Add unit tests for plan policies

- Ignore rule length style rule for test files

.regal/config.yaml

@@ -11,6 +11,11 @@ rules:
       level: ignore
     todo-comment:
       level: ignore
+    rule-length:
+      level: ignore
+      ignore:
+        files:
+          - "*_test.rego"
   testing:
     test-outside-test-package:
       level: ignore

plan/check-blast-radius_test.rego

@@ -0,0 +1,57 @@
+package spacelift
+
+# Test case for blast radius below threshold for tracked run.
+test_check_blast_radius_below_threshold_tracked_run {
+	inp := {
+		"spacelift": {"run": {"type": "TRACKED"}},
+		"terraform": {"resource_changes": [{
+			"address": "aws_s3_bucket.my_bucket",
+			"type": "aws_s3_bucket",
+			"change": {"actions": ["delete"]},
+		}]},
+	}
+	count(deny) == 0 with input as inp
+	count(warn) == 0 with input as inp
+}
+
+# Test case for blast radius below threshold for proposed run.
+test_check_blast_radius_below_threshold_proposed_run {
+	inp := {
+		"spacelift": {"run": {"type": "PROPOSED"}},
+		"terraform": {"resource_changes": [{
+			"address": "aws_s3_bucket.my_bucket",
+			"type": "aws_s3_bucket",
+			"change": {"actions": ["delete"]},
+		}]},
+	}
+	count(deny) == 0 with input as inp
+	count(warn) == 0 with input as inp
+}
+
+# Test case for blast radius threshold exceeded for tracked run.
+test_check_blast_radius_threshold_exceeded_tracked_run {
+	inp := {
+		"spacelift": {"run": {"type": "TRACKED"}},
+		"terraform": {"resource_changes": [{
+			"address": "aws_ecs_cluster.one",
+			"type": "aws_ecs_cluster",
+			"change": {"actions": ["delete"]},
+		}]},
+	}
+	warn["change blast radius too high (200/100)"] with input as inp
+	count(deny) == 0 with input as inp
+}
+
+# Test case for blast radius threshold exceeded for proposed run.
+test_check_blast_radius_threshold_exceeded_proposed_run {
+	inp := {
+		"spacelift": {"run": {"type": "PROPOSED"}},
+		"terraform": {"resource_changes": [{
+			"address": "aws_ecs_cluster.one",
+			"type": "aws_ecs_cluster",
+			"change": {"actions": ["delete"]},
+		}]},
+	}
+	deny["change blast radius too high (200/100)"] with input as inp
+	count(warn) == 0 with input as inp
+}

plan/checkov-failed-checks_test.rego

@@ -0,0 +1,21 @@
+package spacelift
+
+# Test for failed checkov checks.
+test_checkov_less_than_10_failed_checks {
+	inp := {"third_party_metadata": {"custom": {"checkov": {"results": {"failed_checks": [
+		{"check_id": "CKV_AWS_1"},
+		{"check_id": "CKV_AWS_2"},
+		{"check_id": "CKV_AWS_3"},
+		{"check_id": "CKV_AWS_4"},
+		{"check_id": "CKV_AWS_5"},
+		{"check_id": "CKV_AWS_6"},
+		{"check_id": "CKV_AWS_7"},
+		{"check_id": "CKV_AWS_8"},
+		{"check_id": "CKV_AWS_9"},
+	]}}}}}
+	warn["You have a couple of failed checks: 9"] with input as inp
+}
+
+test_checkov_no_failed_checks {
+	count(warn) == 0 with input as {}
+}

plan/deny-proposed-runs-warn-track-runs_test.rego

@@ -0,0 +1,29 @@
+package spacelift
+
+# Test case warning for a tracked run.
+test_warn_tracked_runs {
+	inp := {
+		"spacelift": {"run": {"type": "TRACKED"}},
+		"terraform": {"resource_changes": [{
+			"address": "aws_iam_user.user_1",
+			"type": "aws_iam_user",
+			"change": {"actions": ["create"]},
+		}]},
+	}
+	count(deny) == 0 with input as inp
+	warn["Do not create IAM users: (aws_iam_user.user_1)"] with input as inp
+}
+
+# Test case deny for a proposed run.
+test_deny_proposed_runs {
+	inp := {
+		"spacelift": {"run": {"type": "PROPOSED"}},
+		"terraform": {"resource_changes": [{
+			"address": "aws_iam_user.user_1",
+			"type": "aws_iam_user",
+			"change": {"actions": ["create"]},
+		}]},
+	}
+	count(warn) == 0 with input as inp
+	deny["Do not create IAM users: (aws_iam_user.user_1)"] with input as inp
+}

plan/dont-allow-resource-type_test.rego

@@ -0,0 +1,10 @@
+package spacelift
+
+# Test case for denying creation of resource type.
+test_deny_creation_of_resource_type {
+	deny["Static AWS credentials are evil (aws_iam_access_key.key_1)"] with input as {"terraform": {"resource_changes": [{
+		"address": "aws_iam_access_key.key_1",
+		"type": "aws_iam_access_key",
+		"change": {"actions": ["create"]},
+	}]}}
+}

plan/enforce-cloud-provider_test.rego

@@ -0,0 +1,21 @@
+package spacelift
+
+# Test case for denying creation of aws resources.
+test_deny_creation_of_aws_resource {
+	deny["We have moved to GCP, find an equivalent there (aws_iam_access_key.key_1)"] with input as {"terraform": {"resource_changes": [{
+		"address": "aws_iam_access_key.key_1",
+		"type": "aws_iam_access_key",
+		"change": {"actions": ["create"]},
+		"provider_name": "aws",
+	}]}}
+}
+
+# Test case for allowing deletion of aws resources.
+test_allow_deletion_of_aws_resource {
+	inp := {"terraform": {"resource_changes": [{
+		"address": "aws_iam_access_key.key_1",
+		"type": "aws_iam_access_key",
+		"change": {"actions": ["update"]},
+	}]}}
+	count(deny) == 0 with input as inp
+}

plan/enforce-module-use-policy_test.rego

@@ -0,0 +1,37 @@
+package spacelift
+
+# Test case for denying creation of controlled resource type.
+test_deny_creation_of_controlled_resource_type {
+	deny["Resource 'aws_s3_bucket.bucket_1' cannot be created directly. Module(s) 'terraform-aws-modules/s3-bucket/aws' must be used instead"] with input as {"terraform": {"resource_changes": [{
+		"address": "aws_s3_bucket.bucket_1",
+		"type": "aws_s3_bucket",
+		"change": {"actions": ["create"]},
+	}]}}
+}
+
+# Test case for update creation of controlled resource type.
+test_deny_update_of_controlled_resource_type {
+	deny["Resource 'aws_s3_bucket.bucket_1' cannot be created directly. Module(s) 'terraform-aws-modules/s3-bucket/aws' must be used instead"] with input as {"terraform": {"resource_changes": [{
+		"address": "aws_s3_bucket.bucket_1",
+		"type": "aws_s3_bucket",
+		"change": {"actions": ["update"]},
+	}]}}
+}
+
+# Test case for allowing deletion of controlled resource type.
+test_allow_deletion_of_controlled_resource_type {
+	count(deny) == 0 with input as {"terraform": {"resource_changes": [{
+		"address": "aws_s3_bucket.bucket_1",
+		"type": "aws_s3_bucket",
+		"change": {"actions": ["delete"]},
+	}]}}
+}
+
+# Test case for allowing creation of uncontrolled resource type.
+test_allow_creation_of_uncontrolled_resource_type {
+	count(deny) == 0 with input as {"terraform": {"resource_changes": [{
+		"address": "aws_ecs_cluster.one",
+		"type": "aws_ecs_cluster",
+		"change": {"actions": ["create"]},
+	}]}}
+}

plan/enforce-password-length_test.rego

@@ -0,0 +1,37 @@
+package spacelift
+
+# Test case for denying creation of a password with less than 16 characters.
+test_deny_creation_of_password_with_less_than_16_characters {
+	deny["We require that passwords have at least 16 characters (random_password.password_1)"] with input as {"terraform": {"resource_changes": [{
+		"address": "random_password.password_1",
+		"type": "random_password",
+		"change": {
+			"actions": ["create"],
+			"after": {"length": 1},
+		},
+	}]}}
+}
+
+# Test case for warning creation of a password between 16 and 20 characters.
+test_warn_creation_of_password_between_16_and_20_characters {
+	warn["We advise that passwords have at least 20 characters (random_password.password_1)"] with input as {"terraform": {"resource_changes": [{
+		"address": "random_password.password_1",
+		"type": "random_password",
+		"change": {
+			"actions": ["create"],
+			"after": {"length": 18},
+		},
+	}]}}
+}
+
+# Test case for allowing creation of a password longer than 20 characters.
+test_allow_creation_of_password_longer_than_20_characters {
+	count(warn) == 0 with input as {"terraform": {"resource_changes": [{
+		"address": "random_password.password_1",
+		"type": "random_password",
+		"change": {
+			"actions": ["create"],
+			"after": {"length": 21},
+		},
+	}]}}
+}

plan/enforce-tags-on-resources_test.rego

@@ -0,0 +1,44 @@
+package spacelift
+
+# Test case for denying creation of a resource with no enforced tags.
+test_deny_creation_of_resource_with_no_enforced_tags {
+	deny["resource \"random_password.password_1\" does not have all suggested tags (Name, env, owner)"] with input as {"terraform": {"resource_changes": [{
+		"address": "random_password.password_1",
+		"type": "random_password",
+		"change": {
+			"actions": ["create"],
+			"after": {"tags_all": [{"test": "test"}]},
+		},
+	}]}}
+}
+
+# Test case for allowing creation of a resource with enforced tags.
+test_allow_creation_of_resource_with_enforced_tags {
+	count(deny) == 0 with input as {"terraform": {"resource_changes": [{
+		"address": "random_password.password_1",
+		"type": "random_password",
+		"change": {
+			"actions": ["create"],
+			"after": {"tags_all": {
+				"Name": "name",
+				"env": "testing",
+				"owner": "spacelift.io",
+			}},
+		},
+	}]}}
+}
+
+# Test case for allowing creation of a resource with partial enforced tags.
+test_allow_creation_of_resource_with_partial_enforced_tags {
+	deny["resource \"random_password.password_1\" does not have all suggested tags (env)"] with input as {"terraform": {"resource_changes": [{
+		"address": "random_password.password_1",
+		"type": "random_password",
+		"change": {
+			"actions": ["create"],
+			"after": {"tags_all": {
+				"Name": "name",
+				"owner": "spacelift.io",
+			}},
+		},
+	}]}}
+}

plan/ensure-resource-creation-before-deletion_test.rego

@@ -0,0 +1,19 @@
+package spacelift
+
+# Test case for denying resources with a certain resource type that will be deleted before created.
+test_deny_non_create_before_destroy_lifecycle {
+	deny["Always create before deleting (aws_batch_compute_environment.test_1)"] with input as {"terraform": {"resource_changes": [{
+		"address": "aws_batch_compute_environment.test_1",
+		"type": "aws_batch_compute_environment",
+		"change": {"actions": ["delete", "create"]},
+	}]}}
+}
+
+# Test case for allowing resources with a certain resource type that will be created before deleted.
+test_allow_create_before_destroy_lifecycle {
+	count(deny) == 0 with input as {"terraform": {"resource_changes": [{
+		"address": "aws_batch_compute_environment.test_1",
+		"type": "aws_batch_compute_environment",
+		"change": {"actions": ["create", "delete"]},
+	}]}}
+}

plan/infracost-monthly-cost-restriction_test.rego

@@ -0,0 +1,21 @@
+package spacelift
+
+# Test case for denying when monthly estimated cost exceeds a certain threshold.
+test_deny_infracost_monthly_cost_exceeds_threshold {
+	deny["monthly cost greater than $100 ($101.00)"] with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 101.00}}]}}}
+}
+
+# Test case for not denying when monthly estimated cost is below a certain threshold.
+test_not_deny_infracost_monthly_cost_is_below_threshold {
+	count(deny) == 0 with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 99.00}}]}}}
+}
+
+# Test case for warning when monthly costs increased more than a certain percentage.
+test_warn_infracost_monthly_cost_increase_percentage_exceeds_threshold {
+	warn["monthly cost increase greater than 5% (395.05%)"] with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 5.00}, "pastBreakdown": {"totalMonthlyCost": 1.01}}]}}}
+}
+
+# Test case for not warning when monthly costs increased less than a certain percentage.
+test_not_warn_infracost_monthly_cost_increase_percentage_does_not_exceed_threshold {
+	count(warn) == 0 with input as {"third_party_metadata": {"infracost": {"projects": [{"breakdown": {"totalMonthlyCost": 40.10}, "pastBreakdown": {"totalMonthlyCost": 40.00}}]}}}
+}

plan/kics-severity-counter_test.rego

@@ -0,0 +1,21 @@
+package spacelift
+
+# Test case for warning with severity counters.
+test_warn_severity_counters {
+	warn["You have: 1 info issues, 2 low issues, 3 medium issues"] with input as {"third_party_metadata": {"custom": {"kics": {"severity_counters": {
+		"INFO": 1,
+		"LOW": 2,
+		"MEDIUM": 3,
+		"HIGH": 0,
+	}}}}}
+}
+
+# Test case for denying with high severity issues.
+test_deny_for_high_severity_issue {
+	deny["The number of violated policies 10 is higher than the threshold 0"] with input as {"third_party_metadata": {"custom": {"kics": {"severity_counters": {
+		"INFO": 1,
+		"LOW": 2,
+		"MEDIUM": 3,
+		"HIGH": 10,
+	}}}}}
+}

plan/require-human-review-for-drift-detection-reconciliation_test.rego

@@ -0,0 +1,17 @@
+package spacelift
+
+# Test case for drift reconciliation runs requiring manual approval
+test_warn_drift_reconciliation_runs_requires_manual_approval {
+	warn["Drift reconciliation requires manual approval"] with input as {"spacelift": {"run": {
+		"drift_detection": true,
+		"type": "TRACKED",
+	}}}
+}
+
+# Test case for non drift reconciliation requiring manual approval
+test_non_drift_reconciliation_runs_require_no_manual_approval {
+	count(warn) == 0 with input as {"spacelift": {"run": {
+		"drift_detection": false,
+		"type": "TRACKED",
+	}}}
+}

plan/require-human-review-for-unreachable-ansible-hosts_test.rego

@@ -0,0 +1,13 @@
+package spacelift
+
+# Test case for warning when some ansible hosts were unreachable.
+test_warn_ansible_host_are_unreachable {
+	warn["Some hosts were unreachable"] with input as {"ansible": {"dark": {"test": true}}}
+}
+
+#
+
+# Test case for no warning when all ansible hosts were reachable.
+test_no_warn_all_ansible_host_are_reachable {
+	count(warn) == 0 with input as {"ansible": {"dark": {}}}
+}