plan policy to warn on any resource changes

spacelift-io · Dec 29, 2023 · 1fd5928 · 1fd5928
1 parent e61a21f
commit 1fd5928
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -84,6 +84,7 @@ _Access policies have been deprecated. Please [read this](./access/README.md) fo
 - [Trusted engineers bypass review](./plan/trusted-engineers-bypass-review.rego)
 - [Terrascan violated policies](./plan/terrascan-violated-policies.rego)
 - [Tfsec high severity issues](./plan/tfsec-high-severity-issues.rego)
+- [Warn On any Resource Actions](./plan/warn-on-any-resource-actions.rego)
 - [Warn On Change To Sensitive Resources](./plan/warn-on-change-senstitive-resources.rego)
 
 ### Push Policy

diff --git a/plan/warm-on-any-resource-actions_test.rego b/plan/warm-on-any-resource-actions_test.rego
@@ -0,0 +1,22 @@
+package spacelift
+
+# Test: No warning for non-destructive actions
+test_no_warning_for_non_destructive {
+	warn_set := {msg | msg := warn[_]}
+	count(warn_set) == 0 with input as {"terraform": {"resource_changes": [{"address": "aws_instance.example", "change": {"actions": ["change"]}}]}}
+}
+
+# Test: Warning for a deleted resource
+test_warning_for_deleted_resource {
+	warn with input as {"terraform": {"resource_changes": [{"address": "aws_instance.example", "change": {"actions": ["delete"]}}]}} == {"Warning: Resource 'aws_instance.example' is being deleted"}
+}
+
+# Test: Warning for a recreated resource
+test_warning_for_recreated_resource {
+	warn with input as {"terraform": {"resource_changes": [{"address": "aws_instance.example", "change": {"actions": ["create"]}}]}} == {"Warning: Resource 'aws_instance.example' is being created"}
+}
+
+# Test: Warning for a recreated resource
+test_warning_for_recreated_resource {
+	warn with input as {"terraform": {"resource_changes": [{"address": "aws_instance.example", "update": {"actions": ["update"]}}]}} == {"Warning: Resource 'aws_instance.example' is being updated"}
+}
diff --git a/plan/warn-on-any-resource-actions.rego b/plan/warn-on-any-resource-actions.rego
@@ -0,0 +1,22 @@
+package spacelift
+
+# Helper rule to generate warning messages for resources being deleted, created or updated
+warn[msg] {
+	resource := input.terraform.resource_changes[_]
+	action := resource.change.actions[_]
+	is_destructive_action(action)
+	msg := sprintf("Warning: Resource '%s' is being %sd", [resource.address, action])
+}
+
+# Helper function to determine if an action is 'delete', 'create' or 'update'
+is_destructive_action(action) {
+	action == "delete"
+}
+
+is_destructive_action(action) {
+	action == "create"
+}
+
+is_destructive_action(action) {
+	action == "update"
+}