prepare for rego v1

policy/Azure-Proactive-Resiliency-Library-v2/azapi/containerservice/aks/microsoft_container_service_managedClusters_agentPoolProfiles_availabilityZones.rego

@@ -1,11 +1,13 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_ContainerService_managedClusters
 
-valid_zones(after) {
+import rego.v1
+
+valid_zones(after) if {
     pool := after.body.properties.agentPoolProfiles[_]
     count(pool.availabilityZones) >= 2
 }
 
-deny_configure_aks_default_node_pool_zones[reason] {
+deny_configure_aks_default_node_pool_zones contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/cosmos-db/microsoft_documentdb_databaseAccounts_backupPolicy_type.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_databaseAccounts
 
-valid_cosmosdb_account_backup_policy_type(after) {
+import rego.v1
+
+valid_cosmosdb_account_backup_policy_type(after) if {
     after.body.properties.backupPolicy.type == "Continuous"
 }
 
-deny_configure_cosmosdb_account_continuous_backup_mode[reason] {
+deny_configure_cosmosdb_account_continuous_backup_mode contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_backup_geo_redundant_backup.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_DBforMySQL_flexibleServers
 
-valid_geo_redundant_backup_enabled(after) {
+import rego.v1
+
+valid_geo_redundant_backup_enabled(after) if {
     after.body.properties.backup.geoRedundantBackup == "Enabled"
 }
 
-deny_mysql_flexible_server_geo_redundant_backup_enabled[reason] {
+deny_mysql_flexible_server_geo_redundant_backup_enabled contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/mysql/microsoft_db_for_mysql_flexibleServers_high_availability_mode.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_DBforMySQL_flexibleServers
 
-valid_high_availability_mode(after) {
+import rego.v1
+
+valid_high_availability_mode(after) if {
     after.body.properties.highAvailability.mode == "ZoneRedundant"
 }
 
-deny_mysql_flexible_server_high_availability_zone_redundant[reason] {
+deny_mysql_flexible_server_high_availability_zone_redundant contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_sku_name.rego

@@ -1,14 +1,16 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_applicationGateways
 
-valid_sku(resource) {
+import rego.v1
+
+valid_sku(resource) if {
     resource.change.after.body.properties.sku.name == "Standard_v2"
 }
 
-valid_sku(resource) {
+valid_sku(resource) if {
     resource.change.after.body.properties.sku.name == "WAF_v2"
 }
 
-deny_migrate_to_application_gateway_v2[reason] {
+deny_migrate_to_application_gateway_v2 contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_applicationGateways_zones.rego

@@ -1,11 +1,13 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_applicationGateways
 
-valid_zones(after) {
+import rego.v1
+
+valid_zones(after) if {
     after.body.zones
     count(after.body.zones) >= 2
 }
 
-deny_deploy_application_gateway_in_a_zone_redundant_configuration[reason] {
+deny_deploy_application_gateway_in_a_zone_redundant_configuration contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_outbound_rules.rego

@@ -1,14 +1,16 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_loadBalancers
 
-valid_outbound_rules(after) {
+import rego.v1
+
+valid_outbound_rules(after) if {
     count(after.body.properties.outboundRules) == 0
 }
 
-valid_outbound_rules(after) {
+valid_outbound_rules(after) if {
     not after.body.properties.outboundRules
 }
 
-deny_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer[reason] {
+deny_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azapi/network/microsoft_network_loadBalancers_sku.rego

@@ -1,11 +1,13 @@
 package Azure_Proactive_Resiliency_Library_v2.Microsoft_Network_loadBalancers
 
-valid_sku(after) {
+import rego.v1
+
+valid_sku(after) if {
     after.body.sku.name
     after.body.sku.name != "Basic"
 }
 
-deny_use_resilient_load_lalancer_sku[reason] {
+deny_use_resilient_load_lalancer_sku contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/containers/azurerm_kubernetes_cluster_default_node_pool_zones.rego

@@ -1,11 +1,13 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_kubernetes_cluster
 
-valid_zones(after) {
+import rego.v1
+
+valid_zones(after) if {
     pool := after.default_node_pool[_]
     count(pool.zones) >= 2
 }
 
-deny_configure_aks_default_node_pool_zones[reason] {
+deny_configure_aks_default_node_pool_zones contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/cosmos/azurerm_cosmosdb_account_backup_type.rego

@@ -1,10 +1,10 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_cosmosdb_account
 
-valid_cosmosdb_account_backup_policy_type(after) {
+valid_cosmosdb_account_backup_policy_type(after) if {
     after.backup[_].type == "Continuous"
 }
 
-deny_configure_cosmosdb_account_continuous_backup_mode[reason] {
+deny_configure_cosmosdb_account_continuous_backup_mode contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_outbound_rule.rego

@@ -1,6 +1,8 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_lb
 
-deny_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer[reason] {
+import rego.v1
+
+deny_use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/loadbalancer/azurerm_lb_sku.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_lb
 
-valid_sku(resource) {
+import rego.v1
+
+valid_sku(resource) if {
     resource.change.after.sku != "Basic"
 }
 
-deny_use_resilient_load_lalancer_sku[reason] {
+deny_use_resilient_load_lalancer_sku contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_geo_redundant_backup_enabled.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_mysql_flexible_server
 
-valid_geo_redundant_backup_enabled(resource) {
+import rego.v1
+
+valid_geo_redundant_backup_enabled(resource) if {
     resource.change.after.geo_redundant_backup_enabled == true
 }
 
-deny_mysql_flexible_server_geo_redundant_backup_enabled[reason] {
+deny_mysql_flexible_server_geo_redundant_backup_enabled contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/mysql/azurerm_mysql_flexible_server_high_availability_mode.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_mysql_flexible_server
 
-valid_high_availability_mode(resource) {
+import rego.v1
+
+valid_high_availability_mode(resource) if {
     resource.change.after.high_availability[_].mode == "ZoneRedundant"
 }
 
-deny_mysql_flexible_server_high_availability_mode_zone_redundant[reason] {
+deny_mysql_flexible_server_high_availability_mode_zone_redundant contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_sku_name.rego

@@ -1,14 +1,16 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_application_gateway
 
-valid_sku(resource) {
+import rego.v1
+
+valid_sku(resource) if {
     resource.change.after.sku[_].name == "Standard_v2"
 }
 
-valid_sku(resource) {
+valid_sku(resource) if {
     resource.change.after.sku[_].name == "WAF_v2"
 }
 
-deny_migrate_to_application_gateway_v2[reason] {
+deny_migrate_to_application_gateway_v2 contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/network/azurerm_application_gateway_zones.rego

@@ -1,11 +1,13 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_application_gateway
 
-valid_zones(after) {
+import rego.v1
+
+valid_zones(after) if {
     after.zones
     count(after.zones) >= 2
 }
 
-deny_deploy_application_gateway_in_a_zone_redundant_configuration[reason] {
+deny_deploy_application_gateway_in_a_zone_redundant_configuration contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/Azure-Proactive-Resiliency-Library-v2/azurerm/postgres/azurerm_postgresql_flexible_server_high_availability_mode.rego

@@ -1,10 +1,12 @@
 package Azure_Proactive_Resiliency_Library_v2.azurerm_postgresql_flexible_server
 
-valid_high_availability_mode(resource) {
+import rego.v1
+
+valid_high_availability_mode(resource) if {
     resource.change.after.high_availability[_].mode == "ZoneRedundant"
 }
 
-deny_postgresql_flexible_server_high_availability_mode_zone_redundant[reason] {
+deny_postgresql_flexible_server_high_availability_mode_zone_redundant contains reason if {
     tfplan := data.utils.tfplan(input)
     resource := tfplan.resource_changes[_]
     resource.mode == "managed"

policy/common/avm.utils.rego

@@ -1,15 +1,17 @@
 package utils
 
-tfplan(d) = output {
+import rego.v1
+
+tfplan(d) = output if {
     d.plan.resource_changes
     output := d.plan
 }
 
-tfplan(d) = output {
+tfplan(d) = output if {
     not d.plan.resource_changes
     output := d
 }
 
-is_azure_type(resource, azure_type) {
+is_azure_type(resource, azure_type) if {
     regex.match(sprintf("^%s@", [azure_type]), resource.type)
 }

policy/common/common.utils.rego

@@ -1,9 +1,11 @@
 package utils
 
-is_create_or_update(change_actions) {
+import rego.v1
+
+is_create_or_update(change_actions) if {
 	change_actions[count(change_actions) - 1] == ["create", "update"][_]
 }
 
-is_resource_create_or_update(resource) {
+is_resource_create_or_update(resource) if {
 	is_create_or_update(resource.change.actions)
 }

readme.md

@@ -14,20 +14,31 @@ conftest test --all-namespaces -p <path-to-policies>/policy <path-to-tfplan>
 
 ### [Azure-Proactive-Resiliency-Library-v2](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/)
 
-#### `Microsoft.ContainerService/managedClusters`
+* `Microsoft.ContainerService/managedClusters`
+
 [`configure_aks_default_node_pool_zones`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/ContainerService/managedClusters/#deploy-aks-cluster-across-availability-zones)
-#### `Microsoft.DocumentDB/databaseAccounts`
+
+* `Microsoft.DocumentDB/databaseAccounts`
+
 [`configure_cosmosdb_account_continuous_backup_mode`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DocumentDB/databaseAccounts/#configure-continuous-backup-mode)
-#### `Microsoft.Network/applicationGateways`
+
+* `Microsoft.Network/applicationGateways`
+
 [`migrate_to_application_gateway_v2`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#migrate-to-application-gateway-v2)
 [`deploy_application_gateway_in_a_zone_redundant_configuration`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/applicationGateways/#deploy-application-gateway-in-a-zone-redundant-configuration)
-#### `Microsoft.Network/loadBalancers`
+
+* `Microsoft.Network/loadBalancers`
+
 [`use_nat_gateway_instead_of_outbound_rules_for_production_load_lalancer`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-nat-gateway-instead-of-outbound-rules-for-production-workloads)
 [`use_resilient_load_lalancer_sku`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/Network/loadBalancers/#use-standard-load-balancer-sku)
-#### `Microsoft.DBforMySQL/flexibleServers`
+
+* `Microsoft.DBforMySQL/flexibleServers`
+
 [`mysql_flexible_server_high_availability_mode_zone_redundant`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#enable-ha-with-zone-redundancy)
 [`mysql_flexible_server_geo_redundant_backup_enabled`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforMySQL/flexibleServers/#configure-geo-redundant-backup-storage)
-#### `Microsoft.DBforPostgreSQL/flexibleServers`
+
+* `Microsoft.DBforPostgreSQL/flexibleServers`
+
 [`postgresql_flexible_server_high_availability_mode_zone_redundant`](https://azure.github.io/Azure-Proactive-Resiliency-Library-v2/azure-resources/DBforPostgreSQL/flexibleServers/#enable-ha-with-zone-redundancy)
 
 ## Apply(skip) policies