Tags: open-policy-agent, conftest

conftest verify is unexpectedly passing


Running conftest verify resulted in a pass even though the rule should have failed at db.storage_encrypted != true. What am I missing here?

# deny.rego
deny_unencrypted[msg] {
  db := input.resource.aws_db_instance[x]
  db.storage_encrypted != true # should fail here
  msg = sprintf("RDS `%v` has unencrypted storage", [x])
}

# deny_test.rego
test_unencrypted {
  cfg := parse_config("hcl2", `
    resource "aws_db_instance" "default" {
      storage_encrypted = true
    }
  `)

  deny_unencrypted with input as cfg
}

Solution

  • The deny_unencrypted rule creates a set, and even empty sets are "truthy", so this expression is going to be true regardless of input:

    deny_unencrypted with input as cfg
    

    What you probably want to do is something like:

    count(deny_unencrypted) > 0 with input as cfg

    # or, if you're looking to test that no violations happened:
    count(deny_unencrypted) == 0 with input as cfg


    Or even take the expected message into account:

    deny_unencrypted["RDS `default` has unencrypted storage"] with input as cfg


    You'd need to set storage_encrypted = false in your mock data for that test to work though.
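The following is an added example, not code from the question or the answer above: a complete deny.rego and deny_test.rego pair (two files, split at the `# deny_test.rego` comment) that exercises both outcomes with `count(...)` and with the expected message, and also covers a case the original rule misses. It assumes conftest's default `main` namespace and the built-in `hcl2` parser; the resource attribute `allocated_storage` in the third fixture is only there as a constructed placeholder so that `storage_encrypted` is absent. Because `db.storage_encrypted != true` is undefined when the attribute is missing, the original rule produces no violation for such a resource; the `deny_unencrypted_or_unset` variant shown here uses `not db.storage_encrypted`, which is true both for `false` and for an absent attribute.

```rego
# deny.rego  (added example; assumes conftest's default "main" namespace)
package main

# Rule as written in the question: fires only when storage_encrypted is
# present and not equal to true.
deny_unencrypted[msg] {
  db := input.resource.aws_db_instance[name]
  db.storage_encrypted != true
  msg := sprintf("RDS `%v` has unencrypted storage", [name])
}

# Hardened variant: `not db.storage_encrypted` also holds when the attribute
# is absent, so an omitted storage_encrypted is reported as well.
deny_unencrypted_or_unset[msg] {
  db := input.resource.aws_db_instance[name]
  not db.storage_encrypted
  msg := sprintf("RDS `%v` does not set storage_encrypted = true", [name])
}

# deny_test.rego  (second file, same package)
package main

# Constructed fixtures parsed with conftest's built-in hcl2 parser.
encrypted_cfg := parse_config("hcl2", `
  resource "aws_db_instance" "default" {
    storage_encrypted = true
  }
`)

unencrypted_cfg := parse_config("hcl2", `
  resource "aws_db_instance" "default" {
    storage_encrypted = false
  }
`)

# storage_encrypted deliberately omitted; allocated_storage is a placeholder.
unset_cfg := parse_config("hcl2", `
  resource "aws_db_instance" "default" {
    allocated_storage = 20
  }
`)

# A bare set reference is truthy even when the set is empty, so assert on
# the count rather than on the set itself.
test_encrypted_has_no_violations {
  count(deny_unencrypted) == 0 with input as encrypted_cfg
}

# Membership check on the exact expected message.
test_unencrypted_is_denied {
  deny_unencrypted["RDS `default` has unencrypted storage"] with input as unencrypted_cfg
}

# `!= true` is undefined when the attribute is missing: the original rule
# stays silent for this resource.
test_unset_slips_past_original_rule {
  count(deny_unencrypted) == 0 with input as unset_cfg
}

test_unset_caught_by_hardened_rule {
  count(deny_unencrypted_or_unset) == 1 with input as unset_cfg
}
```

Run `conftest verify -p <dir>` with `<dir>` containing both files; all four tests pass, and changing `test_encrypted_has_no_violations` back to a bare `deny_unencrypted with input as encrypted_cfg` still passes, which is exactly the false positive the question ran into.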