Running `conftest verify` resulted in a pass even though the rule should have failed at `db.storage_encrypted != true`. What am I missing here?
```rego
# deny.rego
package main  # package declaration needed to load the file; main is conftest's default namespace

deny_unencrypted[msg] {
    db := input.resource.aws_db_instance[x]
    db.storage_encrypted != true # should fail here
    msg = sprintf("RDS `%v` has unencrypted storage", [x])
}
```
```rego
# deny_test.rego
package main  # must match the package of deny.rego

test_unencrypted {
    cfg := parse_config("hcl2", `
resource "aws_db_instance" "default" {
  storage_encrypted = true
}
`)
    deny_unencrypted with input as cfg
}
```
The `deny_unencrypted` rule creates a set, and even empty sets are "truthy", so this expression is going to be true regardless of input:

```rego
deny_unencrypted with input as cfg
```
What you probably want to do is something like:
```rego
count(deny_unencrypted) > 0 with input as cfg
# or
count(deny_unencrypted) == 0 with input as cfg
# if you're looking to test that no violations happened
```
Or even take the expected message into account:
```rego
deny_unencrypted["RDS `default` has unencrypted storage"] with input as cfg
```
You'd need to set `storage_encrypted = false` in your mock data for that test to work though.
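Putting the answer's suggestions together, here is a complete test file as an added example (not the poster's code or the answer's own). It assumes both files declare `package main`, conftest's default namespace, and that `parse_config` is available as it is under `conftest verify`; the mock HCL is constructed for the example.

```rego
# deny_test.rego (added example; assumes deny.rego is in package main)
package main

# Constructed mock input: an RDS instance with unencrypted storage.
unencrypted_cfg := parse_config("hcl2", `
resource "aws_db_instance" "default" {
  storage_encrypted = false
}
`)

# Constructed mock input: the same instance with encryption enabled.
encrypted_cfg := parse_config("hcl2", `
resource "aws_db_instance" "default" {
  storage_encrypted = true
}
`)

# The rule must produce at least one violation for unencrypted storage.
# Checking count() avoids the "empty set is truthy" trap from the question.
test_unencrypted_denied {
    count(deny_unencrypted) > 0 with input as unencrypted_cfg
}

# The violation carries the expected message for the offending resource.
test_unencrypted_message {
    deny_unencrypted["RDS `default` has unencrypted storage"] with input as unencrypted_cfg
}

# No violation is reported when storage is encrypted.
test_encrypted_allowed {
    count(deny_unencrypted) == 0 with input as encrypted_cfg
}
```

Running `conftest verify` in the directory holding both files executes all three tests; the first and third would both pass with the original bare-set check, which is why that check could not detect the bug.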