0

Running conftest verify resulted in a pass even though the rule should have failed at db.storage_encrypted != true. What am I missing here?

# deny.rego
deny_unencrypted[msg] {
  db := input.resource.aws_db_instance[x]
  db.storage_encrypted != true # should fail here
  msg = sprintf("RDS `%v` has unencrypted storage", [x])
}

# deny_test.rego
test_unencrypted {
  cfg := parse_config("hcl2", `
    resource "aws_db_instance" "default" {
      storage_encrypted = true
    }
  `)

   deny_unencrypted with input as cfg
}
Gerald
  • 567
  • 1
  • 10
  • 17

1 Answers1

0

The deny_unencrypted rule creates a set, and even empty sets are "truthy", so this expression is going to be true regardless of input:

deny_unencrypted with input as cfg

What you probably want to do is something like:

count(deny_unencrypted) > 0 with input as cfg

# or 

count(deny_unencrypted) == 0 with input as cfg

# if you're looking to test that no violations happened

Or even take the expected message into account:

deny_unencrypted["RDS `default` has unencrypted storage"] with cfg as input

You'd need to set storage_encrypted = false in your mock data for that test to work though.

Devoops
  • 2,018
  • 8
  • 21
  • 1
    "The deny_unencrypted rule creates a set, and even empty sets are "truthy", so this expression is going to be true regardless of input:" Now this makes sense. Testing for the number of items in the set seems to be a much better practice to check for violation. – Gerald May 10 '23 at 09:39