package spacelift
# This import enables the Rego v1 keywords used below (`contains`, `if`, `in`) on a
# Rego v0 runtime. On an OPA/Spacelift runtime that already defaults to Rego v1 it
# is redundant and can be dropped, but it is harmless to keep.
import rego.v1
# This policy is a plan policy, it will validate the resources during the plan phase.
# More details at: https://docs.spacelift.io/concepts/policy/terraform-plan-policy
# The "deny" rule emits one entry for every planned resource change whose actions
# include "delete" and whose type is in the stateful set below. Because it is a
# membership check, replace plans (delete together with create) are caught too.
# Each entry is a formatted message naming the address of the offending resource.
# Resource types that hold data and must never be deleted through a plan.
# Matching is exact on the Terraform type string; a provider type not listed
# here passes silently. NOTE(review): Aurora (aws_rds_cluster*), EBS volumes
# and ElastiCache are not in this set — confirm whether they should be before
# relying on this policy as the only guard.
stateful_types := {
	"aws_db_instance",
	"aws_efs_file_system",
	"aws_dynamodb_table",
	"aws_s3_bucket",
}

# deny: one "do not delete <address>" message per planned change that would
# delete a stateful resource. The check is membership in `actions`, so it fires
# for a plain destroy as well as a destroy-and-recreate replacement.
# It only sees what is in the plan: resources dropped from state without a
# destroy (e.g. `terraform state rm`, `removed` blocks) carry no delete action
# and are not covered.
deny contains msg if {
	some change in input.terraform.resource_changes
	change.type in stateful_types
	"delete" in change.change.actions
	msg := sprintf("do not delete %s", [change.address])
}
# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
# Sampling keeps evaluation inputs for later inspection. Here the input is the
# plan's resource_changes, so NOTE(review): confirm that sensitive attribute
# values are not exposed wherever samples can be viewed before leaving this on.
sample := true