Policy based on variable value

[JannoTjarks]

Hi :)

Currently i am working on a policy which will check the value of a variable. Just like the validation block of terraform/opentofu variable.

The policy would be helpful to have a central place for this kind of validation.

But for now... im not able to find the correct syntax. I understood, that i have to use the function terraform.variables(). But how can i access the value of a specific variable? For example, how can i get the value of a variable called location:
location = "germanaywestcentral".

Thanks! I really appreciate all the work you are doing here!

[wata727]

Hi janno! Thank you for your contributions to the Azure ruleset.

how can i access the value of a specific variable?

Are you talking about input variables or local values? In the former case you can use terraform.variables function, but in the latter case you can use terraform.locals.

[JannoTjarks]

Hi @wata727, you're welcome!
Thanks also to you!
We configured already a policy to enforce our tagging. That works really good!

Currently i am looking for input variables. I found the documentation about the function, but i don't get it 🫠

We have a variable called location:

variable "location" {
  type = string
}

Now I want to check, if the input is one of our allowed regions, e.g. "germanywestcentral".

What would be the pattern to get the value of the variable for the check? Do I have to set a dedicated schema?

Sorry, it's my first time working with OPA.

[bendrucker]

Now I want to check, if the input is...

You can't do this directly.

1. You can get the variable block to check if the default is an allowed value. You can't get variable values.
2. You can also check some block that references this variable. You can use terraform.providers to find your azurerm provider and assert its location attribute.

This is not so much an OPA thing as how rules work in general. You'd find the same behavior in the normal Go rulesets too. TFLint has a -var flag among other options. And then it handles creating the evaluation context including any variables, which rules use to evaluate attribute expressions that they want to assert on. Rules never get to "see" variable values, they just evaluate expressions of interest on a context that they cannot access directly. And TFLint evaluates a var.foo expression by fetching the value from its internal map.

This is because the variables are not the actual runtime inputs to apply the configuration as they are in Terraform. They are just example/placeholder values to help evaluate expressions that would otherwise be unknown.

If you want true policy enforcement with OPA, use it on your Terraform plans:

https://www.openpolicyagent.org/docs/latest/terraform/

There you'll face a similar situation around asserting outputs not inputs. You can write rules against configuration.provider_config or anything else using the variable. Variables values are an input to terraform plan but not part of the output.

[JannoTjarks]

@bendrucker thank you for the quick response. Now it is clear!

I will take a look into the terraform integration of OPA in our Quality Gate Pipeline.