So this has taken me 24+ hours to figure out. All docs, references to using OPA
with Terraform are about testing the plan. I want some static analysis on raw
.tf
files. An OPA based linter if you will.
First thing I ran into was iterating over an object, then being able to use
it's key. In Python I'd do: for k,v in dict
. In Rego, we do hash[key], then
just go and use key
wherever. ¯\_(ツ)_/¯ Maybe this will make more sense
the more I use Rego.
Second thing, I think I was being caught out by was: "Universal Quantification".
So in my policy where I have not key == computed
, I had used key != computed
which, maybe this will make sense in the future, but right now. Mind blown.
Anyway, the thing you've been waiting for. Some examples.
So if we take our main.tf
and module.rego
and run them like so with the handy
tool called conftest
.
$ conftest test main.tf -p policy/module.rego
FAIL - main.tf - main - Module name: foo_app_uk_prod, does not match computed configuration: foo_app_uk_stage
1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions
We can see that we have one failure. This policy/linter is trying to ensure the module name matches the configuration passed to it.
Looks like we've messed up when copy and pasting. Our app config, let's update
line 7 to say prod
and run conftest
again:
$ conftest test main.tf -p policy/module.rego
1 test, 1 passed, 0 warnings, 0 failures, 0 exceptions
Much better.