enforce-terraform-version-list.rego

package spacelift

# This import is required for Rego v0 compatibility and can be removed if you are only using Rego v1.
import rego.v1

# Define a list of not allowed Terraform versions.
notallowed_versions := ["1.4.1", "1.4.2", "1.4.3"]

# Define a list of allowed Terraform versions.
allowed_versions := ["1.4.4", "1.4.5", "1.5.0"]

# The "deny" rule fires when a blocked Terraform version is used.
# The result is a formatted message with the blocked version.
deny contains sprintf("Not allowed to use Terraform version %s. Please consider using one of the following versions: %v", [terraform_version, allowed_versions]) if {
	# Extract the Terraform version from the runtime configuration
	terraform_version := input.terraform.terraform_version

	# Check if the Terraform version is one of those defined in the notallowed_versions list
	terraform_version in notallowed_versions
}

# The "warn" rule fires for any other Terraform version.
warn contains sprintf("You're using Terraform version %s, which isn't explicitly allowed or denied. Consider using one of the allowed versions: %v", [terraform_version, allowed_versions]) if {
	# Extract the Terraform version from the runtime configuration
	terraform_version := input.terraform.terraform_version

	# Ensure the version is neither in the allowed_versions nor in the notallowed_versions
	not is_version_allowed(terraform_version)
	not is_version_notallowed(terraform_version)
}

# Helper rule to check if a version is in the allowed_versions
is_version_allowed(version) if {
	version in allowed_versions
}

# Helper rule to check if a version is in the notallowed_versions
is_version_notallowed(version) if {
	version in notallowed_versions
}

# Learn more about sampling policy evaluations here:
# https://docs.spacelift.io/concepts/policy#sampling-policy-inputs
sample := true