package spacelift
# This import is required for Rego v0 compatibility and can be removed if you are only using Rego v1.
import rego.v1
# Label keys that every resource of a type listed in mandatory_resources must
# carry. The values here are placeholders; replace them with the keys your
# organisation actually requires (e.g. owner, cost-centre, data-classification).
mandatory_labels := {
	"mandatory1",
	"mandatory2",
}

# Label keys tolerated in addition to the mandatory ones. Any key on a
# mandatory resource that is in neither set is reported as invalid.
acceptable_labels := {
	"acceptable1",
	"acceptable2",
}

# Terraform resource types this policy is enforced on. Types not listed here
# are never inspected, so keep this list in step with the resources you
# consider sensitive enough to require labelling.
mandatory_resources := {
	"google_redis_instance",
	"google_spanner_instance",
	"google_storage_bucket",
}
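# Report every changed resource of a mandatory type that lacks at least one
# mandatory label key, naming the missing keys so the author can fix the plan.
#
# `labels` is read with a default of {} rather than as a bare
# `change.entity.data.values.labels` reference: when a resource has no labels
# block at all, the bare reference is undefined, the rule body fails for that
# change, and the unlabelled resource silently passes the policy. With the
# default it is reported as missing every mandatory label, which is the intent.
# (If `change.entity.data.values` itself is absent for some change kinds,
# that change is still skipped — presumably only for deletions; verify against
# the Spacelift plan schema.)
deny contains msg if {
	some change in input.spacelift.run.changes
	is_mandatory_resource(change.entity.type, mandatory_resources)
	labels := object.get(change.entity.data.values, "labels", {})
	missing_any_mandatory_label(labels, mandatory_labels)
	msg := sprintf(
		"Resource '%s' is missing mandatory labels: %v",
		[change.entity.address, which_labels_missing(labels, mandatory_labels)],
	)
}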
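# Report every changed resource of a mandatory type that carries a label key
# outside the mandatory and acceptable allow-lists (decided by
# has_non_acceptable_labels).
#
# `labels` is read with a default of {} so that a resource with no labels
# block is evaluated as an empty label map instead of making the rule body
# undefined. An empty map has no disallowed keys, so this rule does not fire
# for it; the missing-labels rule covers that case.
deny contains msg if {
	some change in input.spacelift.run.changes
	is_mandatory_resource(change.entity.type, mandatory_resources)
	labels := object.get(change.entity.data.values, "labels", {})
	has_non_acceptable_labels(labels, mandatory_labels, acceptable_labels)
	msg := sprintf("Resource '%s' has invalid labels.", [change.entity.address])
}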
# True when entity_type is a member of `resources`, a set of Terraform
# resource type names. A set lookup is defined only for members, so the rule
# is undefined (i.e. false for callers) for any other type.
is_mandatory_resource(entity_type, resources) if resources[entity_type]
# True when at least one key in `mandatory` is absent from the `labels`
# object. Only key presence is tested: a mandatory label whose value is the
# empty string still counts as present, so tighten the check here if empty
# values must also be rejected.
missing_any_mandatory_label(labels, mandatory) if {
	absent := {key | some key in mandatory; not labels[key]}
	count(absent) > 0
}
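# True when `labels` (an object mapping label key -> value) contains a key
# that is in neither `mandatory` nor `acceptable`.
#
# Fix: `some label in labels` iterates an object's VALUES, not its keys, so
# the original compared label values against the key allow-lists. That both
# raised false positives (e.g. {"mandatory1": "prod"} was "invalid" because
# "prod" is not an allowed key name) and let a disallowed key through whenever
# its value happened to spell an allowed key ({"anything": "mandatory1"}).
# Binding the key explicitly with `some key, _ in labels` makes the rule check
# what the policy intends.
has_non_acceptable_labels(labels, mandatory, acceptable) if {
	some key, _ in labels
	not mandatory[key]
	not acceptable[key]
}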
# The subset of `mandatory` whose keys are absent from the `labels` object,
# used to make the deny message actionable. Uses the same presence test as
# missing_any_mandatory_label (key lookup only; an empty-string value counts
# as present), so the two stay in agreement.
which_labels_missing(labels, mandatory) := missing if {
	missing := {key | some key in mandatory; not labels[key]}
}