}
						],
						"skip_ipv6": true,
						# Above the 512MB minimum stated in test_minimum_memory.
						"memory": 2048,
						"desc": "Production web server",
						"scsihw": "virtio-scsi-pci",
						"cpu": "host",
						"backup": true,
						"tags": "prod,web"
					}
				}
			]
		}
	},
	"configuration": {
		"provider_config": {
			"proxmox": {
				"expressions": {
					"pm_tls_insecure": {
						"constant_value": false
					}
				}
			}
		},
		"terraform": {
			"required_providers": {
				"proxmox": {
					# Exact pin: test_provider_version expects a leading "=".
					"version_constraint": "=2.9.14"
				}
			}
		}
	}
}
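# Fixture: a Terraform plan in which every attribute the policy checks is set
# to a value the policy is expected to reject. Each test_* rule in this file
# asserts that one specific deny message is produced for this input.
mock_input_insecure := {
	"variables": {
		"pm_tls_insecure": {
			# Disables provider TLS verification; mirrored under
			# configuration.provider_config so a policy reading either
			# location sees the same value.
			"value": true
		}
	},
	"planned_values": {
		"root_module": {
			"resources": [
				{
					"type": "proxmox_vm_qemu",
					"name": "insecure_vm",
					"values": {
						# Dummy value: a non-empty cloud-init password is what
						# test_password_auth expects to be denied.
						"cipassword": "password123",
						# ciuser, skip_ipv6, cpu, backup and tags are set to the
						# opposite of the secure fixture but no test in this file
						# asserts on them; they are not exercised yet.
						"ciuser": "root",
						"agent": 0,
						"network": [
							{
								"bridge": "vmbr0"
							}
						],
						"skip_ipv6": false,
						"memory": 256,
						"desc": "",
						"scsihw": "lsi",
						"cpu": "",
						"backup": false,
						"tags": ""
					}
				}
			]
		}
	},
	"configuration": {
		"provider_config": {
			"proxmox": {
				"expressions": {
					"pm_tls_insecure": {
						"constant_value": true
					}
				}
			}
		},
		"terraform": {
			"required_providers": {
				"proxmox": {
					# Floating (pessimistic) constraint, not an exact pin.
					# "~" on its own is not a Terraform constraint operator
					# (only "~>" is), so the previous "~2.9.14" could never
					# appear in a real plan; "~> 2.9.14" is the realistic
					# unpinned form and still lacks the leading "=" that
					# test_provider_version expects the policy to require.
					"version_constraint": "~> 2.9.14"
				}
			}
		}
	}
}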
# The policy must stay completely silent on the secure fixture: zero deny
# messages from any rule. Binding the set first keeps the `with` override
# on a single expression and leaves the counted value easy to inspect when
# a run fails.
test_secure_config if {
	denials := deny with input as mock_input_secure
	count(denials) == 0
}
# A non-empty cloud-init password on the VM must be denied.
# NOTE(review): this only covers a password that is known at plan time.
# A value computed at apply time (e.g. from a random_password resource)
# is, as far as I know, omitted from planned_values in plan JSON, so a
# policy that reads values.cipassword would not see it — a second fixture
# for that case is worth adding; confirm against a real plan.
test_password_auth if {
	expected := "VM 'insecure_vm' uses password authentication. Use SSH keys only."
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# agent = 0 on the VM must be denied; the secure fixture uses agent = 1,
# which the deny message itself names as the required setting.
test_qemu_agent if {
	expected := "VM 'insecure_vm' does not have qemu-agent enabled (agent = 1)."
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# A VM attached to vmbr0 must be denied. The message names vmbr2 as the
# only accepted bridge, so both the rule and this test hard-code
# site-specific bridge names; they will need updating if the bridge
# layout changes.
test_network_bridge if {
	expected := "VM 'insecure_vm' uses insecure network bridge 'vmbr0'. Use 'vmbr2'."
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# Disabling provider TLS verification must be denied. The insecure fixture
# sets pm_tls_insecure = true both as a variable value and as the
# provider's constant_value, so this passes whichever location the policy
# reads. A fixture that sets only one of the two would reveal which one
# the policy actually inspects.
test_tls_verification if {
	expected := "TLS verification must be enabled (pm_tls_insecure = false)"
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# A provider constraint without a leading "=" must be denied. The insecure
# fixture carries a floating constraint; an exact pin matters because a
# floating one lets a newer provider build be pulled in without any change
# to the configuration under review.
test_provider_version if {
	expected := "Provider version must be pinned with '=' constraint"
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# A VM with 256MB must be denied; the message states the 512MB minimum,
# so the threshold lives in the policy and this test only pins the text.
test_minimum_memory if {
	expected := "VM 'insecure_vm' has insufficient memory (256MB). Minimum required: 512MB."
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# An empty desc on the VM must be denied (the insecure fixture has
# desc = "").
test_vm_description if {
	expected := "VM 'insecure_vm' must have a description for documentation purposes."
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
# scsihw = "lsi" must be denied. The message itself motivates this with
# performance, so this is a configuration-hygiene rule rather than a
# security control; keep that in mind when deciding how hard it should fail.
test_scsi_controller if {
	expected := "VM 'insecure_vm' uses default SCSI controller. Use virtio-scsi-pci for better performance."
	msgs := deny with input as mock_input_insecure
	msgs[expected]
}
|
} |