use version import in use-latest-module-versions.sentinel

Author: rberlind

governance/third-generation/cloud-agnostic/http-examples/README.md

@@ -18,7 +18,7 @@ You can test the first policy from this directory (after forking or cloning the
 sentinel test -run=check -verbose
 ```
 
-The second policy uses the HTTP import to call the Terraform Registry [List Modules API](https://www.terraform.io/docs/registry/api.html#list-modules) against a Terraform Cloud or Terraform Enterprise server in order to determine the most recent version of each module in the [Private Module Registry](https://www.terraform.io/docs/cloud/registry/index.html) (PMR) of an organization on that server or in the [public Terraform registry](https://registry.terraform.io). This policy also uses parameters as described below.
+The second policy uses the HTTP import to call the Terraform Registry [List Modules API](https://www.terraform.io/docs/registry/api.html#list-modules) against a Terraform Cloud or Terraform Enterprise server in order to determine the most recent version of each module in the [Private Module Registry](https://www.terraform.io/docs/cloud/registry/index.html) (PMR) of an organization on that server or in the [public Terraform registry](https://registry.terraform.io). It then checks that the version constraints used in module calls allow the most recent version. This policy also uses parameters as described below.
 
 The third policy uses the HTTP import to call a [NASA API](https://api.nasa.gov/) that retrieves a list of Near Earth Objects and warns if any of them are too close for comfort. This is based on an example from this HashiCorp [blog](https://www.hashicorp.com/blog/announcing-business-aware-policies-for-terraform-cloud-and-enterprise/) that announced the HTTP import and "Business-aware Policies". This policy also uses parameters as described below.
 
@@ -51,7 +51,7 @@ sentinel apply -trace -config=use-latest-module-versions.hcl use-latest-module-v
 ```
 You do not need a token when talking to the public registry, so the use-latest-module-versions.hcl file sets `token` to an empty string.
 
-The policy should fail since the mock does not use the most recent versions of the two modules. If you would like to see the policy pass, change the versions of the modules in mocks/mock-tfconfig-fail.sentinel to the most recent versions listed under https://registry.terraform.io/modules/Azure/network/azurerm and https://registry.terraform.io/modules/Azure/compute/azurerm. Currently, those are "3.2.1" and "3.10.0" respectively.
+The policy should fail since the mock does not use or allow the most recent versions of the two modules. If you would like to see the policy pass, change the versions of the modules in mocks/mock-tfconfig-fail.sentinel to the most recent versions listed under https://registry.terraform.io/modules/Azure/network/azurerm and https://registry.terraform.io/modules/Azure/compute/azurerm. Currently, those are "3.3.0" and "3.11.0" respectively.
 
 Note that the `sentinel test` and `sentinel apply` commands for testing/applying the use-latest-module-versions.sentinel policy **really** are making HTTP calls to the API endpoints to retrieve the list of matching modules in the registries. However, the mocks simulate which modules would actually be used by Terraform code.
 

governance/third-generation/cloud-agnostic/http-examples/mocks/mock-tfconfig-fail.sentinel

@@ -73,7 +73,7 @@ module_calls = {
 		"module_address":     "",
 		"name":               "windowsserver",
 		"source":             "Azure/compute/azurerm",
-		"version_constraint": "1.1.7",
+		"version_constraint": ">= 2.0.0, < 3.0.0",
 	},
 }
 

governance/third-generation/cloud-agnostic/http-examples/test/use-latest-module-versions/fail-invalid-version-constraint.hcl

@@ -0,0 +1,23 @@
+param "organization" {
+  value = "Cloud-Operations"
+}
+
+param "token" {
+  value = ""
+}
+
+module "tfconfig-functions" {
+      source = "../../../../common-functions/tfconfig-functions/tfconfig-functions.sentinel"
+}
+
+mock "tfconfig/v2" {
+  module {
+    source = "mock-tfconfig-fail-invalid-version-constraint.sentinel"
+  }
+}
+
+test {
+  rules = {
+    main = false
+  }
+}

governance/third-generation/cloud-agnostic/http-examples/test/use-latest-module-versions/fail.hcl renamed to governance/third-generation/cloud-agnostic/http-examples/test/use-latest-module-versions/fail-invalid-version-number.hcl

@@ -12,7 +12,7 @@ module "tfconfig-functions" {
 
 mock "tfconfig/v2" {
   module {
-    source = "mock-tfconfig-fail.sentinel"
+    source = "mock-tfconfig-fail-invalid-version-number.sentinel"
   }
 }
 

governance/third-generation/cloud-agnostic/http-examples/test/use-latest-module-versions/mock-tfconfig-fail-invalid-version-constraint.sentinel

@@ -0,0 +1,176 @@
+import "strings"
+
+module_calls = {
+	"module.windowsserver:os": {
+		"config": {
+			"vm_os_simple": {
+				"references": [
+					"var.vm_os_simple",
+				],
+			},
+		},
+		"count":              {},
+		"for_each":           {},
+		"module_address":     "module.windowsserver",
+		"name":               "os",
+		"source":             "./os",
+		"version_constraint": "",
+	},
+	"network": {
+		"config": {
+			"allow_ssh_traffic": {
+				"constant_value": true,
+			},
+			"location": {
+				"references": [
+					"var.location",
+				],
+			},
+			"resource_group_name": {
+				"references": [
+					"var.windows_dns_prefix",
+				],
+			},
+		},
+		"count":              {},
+		"for_each":           {},
+		"module_address":     "",
+		"name":               "network",
+		"source":             "app.terraform.io/Cloud-Operations/network/azurerm",
+		"version_constraint": ">= 2.0.0, < 3.0.0",
+	},
+	"windowsserver": {
+		"config": {
+			"admin_password": {
+				"references": [
+					"var.admin_password",
+				],
+			},
+			"location": {
+				"references": [
+					"var.location",
+				],
+			},
+			"public_ip_dns": {
+				"references": [
+					"var.windows_dns_prefix",
+				],
+			},
+			"resource_group_name": {
+				"references": [
+					"var.windows_dns_prefix",
+				],
+			},
+			"storage_account_type": {
+				"references": [
+					"var.storage_account_type",
+				],
+			},
+			"vm_hostname": {
+				"constant_value": "demohost",
+			},
+			"vm_os_simple": {
+				"constant_value": "WindowsServer",
+			},
+			"vm_size": {
+				"references": [
+					"var.vm_size",
+				],
+			},
+			"vnet_subnet_id": {
+				"references": [
+					"module.network.vnet_subnets",
+				],
+			},
+		},
+		"count":              {},
+		"for_each":           {},
+		"module_address":     "",
+		"name":               "windowsserver",
+		"source":             "app.terraform.io/Cloud-Operations/compute/azurerm",
+		"version_constraint": ">= 1.0.0, <= 1.1.5",
+	},
+	"module.network:network2": {
+		"config": {
+			"allow_ssh_traffic": {
+				"constant_value": true,
+			},
+			"location": {
+				"references": [
+					"var.location",
+				],
+			},
+			"resource_group_name": {
+				"references": [
+					"var.windows_dns_prefix",
+				],
+			},
+		},
+		"count":              {},
+		"for_each":           {},
+		"module_address":     "module.network",
+		"name":               "network2",
+		"source":             "app.terraform.io/Cloud-Operations/network/azurerm",
+		"version_constraint": "<= 3.0.0",
+	},
+	"module.network:windowsserver2": {
+		"config": {
+			"admin_password": {
+				"references": [
+					"var.admin_password",
+				],
+			},
+			"location": {
+				"references": [
+					"var.location",
+				],
+			},
+			"public_ip_dns": {
+				"references": [
+					"var.windows_dns_prefix",
+				],
+			},
+			"resource_group_name": {
+				"references": [
+					"var.windows_dns_prefix",
+				],
+			},
+			"storage_account_type": {
+				"references": [
+					"var.storage_account_type",
+				],
+			},
+			"vm_hostname": {
+				"constant_value": "demohost",
+			},
+			"vm_os_simple": {
+				"constant_value": "WindowsServer",
+			},
+			"vm_size": {
+				"references": [
+					"var.vm_size",
+				],
+			},
+			"vnet_subnet_id": {
+				"references": [
+					"module.network.vnet_subnets",
+				],
+			},
+		},
+		"count":              {},
+		"for_each":           {},
+		"module_address":     "module.network",
+		"name":               "windowsserver2",
+		"source":             "app.terraform.io/Cloud-Operations/compute/azurerm",
+		"version_constraint": "<= 1.1.5",
+	},
+}
+
+strip_index = func(addr) {
+	s = strings.split(addr, ".")
+	for s as i, v {
+		s[i] = strings.split(v, "[")[0]
+	}
+
+	return strings.join(s, ".")
+}