fix issue that block opa reading resources defined in child modules
lonegunmanb committed Feb 20, 2025
1 parent b404505 commit 7cb7bd4
Showing 2 changed files with 139 additions and 13 deletions.
38 changes: 25 additions & 13 deletions policy/common/common.utils.rego
@@ -35,25 +35,37 @@ _resource(_input) := output if {
}

_resource(_input) := output if {
_input.values.root_module.resources == _input.values.root_module.resources
output := {
body |
r := _input.values.root_module.resources[_]
body := {
"address": r.address,
"values": r.values,
"mode": r.mode,
"type": r.type,
}
}
_input.values.root_module == _input.values.root_module
root_resources := [
body |
r := _input.values.root_module.resources[_]
body := {
"address": r.address,
"values": r.values,
"mode": r.mode,
"type": r.type,
}
]
child_resources := [
body |
cm := _input.values.root_module.child_modules[_]
r := cm.resources[_]
body := {
"address": r.address,
"values": r.values,
"mode": r.mode,
"type": r.type,
}
]
output := array.concat(root_resources, child_resources)
}

resource(_input, resource_type) := {
resource(_input, resource_type) := [
resource |
some resource in _resource(_input)
resource.mode == "managed"
resource.type == resource_type
}
]

is_create_or_update(change_actions) if {
change_actions[count(change_actions) - 1] == ["create", "update"][_]
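Review bot: The new `child_resources` comprehension reads only `_input.values.root_module.child_modules[_].resources`, so a resource declared in a module nested inside another module is still never returned by `_resource`, and every policy built on `resource()` passes it without evaluating it. Assuming `_input` is Terraform's `show -json` output, as the test fixtures suggest, each `child_modules` entry can carry its own `child_modules`; Rego rules cannot recurse, so the usual approach is `walk` with a path filter that accepts only `child_modules`/index pairs followed by `resources`/index, sketched below. Result order from `walk` should not be relied on, so the index-based assertions in the test file (`null_resources[1]`) would need to become membership checks. Separately, `resource()` now returns an array where it appears to have returned a set; callers are outside this page, and any that apply set operators to the result would become undefined, which for a deny rule means no violation is reported.

```rego
_resource(_input) := output if {
	_input.values.root_module == _input.values.root_module
	output := [
		body |
		walk(_input.values.root_module, [path, r])
		_is_module_resource_path(path)
		# … unchanged: body := {"address", "values", "mode", "type"} …
	]
}

# Accepts ["resources", i] preceded by zero or more ["child_modules", j]
# pairs, so an attribute named "resources" inside a resource's values is
# not treated as a module's resource list.
_is_module_resource_path(path) if {
	n := count(path)
	n >= 2
	n % 2 == 0
	path[n - 2] == "resources"
	module_prefix := array.slice(path, 0, n - 2)
	count([i | some i, segment in module_prefix; i % 2 == 0; segment != "child_modules"]) == 0
}
```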
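--- a/policy/common/common.utils_test.rego
+++ b/policy/common/common.utils_test.rego
@@ -92,6 +92,120 @@ test_resource_values_root_module_resources if {
 resource.type == "azurerm_cosmosdb_account"
 }
 
+test_resource_values_child_module_resources if {
+_input := {
+"values": {
+"root_module": {
+"resources": [
+{
+"address": "azurerm_cosmosdb_account.example",
+"values": {
+"backup": [
+{
+"type": "Continuous"
+}
+]
+},
+"mode": "managed",
+"type": "azurerm_cosmosdb_account"
+}
+],
+"child_modules": [
+{
+"address": "module.sub",
+"resources": [
+{
+"address": "module.sub.null_resource.res",
+"mode": "managed",
+"type": "null_resource",
+"values": {
+"id": "2822366925496045444",
+"triggers": null
+},
+}
+]
+},
+{
+"address": "module.sub2",
+"resources": [
+{
+"address": "module.sub2.null_resource.res",
+"mode": "managed",
+"type": "null_resource",
+"values": {
+"id": "2822366925496045445",
+"triggers": null
+},
+}
+]
+},
+]
+}
+}
+}
+cosmosdb_resources := utils.resource(_input, "azurerm_cosmosdb_account")
+count(cosmosdb_resources) == 1
+cosmosdb := cosmosdb_resources[_]
+cosmosdb.address == "azurerm_cosmosdb_account.example"
+cosmosdb.values.backup[0].type == "Continuous"
+cosmosdb.mode == "managed"
+cosmosdb.type == "azurerm_cosmosdb_account"
+
+null_resources := utils.resource(_input, "null_resource")
+count(null_resources) == 2
+null_resource := null_resources[1]
+null_resource.address == "module.sub2.null_resource.res"
+null_resource.values.id == "2822366925496045445"
+null_resource.mode == "managed"
+null_resource.type == "null_resource"
+}
+
+test_resource_values_child_module_resources_only if {
+_input := {
+"values": {
+"root_module": {
+"child_modules": [
+{
+"address": "module.sub",
+"resources": [
+{
+"address": "module.sub.null_resource.res",
+"mode": "managed",
+"type": "null_resource",
+"values": {
+"id": "2822366925496045444",
+"triggers": null
+},
+}
+]
+},
+{
+"address": "module.sub2",
+"resources": [
+{
+"address": "module.sub2.null_resource.res",
+"mode": "managed",
+"type": "null_resource",
+"values": {
+"id": "2822366925496045445",
+"triggers": null
+},
+}
+]
+},
+]
+}
+}
+}
+null_resources := utils.resource(_input, "null_resource")
+count(null_resources) == 2
+null_resource := null_resources[1]
+null_resource.address == "module.sub2.null_resource.res"
+null_resource.values.id == "2822366925496045445"
+null_resource.mode == "managed"
+null_resource.type == "null_resource"
+}
+
 test_is_create_or_update if {
 data.utils.is_create_or_update(["create"])
 data.utils.is_create_or_update(["update", "create"])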
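Review bot: Both new fixtures put only `"mode": "managed"` entries under `child_modules`, so the `resource.mode == "managed"` filter is never exercised for module resources and the tests would still pass if it were skipped for them. Adding a `"mode": "data"` entry to `module.sub` and keeping `count(null_resources) == 2` would pin that behaviour. A fixture with a module nested inside `module.sub` would also document how deep the helper is expected to look, which neither test currently states.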
