conftest verify is unexpectedly passing

127 Views Asked by Gerald At 09 May 2023 at 13:19

Running conftest verify resulted in a pass even though the rule should have failed at db.storage_encrypted != true. What am I missing here?

# deny.rego
deny_unencrypted[msg] {
  db := input.resource.aws_db_instance[x]
  db.storage_encrypted != true # should fail here
  msg = sprintf("RDS `%v` has unencrypted storage", [x])
}

# deny_test.rego
test_unencrypted {
  cfg := parse_config("hcl2", `
    resource "aws_db_instance" "default" {
      storage_encrypted = true
    }
  `)

   deny_unencrypted with input as cfg
}

Original Q&A

There are 1 best solutions below

Devoops On 09 May 2023 at 14:41 BEST ANSWER

The deny_unencrypted rule creates a set, and even empty sets are "truthy", so this expression is going to be true regardless of input:

deny_unencrypted with input as cfg

What you probably want to do is something like:

count(deny_unencrypted) > 0 with input as cfg

# or 

count(deny_unencrypted) == 0 with input as cfg

# if you're looking to test that no violations happened

Or even take the expected message into account:

deny_unencrypted["RDS `default` has unencrypted storage"] with cfg as input

You'd need to set storage_encrypted = false in your mock data for that test to work though.

conftest verify is unexpectedly passing

There are 1 best solutions below

Related Questions in OPEN-POLICY-AGENT

Related Questions in CONFTEST

Trending Questions

Popular # Hahtags

Popular Questions