Merge pull request #8 from pingidentity/PDI-2053-example-opa-policies

Add policy example

Author: PingDavidR

.gitignore

@@ -1,3 +1,4 @@
+# Miscellaneous local files
 terraform.tfvars
 *.bak
 *.local
@@ -8,6 +9,7 @@ generated
 imports.tf
 generated-platform.tf
 global.js
+**/.DS_Store
 
 # Local .terraform directories
 **/.terraform/*
@@ -22,13 +24,18 @@ global.js
 crash.log
 crash.*.log
 
-# Exclude all .tfvars files, which are likely to contain sentitive data, such as
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
 # password, private keys, and other secrets. These should not be part of version
 # control as they are data points which are potentially sensitive and subject
 # to change depending on the environment.
 #
 *.tfvars
 
+# Ignore plan files and the json plan output
+# Used by OPA policies
+**/plan.tfplan
+**/plan.json
+
 # Ignore override files as they are usually used to override resources locally and so
 # are not checked in
 override.tf

README.md

@@ -29,9 +29,11 @@ To be successful in recreating the use cases supported by this pipeline, there a
 
 - Completion of all pre-requisites and configuration steps leading to [Feature Development](https://github.com/pingidentity/pipeline-example-platform?tab=readme-ov-file#feature-development) from the example-pipeline-platform repository
 - [Docker](https://docs.docker.com/engine/install/) - used to deploy the UI for a sample interface
-- [tflint](https://github.com/terraform-linters/tflint) - for Terraform linting
-- [dvlint](https://github.com/pingidentity/dvlint) - for Davinci flow linting
-- [trivy](https://github.com/aquasecurity/trivy) - for security scanning
+- [terraform](https://developer.hashicorp.com/terraform/install) - HashiCorp Terraform (version 1.9.8 was used in this guide)
+- [opa](https://www.openpolicyagent.org/docs/latest/#running-opa) - Open Policy Agent (version 0.70.0 was used in this guide)
+- [tflint](https://github.com/terraform-linters/tflint) - for Terraform linting (version 0.53.0 was used in this guide)
+- [dvlint](https://github.com/pingidentity/dvlint) - for Davinci flow linting (version 1.0.3 was used in this guide)
+- [trivy](https://github.com/aquasecurity/trivy) - for security scanning (version 0.56.2 was used in this guide)
 
 > [!TIP]
 > The last three tools are used by the pipeline in Github, and the pipeline will fail if these tests and configuration checks do not pass. Installing these tools locally and running `make devcheck` before committing changes should ensure that the pipeline will pass when changes are pushed.
@@ -237,7 +239,7 @@ Terraform will perform the following actions:
       ~ flow_export_json        = (sensitive value)
       ~ flow_json               = (sensitive value)
       id                      = "a6d551f1d7aa2612f2bf6c371b0026e1"
-        name                    = "PingOne DaVinci Registration Example"
+        name                    = "AppTeam PingOne DaVinci Registration Example"
         # (4 unchanged attributes hidden)
 
         # (3 unchanged blocks hidden)

opa/policies/davinci_flow.rego

@@ -0,0 +1,33 @@
+package terraform.davinci
+
+import data.terraform.flow_checks as flow_checks
+import rego.v1
+
+# Retrieve all relevant flows with the "create" action
+relevant_flows := flow_checks.get_relevant_flows("create")
+
+# Check if `deploy` is true for all relevant flows
+deploy_true if {
+    print("Checking if deploy is true for all relevant flows:", relevant_flows)
+    flow_checks.deploy_is_true_for_all(relevant_flows)
+}
+
+# Check if all flow names start with "AppTeam"
+name_starts_with_AppTeam if {
+    print("Checking if all relevant flows start with 'AppTeam':", relevant_flows)
+    flow_checks.name_starts_with_prefix(relevant_flows, "AppTeam")
+}
+
+# Deny if `deploy` is not true for all flows
+deny[msg] if {
+    not deploy_true
+    msg := "All 'davinci_flow' resources must have 'deploy' set to true."
+    print("Deny triggered for deploy:", msg)  # Debugging output
+}
+
+# Deny if any flow name does not start with "AppTeam"
+deny[msg] if {
+    not name_starts_with_AppTeam
+    msg := "All 'davinci_flow' resources must have names starting with 'AppTeam'."
+    print("Deny triggered for name prefix:", msg)  # Debugging output
+}

opa/policies/davinci_flow_test.rego

@@ -0,0 +1,66 @@
+package terraform.davinci
+
+import data.terraform.davinci
+import rego.v1
+
+# Mock data for testing the `deny` rules
+input_all_pass := {
+    "resource_changes": [
+        {
+            "type": "davinci_flow",
+            "change": {
+                "actions": ["create"],
+                "after": {
+                    "deploy": true,
+                    "name": "AppTeam Registration Flow"
+                }
+            }
+        }
+    ]
+}
+
+input_deploy_fail := {
+    "resource_changes": [
+        {
+            "type": "davinci_flow",
+            "change": {
+                "actions": ["create"],
+                "after": {
+                    "deploy": false,
+                    "name": "AppTeam Registration Flow"
+                }
+            }
+        }
+    ]
+}
+
+input_name_prefix_fail := {
+    "resource_changes": [
+        {
+            "type": "davinci_flow",
+            "change": {
+                "actions": ["create"],
+                "after": {
+                    "deploy": true,
+                    "name": "NonAppTeam Registration Flow"  # Should fail because name does not start with "AppTeam"
+                }
+            }
+        }
+    ]
+}
+
+# Test where all conditions pass
+test_all_conditions_pass if {
+    davinci.deny with input as input_all_pass  # Expect no deny messages
+}
+
+
+# Test where `deploy` fails
+test_deploy_fail if {
+    davinci.deny with input as input_deploy_fail  # Expect a deny message because deploy is false
+}
+
+# # Test where name prefix fails
+test_name_prefix_fail if {
+    davinci.deny with input as input_name_prefix_fail  # Expect a deny message because name does not start with "AppTeam"
+}

opa/policies/flow_checks.rego

@@ -0,0 +1,40 @@
+package terraform.flow_checks
+
+import data.terraform.library
+import rego.v1
+
+# Retrieve `davinci_flow` resources with a specific action (e.g., "create")
+get_relevant_flows(action) = flows if {
+    flows := [flow |
+        flow := library.get_resources_by_type_and_action("davinci_flow", action)[_];
+        is_object(flow.change.after)  # Ensure `after` is an object
+    ]
+    # print("Relevant flows retrieved with action:", action, "flows:", flows)  # Debugging output
+}
+
+# Check if `deploy` is true for all flows in the input list
+deploy_is_true_for_all(flows) if {
+    print("Checking deploy field for each relevant flow.")
+    all_true := [flow |
+        flow := flows[_];
+        deploy_value := object.get(flow.change.after, "deploy", false)
+        # print("Flow deploy value:", deploy_value)  # Print the actual deploy value for each flow
+        # print("Deploy value is boolean?", is_boolean(deploy_value))  # Debugging output
+        deploy_value == true
+    ]
+    # print("Flows with deploy set to true:", all_true)  # Debugging output
+    # print("Count of flows with deploy true:", count(all_true))
+    # print("Total number of flows:", count(flows))
+    count(all_true) == count(flows)
+    # print("Does count(all_true) == count(flows)?", count(all_true) == count(flows))  # Debugging output
+}
+
+# Check if all flow names start with a given prefix
+name_starts_with_prefix(flows, prefix) if {
+    all_prefixed := [flow |
+        flow := flows[_];
+        startswith(flow.change.after.name, prefix)
+    ]
+    # print("Flows with names starting with prefix:", prefix, "flows:", all_prefixed)  # Debugging output
+    count(all_prefixed) == count(flows)
+}

opa/policies/library.rego

@@ -0,0 +1,31 @@
+package terraform.library
+
+import rego.v1
+
+# Importing resources from input for readability
+import input.resource_changes as resources
+
+# Get resources by type
+get_resources_by_type(type) = filtered_resources if {
+    filtered_resources := [resource | resource := resources[_]; resource.type == type]
+}
+
+# Get resources by action
+get_resources_by_action(action) = filtered_resources if {
+    filtered_resources := [resource | resource := resources[_]; action in resource.change.actions]
+}
+
+# Get resources by type and action
+get_resources_by_type_and_action(type, action) = filtered_resources if {
+    filtered_resources := [resource | resource := resources[_]; resource.type == type; action in resource.change.actions]
+}
+
+# Get resource by name
+get_resource_by_name(resource_name) = filtered_resources if {
+    filtered_resources := [resource | resource := resources[_]; resource.name == resource_name]
+}
+
+# Get resource by type and name
+get_resource_by_type_and_name(type, resource_name) = filtered_resources if {
+    filtered_resources := [resource | resource := resources[_]; resource.type == type; resource.name == resource_name]
+}

terraform/customer_simple_registration.tf

@@ -32,7 +32,7 @@ resource "davinci_flow" "registration_flow" {
 # {@link https://registry.terraform.io/providers/pingidentity/davinci/latest/docs/resources/application}
 
 resource "davinci_application" "registration_flow_app" {
-  name           = "PingOne DaVinci Registration Example"
+  name           = "AppTeam PingOne DaVinci Registration Example"
   environment_id = var.pingone_target_environment_id
   depends_on     = [data.davinci_connections.read_all]
   oauth {

terraform/davinci_flows/davinci-widget-reg-authn-flow.json

@@ -22,7 +22,7 @@
   },
   "isInputSchemaSaved": false,
   "isOutputSchemaSaved": false,
-  "name": "PingOne DaVinci Registration Example",
+  "name": "AppTeam PingOne DaVinci Registration Example",
   "publishedVersion": 4,
   "settings": {
     "csp": "worker-src 'self' blob:; script-src 'self' https://cdn.jsdelivr.net https://code.jquery.com https://devsdk.singularkey.com http://cdnjs.cloudflare.com 'unsafe-inline' 'unsafe-eval';",
@@ -616,7 +616,7 @@
             "nodeType": "ANNOTATION",
             "properties": {
               "annotation": {
-                "value": "PingOne DaVinci Registration Example"
+                "value": "AppTeam PingOne DaVinci Registration Example"
               },
               "annotationTextColor": {
                 "value": "#ffffffff"