### Install Conftest Plugin Source: https://www.conftest.dev/plugins Installs a Conftest plugin from a given URL. The plugin is downloaded and cached according to XDG specifications. It supports various protocols including Git, HTTP/S, and cloud storage. ```bash conftest plugin install github.com/open-policy-agent/conftest//contrib/plugins/kubectl ``` -------------------------------- ### Custom Documentation Template Example Source: https://www.conftest.dev/documentation This Go template example shows how to iterate over annotations grouped by package or rule path. It demonstrates accessing annotation fields like 'Path' and 'Annotations' to create custom documentation outputs. ```go-template {{ range . -}} {{ .Path }} has annotations {{ .Annotations }} {{ end -}} ``` -------------------------------- ### Example Input Files for --combine Flag Source: https://www.conftest.dev/options Example YAML files used with the Conftest --combine flag. 'manifests.yaml' contains both a Service and a Deployment, demonstrating how Conftest processes multiple resource types from a single input. ```yaml apiVersion: v1 kind: Service metadata: name: hello-kubernetes spec: type: LoadBalancer ports: - port: 80 targetPort: 8080 selector: app: goodbye-kubernetes --- apiVersion: apps/v1 kind: Deployment metadata: name: hello-kubernetes spec: replicas: 3 selector: matchLabels: app: hello-kubernetes ``` -------------------------------- ### Rego Example: Kubernetes Deployment Root Exception Source: https://www.conftest.dev/exceptions Provides a Rego example demonstrating how to create an exception for a specific Kubernetes deployment. It defines a deny rule for running as root and an exception that exempts the 'can-run-as-root' deployment from the 'run_as_root' rule. ```rego package main deny_run_as_root contains msg if { input.kind == "Deployment" not input.spec.template.spec.securityContext.runAsNonRoot msg := "Containers must not run as root" } exception contains rules if { input.kind == "Deployment" input.metadata.name == "can-run-as-root" rules := ["run_as_root"] } ``` -------------------------------- ### Conftest Configuration File Example Source: https://www.conftest.dev/options An example of a conftest.toml configuration file. This file allows overriding default settings for policy directories and namespaces. It is read from the working directory. ```toml # You can override the directory in which to store and look for policies policy = "tests" # You can override the namespace which to search for rules namespace = "conftest" ``` -------------------------------- ### Policy Data Import Example Source: https://www.conftest.dev/options Example of importing data from a YAML file into a Rego policy. The 'services.yaml' file defines a 'services' structure with a 'ports' list, which is then accessible as 'data.services.ports' within the policy. ```rego import data.services ports := services.ports ``` -------------------------------- ### Conftest Test Command Examples Source: https://www.conftest.dev/index Demonstrates how to use the 'conftest test' command to evaluate policies against a YAML file, both directly and via standard input. It shows the expected output for failing tests. ```bash $ conftest test deployment.yaml FAIL - deployment.yaml - Containers must not run as root FAIL - deployment.yaml - Containers must provide app label for pod selectors 2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions ``` ```bash $ cat deployment.yaml | conftest test - FAIL - Containers must not run as root FAIL - Containers must provide app label for pod selectors 2 tests, 0 passed, 0 warnings, 2 failures, 0 exceptions ``` -------------------------------- ### Use Conftest Kubectl Plugin Source: https://www.conftest.dev/plugins Executes the installed kubectl plugin to audit Kubernetes deployments against specified policies. The plugin interacts with the kubectl binary to fetch deployment information and then uses Conftest for policy evaluation. ```bash conftest kubectl deployment --policy examples/kubernetes/policy ``` -------------------------------- ### Conftest Verify Command for Policy Testing Source: https://www.conftest.dev/index The `conftest verify` command is used to execute policy tests. This example shows how to run verification for policies located in the './policy' directory. ```bash conftest verify --policy ./policy ``` -------------------------------- ### Conftest Command with --config-file Source: https://www.conftest.dev/options Example command demonstrating the use of the --config-file option in Conftest. This command specifies a custom configuration file and runs tests against a deployment YAML, using a specific policy directory. ```bash conftest -c examples/configfile/conftest.toml test -p examples/configfile/test examples/configfile/deployment.yaml ``` -------------------------------- ### Policy Module with Metadata Source: https://www.conftest.dev/documentation This example showcases a policy module with different levels of metadata. It includes package-level metadata ('scope', 'organizations') and rule-level metadata ('title'). This structure is used for generating documentation. ```rego # METADATA # scope: subpackages # organizations: # - Acme Corp. package foo --- # METADATA # description: A couple of useful rules package foo.bar # METADATA # title: My Rule P p := 7 ``` -------------------------------- ### Conftest Policy Example in Rego Source: https://www.conftest.dev/index A basic Rego policy defining a 'deny' rule that generates a violation object. This policy is intended to be used with Conftest for policy evaluation. ```rego package main deny contains violation if { # ... other logic violation := { "msg": "Violation for some reason.", "metadata_abc": 123, "metadata_xyz": true, "_loc": { "file": "foo.txt", "line": 99999, }, } } ``` -------------------------------- ### Conftest Plugin Definition (plugin.yaml) Source: https://www.conftest.dev/plugins Defines a Conftest plugin using a YAML file. It includes metadata like name, version, usage, description, and the command to execute. Executables should be placed alongside this file. ```yaml name: "kubectl" version: "0.1.0" usage: conftest kubectl (TYPE[.VERSION][.GROUP] [NAME] | TYPE[.VERSION][.GROUP]/NAME). description: |- A Kubectl plugin for using Conftest to test objects in Kubernetes using Open Policy Agent. Usage: conftest kubectl (TYPE[.VERSION][.GROUP] [NAME] | TYPE[.VERSION][.GROUP]/NAME). command: $CONFTEST_PLUGIN_DIR/kubectl-conftest.sh ``` -------------------------------- ### Conftest Command with --data Flag Source: https://www.conftest.dev/options Example command showcasing the --data flag in Conftest. This command runs policy tests, specifying a policy directory and one or more data files (exclusions and service.yaml) that the policies can reference. ```bash conftest test -p examples/data/policy -d examples/data/exclusions examples/data/service.yaml ``` -------------------------------- ### Rego Policy with Metadata Source: https://www.conftest.dev/index An example of a Rego policy that returns structured data, including custom metadata, for violations. This allows for richer error reporting when using the JSON outputter. ```rego # policy.json package main deny contains violation if { # ... other logic violation := { "msg": "Violation for some reason.", "metadata_abc": 123, "metadata_xyz": true, } } ``` -------------------------------- ### Rego Unit Test with Input Override Source: https://www.conftest.dev/index An example of a Rego unit test using the `with` keyword to override the `input` document. This allows for testing policies against specific input scenarios without modifying the main input. ```rego test_foo if { input := { "abc": 123, "foo": ["bar", "baz"], } deny with input as input } ``` -------------------------------- ### Conftest Trace to stderr with Table Output Source: https://www.conftest.dev/debug This example demonstrates how to use the `--trace` flag with `--output=table`. The trace information is sent to standard error (stderr), while the formatted table output is sent to standard output (stdout). This is useful for debugging purposes without interfering with the primary output. ```bash # Output trace to stderr and table format to stdout $ conftest test --trace --output=table deployment.yaml ``` ```bash # Capture trace output to a file while viewing table output $ conftest test --trace --output=table deployment.yaml 2>trace.log ``` -------------------------------- ### Conftest Command with --ignore Flag Source: https://www.conftest.dev/options Examples of using the --ignore flag with Conftest to exclude specific files or directories from testing. The flag accepts a regular expression pattern for matching paths. ```bash conftest test -p examples/test/ test/ --ignore="parent/" conftest test -p examples/test/ test/ --ignore="child/" conftest test -p examples/test/ test/ --ignore=".*.yaml" conftest test -p examples/test/ test/ --ignore=".*.cue|.*.yaml" ``` -------------------------------- ### Trace Policy Evaluation with Conftest CLI Source: https://www.conftest.dev/debug This command demonstrates how to use the `--trace` flag to output a detailed trace of policy evaluation for a given input file. The trace shows the step-by-step execution of Rego rules, including function calls, condition evaluations, and rule matching. This is invaluable for understanding policy behavior and debugging complex logic. ```bash conftest test --trace deployment.yaml ``` -------------------------------- ### Rendered Documentation from Custom Template Source: https://www.conftest.dev/documentation This is the output generated by applying the custom Go template to the provided policy module. It lists each data path and its associated annotations, demonstrating the effect of the template logic. ```text data.foo has annotations {"organizations":["Acme Corp."],"scope":"subpackages"} data.foo.bar has annotations {"description":"A couple of useful rules","scope":"package"} data.foo.bar.p has annotations {"scope":"rule","title":"My Rule P"} ``` -------------------------------- ### OPA Policy with Metadata Annotation Source: https://www.conftest.dev/documentation This snippet demonstrates how to annotate an OPA policy using the METADATA format. It includes fields like 'title', 'description', 'authors', and 'entrypoint'. Ensure packages have at least 'title' and rules have 'title' and 'description' for complete documentation. ```rego # METADATA # title: My rule # description: A rule that determines if x is allowed. # authors: # - John Doe # entrypoint: true allow if { ... } ``` -------------------------------- ### Generate Markdown Documentation with conftest Source: https://www.conftest.dev/documentation This command generates static markdown documentation for OPA policies by retrieving annotations from a targeted module. It's a straightforward way to create human-readable policy references. ```bash conftest doc path/to/policy ``` -------------------------------- ### Generate Documentation with Custom Template Source: https://www.conftest.dev/documentation This command allows you to override the default documentation template with your own custom template file (e.g., 'template.md'). This provides flexibility in how your policy documentation is rendered. ```bash conftest -t template.md path/tp/policies ``` -------------------------------- ### Debug Policy Evaluation with --trace Source: https://www.conftest.dev/options Enables detailed tracing of Rego query evaluation during conftest policy testing. This option is invaluable for debugging complex policies. Note that `--trace` only functions with the default standard output format and is ignored if a specific `--output` format is provided. ```bash $ conftest test --trace deployment.yaml file: deployment.yaml | query: data.main.deny TRAC Enter data.main.deny = _ TRAC | Eval data.main.deny = _ TRAC | Index data.main.deny = _ matched 3 rules) TRAC | Enter data.main.deny TRAC | | Eval data.kubernetes.is_deployment ... ``` -------------------------------- ### Conftest JSON Output for Policy Violations Source: https://www.conftest.dev/index Demonstrates how to use Conftest with the JSON outputter to test a Rego policy against an empty input. The output shows detailed violation information, including messages, locations, and metadata. ```bash $ echo "{}" | conftest test -p policy.rego --output json - [ { "filename": "", "namespace": "main", "successes": 0, "failures": [ { "msg": "Violation for some reason.", "loc": { "file": "foo.txt", "line": 99999 }, "metadata": { "metadata_abc": 123, "metadata_xyz": true, "query": "data.main.deny" } } ] } ] ``` -------------------------------- ### Conftest GitHub Actions Integration Source: https://www.conftest.dev/options A GitHub Actions workflow demonstrating how to use Conftest to validate Kubernetes policies on pull requests. It checks out the code and runs Conftest with the GitHub output format. ```yaml --- name: Conftest on: pull_request: branches: - main jobs: conftest: runs-on: ubuntu-latest container: openpolicyagent/conftest:latest steps: - name: Code checkout uses: actions/checkout@v3 - name: Validate Kubernetes policy run: | conftest test -o github -p examples/kubernetes/policy examples/kubernetes/deployment.yaml ``` -------------------------------- ### Test Unencrypted Azure Disk using File Source: https://www.conftest.dev/index This test uses `parse_config_file` to load an Azure disk configuration from a Terraform file and then applies the `deny` rule to check for encryption status. ```rego test_unencrypted_azure_disk if { cfg := parse_config_file("unencrypted_azure_disk.tf") deny with input as cfg } ``` -------------------------------- ### Specify Policy Directories with --policy Source: https://www.conftest.dev/options Customizes the directories where Conftest searches for policy files using the `--policy` or `-p` flag. This allows for organizing policies across multiple directories, such as separating organization-wide rules from team-specific ones. When multiple directories are specified, rules are merged, so naming conflicts must be managed. ```bash $ conftest test files/ $ conftest test -p my-policies files/ $ conftest test -p my-policies -p org-policies files/ ``` -------------------------------- ### Define Rego Policy for Deployment Source: https://www.conftest.dev/index This Rego policy defines rules to check Kubernetes Deployments for security context and app label presence. It uses 'deny' rules to flag violations with specific messages. ```rego package main deny contains msg if { input.kind == "Deployment" not input.spec.template.spec.securityContext.runAsNonRoot msg := "Containers must not run as root" } deny contains msg if { input.kind == "Deployment" not input.spec.selector.matchLabels.app msg := "Containers must provide app label for pod selectors" } ``` -------------------------------- ### Conftest GitHub Actions Output for Policy Violations Source: https://www.conftest.dev/index Shows how Conftest can output results in a format compatible with GitHub Actions annotations. This allows for inline error reporting directly in pull requests. ```bash $ echo "{}" | conftest test -p /tmp/policy.rego --output github - ::group::Testing "-" against 1 policies in namespace "main" ::error file=foo.txt,line=99999::Violation for some reason. ::error file=-,line=1::(ORIGINATING FROM foo.txt L99999) Violation for some reason. ::notice file=-,line=1::Number of successful checks: 0 ::endgroup:: 1 test, 0 passed, 0 warnings, 1 failure, 0 exceptions ``` -------------------------------- ### Conftest JUnit Output Source: https://www.conftest.dev/options Demonstrates the JUnit XML output format from Conftest, which is commonly used for test reporting in CI/CD pipelines. This output details test suites, individual test cases, and any failures encountered. ```shell $ conftest test -p examples/kubernetes/policy examples/kubernetes/service.yaml -o junit Containers must not run as root in Deployment hello-kubernetes Deployment hello-kubernetes must provide app/release labels for pod selectors hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels Found deployment hello-kubernetes but deployments are not allowed /.git//sub/folder ``` -------------------------------- ### Conftest GitHub Output Source: https://www.conftest.dev/options Shows the output format of Conftest when configured for GitHub, suitable for integrating into GitHub Actions. This format uses GitHub's workflow commands for annotations and error reporting. ```shell $ conftest test -o github -p examples/kubernetes/policy examples/kubernetes/deployment.yaml ::group::Testing 'examples/kubernetes/deployment.yaml' against 5 policies in namespace 'main' ::error file=examples/kubernetes/deployment.yaml,line=1::Containers must not run as root in Deployment hello-kubernetes ::error file=examples/kubernetes/deployment.yaml,line=1::Deployment hello-kubernetes must provide app/release labels for pod selectors ::error file=examples/kubernetes/deployment.yaml,line=1::hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels ::error file=examples/kubernetes/deployment.yaml,line=1::Found deployment hello-kubernetes but deployments are not allowed success file=examples/kubernetes/deployment.yaml 1 ::endgroup:: 5 tests, 1 passed, 0 warnings, 4 failures, 0 exceptions ``` -------------------------------- ### Update Policies and Test with Conftest --update flag Source: https://www.conftest.dev/sharing Downloads the latest available policies from the specified URL(s) and then runs tests against the given file. This flag combines fetching and testing into a single command. ```bash conftest test --update ``` -------------------------------- ### Rego Exception Syntax for Rules Source: https://www.conftest.dev/exceptions Defines an exception block in Rego that specifies a list of rules to be exempted. The 'rules' array should contain the names of the deny or violation rules that should not apply to matching inputs. An empty string for 'rules' exempts all deny/violation rules. ```rego exception contains rules if { # Logic rules := ["foo","bar"] } ``` -------------------------------- ### Push Policies to OCI Registry with Conftest Source: https://www.conftest.dev/sharing Uploads policy bundles to an OCI-compatible registry. This action leverages the ORAS tool to facilitate the push operation, enabling shared access to your policies. ```bash conftest push opa.azurecr.io/test ``` -------------------------------- ### Configure Conftest as Pre-commit Hook Source: https://www.conftest.dev/pre_commit Integrates Conftest into your pre-commit configuration to validate configuration files. Requires specifying the Conftest repository, revision, and the path to your policy directory. The `conftest-test` hook validates files, and `conftest-verify` runs policy unit tests. ```yaml repos: - repo: https://github.com/open-policy-agent/conftest rev: v0.64.0 # Use a specific tag or 'HEAD' for the latest commit hooks: - id: conftest-test args: [--policy, path/to/your/policies] # Specify your policy directory # Optional: Add the verify hook to run policy unit tests - id: conftest-verify args: [--policy, path/to/your/policies] ``` -------------------------------- ### Conftest Policy with --combine Flag Source: https://www.conftest.dev/options A Rego policy that demonstrates the use of the --combine flag in Conftest. It checks if Deployments have corresponding Services by examining the input array structure, where each element contains 'path' and 'contents'. ```rego package main deny contains msg if { input[i].contents.kind == "Deployment" deployment := input[i].contents not service_selects_app(deployment.spec.selector.matchLabels.app) msg := sprintf("Deployment %v with selector %v does not match any Services", [deployment.metadata.name, deployment.spec.selector.matchLabels]) } service_selects_app(app) if { input[service].contents.kind == "Service" input[service].contents.spec.selector.app == app } ``` -------------------------------- ### Test AWS ALB HTTP Protocol Denial Source: https://www.conftest.dev/index This test verifies that an AWS ALB listener configured with HTTP protocol is flagged as a violation. It uses `parse_config` to create the configuration and `deny` to check for violations. ```rego test_fails_with_http_alb if { cfg := parse_config("hcl2", "" resource "aws_alb_listener" "name" { protocol = \"HTTP\" } ") deny["ALB `name` is using HTTP rather than HTTPS"] with input as cfg } ``` -------------------------------- ### Conftest JSON Output with Metadata Source: https://www.conftest.dev/index Shows the JSON output format of Conftest when a Rego policy returns structured data with metadata. This includes the violation message and custom metadata fields. ```json $ echo "{}" | conftest test -p policy.rego --output json - [ { "filename": "", "namespace": "main", "successes": 0, "failures": [ { "msg": "Violation for some reason.", "metadata": { "metadata_abc": 123, "metadata_xyz": true, "query": "data.main.deny" } } ] } ] ``` -------------------------------- ### Pull Policies via Git with Access Token using Conftest Source: https://www.conftest.dev/sharing Downloads policies from a private Git repository by including a personal access token in the URL. This enables secure access to policies stored in private repositories. ```bash conftest pull git::https://@github.com//.git//sub/folder ``` -------------------------------- ### Test AWS ALB HTTP Protocol Denial (v2) Source: https://www.conftest.dev/index An alternative Rego rule `deny_alb_http` specifically for detecting AWS ALB listeners using HTTP. This allows for more targeted testing. ```rego deny_alb_http contains msg if { some name some lb in input.resource.aws_alb_listener[name] lb.protocol == "HTTP" msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [name]) } ``` -------------------------------- ### Output SARIF Report with Conftest Source: https://www.conftest.dev/options Generates a SARIF report detailing policy violations found by conftest. This output format is useful for integrating conftest results into security analysis tools. It requires specifying policy and input files, and directing the output to SARIF. ```bash $ conftest test --proto-file-dirs examples/textproto/protos -p examples/textproto/policy examples/textproto/fail.textproto -o sarif {"version":"2.1.0","$schema":"https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json","runs":[{"tool":{"driver":{"informationUri":"https://github.com/open-policy-agent/conftest","name":"conftest","rules":[{"id":"main/deny","shortDescription":{"text":"Policy violation"}}]}},"invocations":[{"executionSuccessful":true,"exitCode":1,"exitCodeDescription":"Policy violations found"}],"results":[{"ruleId":"main/deny","ruleIndex":0,"level":"error","message":{"text":"fail: Power level must be over 9000"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"examples/textproto/fail.textproto"}}}]}]}]} ``` -------------------------------- ### Conftest Azure DevOps Output Source: https://www.conftest.dev/options Illustrates the output format of Conftest when used with Azure DevOps. This format utilizes Azure DevOps' task logging commands to report errors and test results within the pipeline. ```shell $ conftest test -o azuredevops -p examples/kubernetes/policy examples/kubernetes/deployment.yaml ##[section]Testing 'examples/kubernetes/deployment.yaml' against 5 policies in namespace 'main' ##[group]See conftest results ##vso[task.logissue type=error] file=examples/kubernetes/deployment.yaml --> Containers must not run as root in Deployment hello-kubernetes ##vso[task.logissue type=error] file=examples/kubernetes/deployment.yaml --> Deployment hello-kubernetes must provide app/release labels for pod selectors ##vso[task.logissue type=error] file=examples/kubernetes/deployment.yaml --> hello-kubernetes must include Kubernetes recommended labels: https://kubernetes.io/docs/concepts/overview/working-with-objects/common-labels/#labels ##vso[task.logissue type=error] file=examples/kubernetes/deployment.yaml --> Found deployment hello-kubernetes but deployments are not allowed success file=examples/kubernetes/deployment.yaml 1 ##[endgroup] 5 tests, 1 passed, 0 warnings, 4 failures, 0 exceptions ``` -------------------------------- ### Pull Policies from OCI Registry with Conftest Source: https://www.conftest.dev/sharing Retrieves policies stored in an OCI (Open Container Initiative) registry. This method is ideal for centralized policy management and distribution within an organization. ```bash conftest pull oci://opa.azurecr.io/test ``` -------------------------------- ### Rego Unit Test Helper for Empty Set Check Source: https://www.conftest.dev/index A helper rule in Rego to check if a given set is empty. This is often used in tests to assert that no violations were generated. ```rego # "not deny" doesn't work because deny is a set. # Instead we need to define "no_violations" to be true when `deny` is empty. empty(value) if { count(value) == 0 } no_violations if { empty(deny) } ``` -------------------------------- ### Terraform Configuration for Unencrypted Azure Disk Source: https://www.conftest.dev/index A Terraform configuration snippet defining an Azure managed disk with encryption explicitly disabled. ```hcl resource "azurerm_managed_disk" "sample" { encryption_settings { enabled = false } } ``` -------------------------------- ### Pull Policies via HTTPS with Conftest Source: https://www.conftest.dev/sharing Downloads policies from a remote URL using the HTTPS protocol. Ensure the URL points to a valid policy bundle. This is a straightforward method for fetching publicly accessible policies. ```bash conftest pull https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego ``` -------------------------------- ### Test AWS ALB HTTPS Protocol Allowance Source: https://www.conftest.dev/index This test ensures that an AWS ALB listener configured with HTTPS protocol does not trigger any violations. It uses `parse_config` to create the configuration and `no_violations` to assert the absence of issues. ```rego test_allow_with_alb_https if { cfg := parse_config("hcl2", "" resource "aws_alb_listener" "lb_with_https" { protocol = \"HTTPS\" } ") no_violations with input as cfg } ``` -------------------------------- ### Test AWS ALB Unspecified Protocol Allowance Source: https://www.conftest.dev/index This test checks that an AWS ALB listener without a specified protocol does not result in violations. It utilizes `parse_config` for configuration and `no_violations` for verification. ```rego test_deny_alb_protocol_unspecified if { cfg := parse_config("hcl2", "" resource "aws_alb_listener" "lb_with_unspecified_protocol" { foo = \"bar\" } ") no_violations with input as cfg } ``` -------------------------------- ### Force Parser with --parser Source: https://www.conftest.dev/options Overrides Conftest's automatic file parser detection by explicitly specifying the parser to use with the `--parser` flag. This is useful when dealing with files that might have ambiguous extensions or when you need to ensure a specific parsing logic is applied, such as using `hcl2` for Terraform HCL files. ```bash $ conftest test -p examples/hcl1/policy examples/hcl1/gke.tf --parser hcl2 2 tests, 2 passed, 0 warnings, 0 failures, 0 exceptions ``` -------------------------------- ### Deny Unencrypted Azure Disk Source: https://www.conftest.dev/index This Rego rule identifies Azure managed disks that are not configured with encryption enabled. It checks for the presence and value of the `encryption_settings.enabled` field. ```rego deny contains msg if { disk = input.resource.azurerm_managed_disk[name] has_field(disk, "encryption_settings") disk.encryption_settings.enabled != true msg = sprintf("Azure disk `%v` is not encrypted", [name]) } ``` -------------------------------- ### Rego Policy for ALB HTTP Protocol Check Source: https://www.conftest.dev/index A Rego policy that checks for AWS Application Load Balancer (ALB) listeners using the HTTP protocol instead of HTTPS. It identifies the listener name and generates a violation message. ```rego deny contains msg if { some name some lb in input.resource.aws_alb_listener[name] lb.protocol == "HTTP" msg = sprintf("ALB `%v` is using HTTP rather than HTTPS", [name]) } ``` -------------------------------- ### Test AWS ALB HTTP Protocol Allowance (v2) Source: https://www.conftest.dev/index This test uses the `deny_alb_http` rule to specifically check if an AWS ALB listener configured with HTTP triggers the expected violation. ```rego test_fails_with_http_alb if { cfg := parse_config("hcl2", "" resource "aws_alb_listener" "name" { protocol = \"HTTP\" } ") deny_alb_http with input as cfg } ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.