Validate Terraform input variables using OPA policies #977
Conversation
|
Important Cloud Posse Engineering Team Review RequiredThis pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes. To expedite this process, reach out to us on Slack in the |
📝 WalkthroughWalkthroughThis pull request introduces a series of incremental changes across the Atmos project, focusing on enhancing configuration management, documentation, and dependency updates. The modifications span multiple files, including utility functions, configuration handling, documentation, and dependency version upgrades. Key changes include clarifying function comments, reinstating necessary imports, updating the Atmos tool version, and adding validation capabilities for Terraform variables. Changes
Possibly related PRs
Suggested Reviewers
✨ Finishing Touches
Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media? 🪧 TipsChatThere are 3 ways to chat with CodeRabbit:
Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments. CodeRabbit Commands (Invoked using PR comments)
Other keywords and placeholders
Documentation and Community
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (2)
website/docs/core-concepts/validate/terraform-variables.mdx (2)
44-55: Consider adding a visual diagram for variable precedence.The variable precedence section is well-explained but could benefit from a visual representation to make it more intuitive.
171-173: Consider adding a troubleshooting section.Since this introduces a new validation feature, it would be helpful to include common issues and their solutions.
🧰 Tools
🪛 LanguageTool
[typographical] ~171-~171: Consider using a typographic opening quote here.
Context: ...nt.rego"> ```rego package atmos errors["for the 'my-component' component, the va...(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { input.cli_vars.name } ``` </File...(EN_QUOTES)
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
⛔ Files ignored due to path filters (1)
go.sumis excluded by!**/*.sum
📒 Files selected for processing (14)
cmd/cmd_utils.go(1 hunks)cmd/terraform.go(1 hunks)examples/quick-start-advanced/Dockerfile(1 hunks)go.mod(9 hunks)internal/exec/helmfile.go(1 hunks)internal/exec/terraform.go(2 hunks)internal/exec/utils.go(2 hunks)pkg/config/const.go(1 hunks)tests/fixtures/scenarios/complete/components/terraform/test/template-functions-test/outputs.tf(1 hunks)tests/fixtures/scenarios/complete/stacks/catalog/terraform/template-functions-test/defaults.yaml(1 hunks)tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego(1 hunks)website/docs/core-concepts/validate/editorconfig.mdx(1 hunks)website/docs/core-concepts/validate/terraform-variables.mdx(1 hunks)website/docs/integrations/atlantis.mdx(1 hunks)
✅ Files skipped from review due to trivial changes (5)
- cmd/terraform.go
- internal/exec/helmfile.go
- cmd/cmd_utils.go
- website/docs/integrations/atlantis.mdx
- website/docs/core-concepts/validate/editorconfig.mdx
👮 Files not reviewed due to content moderation or server errors (4)
- tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego
- pkg/config/const.go
- internal/exec/terraform.go
- internal/exec/utils.go
🧰 Additional context used
📓 Learnings (1)
examples/quick-start-advanced/Dockerfile (2)
Learnt from: aknysh
PR: cloudposse/atmos#775
File: examples/quick-start-advanced/Dockerfile:9-9
Timestamp: 2024-11-12T05:52:05.088Z
Learning: It is acceptable to set `ARG ATMOS_VERSION` to a future version like `1.105.0` in `examples/quick-start-advanced/Dockerfile` if that will be the next release.
Learnt from: osterman
PR: cloudposse/atmos#801
File: examples/quick-start-advanced/Dockerfile:9-9
Timestamp: 2024-11-23T00:13:22.004Z
Learning: When updating the `ATMOS_VERSION` in Dockerfiles, the team prefers to pin to the next future version when the PR merges, even if the version is not yet released.
🪛 Regal (0.29.2)
tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego
[error] 2-2: Directory structure should mirror package
(idiomatic)
[error] 2-2: Use import rego.v1
(imports)
🪛 LanguageTool
website/docs/core-concepts/validate/terraform-variables.mdx
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...tack> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` ...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...ck> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...-- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::ti...
(EN_QUOTES)
[typographical] ~32-~32: Consider using typographic quotation marks here.
Context: ...-var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...e=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-da...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...i -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-dash `...
(EN_QUOTES)
[typographical] ~135-~135: Consider using a typographic opening quote here.
Context: ...os considers the policy failed. errors["for the 'my-component' component, the va...
(EN_QUOTES)
[typographical] ~135-~135: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { not input.cli_vars.name } ``` </...
(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic opening quote here.
Context: ...nt.rego"> ```rego package atmos errors["for the 'my-component' component, the va...
(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { input.cli_vars.name } ``` </File...
(EN_QUOTES)
⏰ Context from checks skipped due to timeout of 90000ms (25)
- GitHub Check: [mock-macos] tests/fixtures/scenarios/complete
- GitHub Check: [mock-macos] examples/demo-vendoring
- GitHub Check: [mock-macos] examples/demo-context
- GitHub Check: [mock-macos] examples/demo-component-versions
- GitHub Check: [mock-macos] examples/demo-atlantis
- GitHub Check: [mock-windows] tests/fixtures/scenarios/complete
- GitHub Check: [mock-windows] examples/demo-vendoring
- GitHub Check: [mock-windows] examples/demo-context
- GitHub Check: [mock-windows] examples/demo-component-versions
- GitHub Check: [validate] demo-localstack
- GitHub Check: [mock-windows] examples/demo-atlantis
- GitHub Check: [mock-linux] tests/fixtures/scenarios/complete
- GitHub Check: [mock-linux] examples/demo-vendoring
- GitHub Check: [validate] demo-context
- GitHub Check: [mock-linux] examples/demo-context
- GitHub Check: [lint] demo-context
- GitHub Check: [mock-linux] examples/demo-component-versions
- GitHub Check: [mock-linux] examples/demo-atlantis
- GitHub Check: Acceptance Tests (macos-latest, macos)
- GitHub Check: [k3s] demo-helmfile
- GitHub Check: Acceptance Tests (windows-latest, windows)
- GitHub Check: Docker Lint
- GitHub Check: Acceptance Tests (ubuntu-latest, linux)
- GitHub Check: [localstack] demo-localstack
- GitHub Check: Summary
🔇 Additional comments (4)
tests/fixtures/scenarios/complete/components/terraform/test/template-functions-test/outputs.tf (1)
24-27: LGTM! Clean addition of tags output.The new output follows Terraform conventions and provides access to the module's tags.
examples/quick-start-advanced/Dockerfile (1)
9-9: LGTM! Version bump follows team conventions.The update to ATMOS_VERSION=1.156.0 aligns with the team's practice of pinning to future versions.
tests/fixtures/scenarios/complete/stacks/catalog/terraform/template-functions-test/defaults.yaml (1)
13-31: LGTM! Well-structured OPA validation configuration.The validation setup includes all necessary components:
- Schema type and path
- Additional module paths
- Appropriate timeout setting
Let's verify the referenced OPA policy file exists:
✅ Verification successful
OPA policy file verification successful! ⚔️
The referenced OPA policy file exists at the correct location, ensuring the validation configuration will work as intended.
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Description: Verify OPA policy file exists fd "validate-template-functions-test-component.rego" --type fLength of output: 191
go.mod (1)
Line range hint
10-107: LGTM! Dependency updates look appropriate.The version bumps appear to be routine maintenance updates, with notable updates to:
- OPA (v1.0.0 → v1.0.1)
- AWS SDK and related packages
Let's verify compatibility with the updated dependencies:
✅ Verification successful
Dependencies update verified - all clear! 🛡️
The dependency updates are safe to proceed:
- OPA usage follows stable SDK patterns and the v1.0.0 → v1.0.1 is a patch update
- AWS SDK usage is well-contained and follows standard v2 patterns
🏁 Scripts executed
The following scripts were executed for the analysis:
Script:
#!/bin/bash # Description: Check for any known compatibility issues with updated dependencies curl -s "https://pkg.go.dev/github.com/open-policy-agent/[email protected]?tab=versions" | grep -A 5 "Breaking Changes"Length of output: 114
Script:
#!/bin/bash # Check for OPA imports and usage patterns echo "=== OPA Usage ===" rg --type go "github.com/open-policy-agent/opa" -l echo -e "\n=== AWS SDK Usage ===" rg --type go "github.com/aws/aws-sdk-go-v2" -l # Check for specific AWS SDK service usage echo -e "\n=== AWS SSM Usage ===" rg --type go "github.com/aws/aws-sdk-go-v2/service/ssm" -lLength of output: 529
Script:
#!/bin/bash # Check OPA usage patterns echo "=== OPA Usage Patterns ===" rg --type go -A 5 -B 5 "github.com/open-policy-agent/opa" internal/exec/validate_utils.go echo -e "\n=== AWS SSM Client Usage ===" rg --type go -A 5 "NewFromConfig" pkg/store/aws_ssm_param_store.goLength of output: 1174
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (3)
website/docs/core-concepts/validate/terraform-variables.mdx (3)
20-82: Consider adding security considerations for command-line variables.While the documentation clearly explains variable precedence and usage, it would be beneficial to add security considerations about:
- Protecting sensitive values in command-line arguments
- Using var-files for sensitive data instead of command-line variables
- Logging implications when using trace level with sensitive data
🧰 Tools
🪛 LanguageTool
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...tack> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` ...(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...ck> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :...(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...-- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::ti...(EN_QUOTES)
[typographical] ~32-~32: Consider using typographic quotation marks here.
Context: ...-var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-...(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...e=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-da...(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...i -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-dash `...(EN_QUOTES)
117-119: Add context for the timeout value.The timeout setting would benefit from additional context:
- What happens when timeout is reached?
- What's a reasonable default value?
- Are there recommendations for different scenarios?
122-196: Consider adding more complex policy examples.The current examples are excellent for basic understanding. Consider adding:
- Validation of variable formats (e.g., enforcing naming conventions)
- Complex conditional rules (e.g., if var X is set, var Y must also be set)
- Examples of combining multiple validation rules
🧰 Tools
🪛 LanguageTool
[typographical] ~135-~135: Consider using a typographic opening quote here.
Context: ...os considers the policy failed. errors["for the 'my-component' component, the va...(EN_QUOTES)
[typographical] ~135-~135: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { not input.cli_vars.name } ``` </...(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic opening quote here.
Context: ...nt.rego"> ```rego package atmos errors["for the 'my-component' component, the va...(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { input.cli_vars.name } ``` </File...(EN_QUOTES)
📜 Review details
Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (1)
website/docs/core-concepts/validate/terraform-variables.mdx(1 hunks)
🧰 Additional context used
🪛 LanguageTool
website/docs/core-concepts/validate/terraform-variables.mdx
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...tack> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` ...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...ck> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...-- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::ti...
(EN_QUOTES)
[typographical] ~32-~32: Consider using typographic quotation marks here.
Context: ...-var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...e=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-da...
(EN_QUOTES)
[typographical] ~32-~32: Consider using a typographic close quote here.
Context: ...i -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Double-dash `...
(EN_QUOTES)
[typographical] ~135-~135: Consider using a typographic opening quote here.
Context: ...os considers the policy failed. errors["for the 'my-component' component, the va...
(EN_QUOTES)
[typographical] ~135-~135: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { not input.cli_vars.name } ``` </...
(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic opening quote here.
Context: ...nt.rego"> ```rego package atmos errors["for the 'my-component' component, the va...
(EN_QUOTES)
[typographical] ~171-~171: Consider using a typographic close quote here.
Context: ...n the command line using the '-var' flag"] { input.cli_vars.name } ``` </File...
(EN_QUOTES)
⏰ Context from checks skipped due to timeout of 90000ms (6)
- GitHub Check: Build (windows-latest, windows)
- GitHub Check: Build (ubuntu-latest, linux)
- GitHub Check: Analyze (javascript-typescript)
- GitHub Check: website-deploy-preview
- GitHub Check: Analyze (go)
- GitHub Check: Summary
🔇 Additional comments (1)
website/docs/core-concepts/validate/terraform-variables.mdx (1)
1-13: Well-structured metadata and imports!The file metadata and component imports are properly organized and follow documentation best practices.
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (6)
internal/exec/utils.go (2)
669-678: LGTM! Consider adding debug logging for CLI args.The implementation correctly adds CLI arguments and variables to the component section, enabling validation through OPA policies. The error handling is robust.
Consider adding debug logging for CLI args similar to how CLI vars are logged:
configAndStacksInfo.ComponentSection[cfg.CliArgsSectionName] = configAndStacksInfo.AdditionalArgsAndFlags +if atmosConfig.Logs.Level == u.LogLevelTrace || atmosConfig.Logs.Level == u.LogLevelDebug { + u.LogDebug(atmosConfig, "\nCLI arguments:") + err = u.PrintAsYAMLToFileDescriptor(atmosConfig, configAndStacksInfo.AdditionalArgsAndFlags) + if err != nil { + return configAndStacksInfo, err + } +}
1214-1242: Add input validation and improve documentation.While the implementation is solid, consider these improvements:
- Add validation for empty or malformed var names
- Add validation for empty values
- Add function documentation with examples
Here's a suggested improvement:
+// getCliVars parses command-line variables provided with the -var flag and returns them as a map. +// It supports both simple string values and JSON-formatted values. +// +// Example usage: +// -var name=test -> {"name": "test"} +// -var 'tags={"a":"b"}' -> {"tags": {"a": "b"}} func getCliVars(args []string) (map[string]any, error) { var variables = make(map[string]any) for i := 0; i < len(args); i++ { if args[i] == "-var" && i+1 < len(args) { kv := args[i+1] parts := strings.SplitN(kv, "=", 2) if len(parts) == 2 { varName := parts[0] + if varName == "" { + return nil, fmt.Errorf("empty variable name in -var flag") + } part2 := parts[1] + if part2 == "" { + return nil, fmt.Errorf("empty value for variable %q", varName) + } var varValue any if u.IsJSON(part2) {tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego (2)
7-9: Consider adding type checking for the name variable.While the rule correctly checks for the presence of the name variable, it could benefit from type checking.
Add type checking to ensure the name variable is a string:
errors["for the 'template-functions-test' component, the variable 'name' must be provided on the command line using the '-var' flag"] { not input.tf_cli_vars.name } + +errors["for the 'template-functions-test' component, the variable 'name' must be a string"] { + input.tf_cli_vars.name + not is_string(input.tf_cli_vars.name) +}
11-21: Consider organizing reference links by category.The reference links are valuable but could be better organized for clarity.
Consider organizing the links with comments:
-# https://www.openpolicyagent.org/docs/latest/policy-language -# https://www.openpolicyagent.org/ -# https://blog.openpolicyagent.org/rego-design-principle-1-syntax-should-reflect-real-world-policies-e1a801ab8bfb -# https://github.com/open-policy-agent/library -# https://github.com/open-policy-agent/example-api-authz-go -# https://github.com/open-policy-agent/opa/issues/2104 -# https://www.fugue.co/blog/5-tips-for-using-the-rego-language-for-open-policy-agent-opa -# https://medium.com/@agarwalshubhi17/rego-cheat-sheet-5e25faa6eee8 -# https://code.tutsplus.com/tutorials/regular-expressions-with-go-part-1--cms-30403 -# https://www.styra.com/blog/how-to-write-your-first-rules-in-rego-the-policy-language-for-opa -# https://www.openpolicyagent.org/docs/v0.12.2/how-does-opa-work +# Official Documentation +# https://www.openpolicyagent.org/ +# https://www.openpolicyagent.org/docs/latest/policy-language +# https://www.openpolicyagent.org/docs/v0.12.2/how-does-opa-work + +# Examples and Libraries +# https://github.com/open-policy-agent/library +# https://github.com/open-policy-agent/example-api-authz-go + +# Best Practices and Tips +# https://blog.openpolicyagent.org/rego-design-principle-1-syntax-should-reflect-real-world-policies-e1a801ab8bfb +# https://www.fugue.co/blog/5-tips-for-using-the-rego-language-for-open-policy-agent-opa +# https://www.styra.com/blog/how-to-write-your-first-rules-in-rego-the-policy-language-for-opa + +# Tutorials and Cheat Sheets +# https://medium.com/@agarwalshubhi17/rego-cheat-sheet-5e25faa6eee8 +# https://code.tutsplus.com/tutorials/regular-expressions-with-go-part-1--cms-30403 + +# Known Issues +# https://github.com/open-policy-agent/opa/issues/2104website/docs/core-concepts/validate/terraform-variables.mdx (2)
24-54: Consider adding more complex examples.While the examples are clear, consider adding more complex scenarios.
Add examples for:
- Multiple variables with JSON values
- Variables with special characters
- Common error scenarios to avoid
Example addition:
atmos terraform apply <component> -s <stack> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' + +# Example with multiple JSON values and special characters +atmos terraform apply <component> -s <stack> -- \ + -var 'config={"api_key":"abc-123"}' \ + -var 'tags={"Environment":"prod"}' \ + -var 'name=my-special-app' + +# Common pitfalls to avoid +# DON'T: Missing quotes around JSON +# atmos terraform apply <component> -s <stack> -- -var tags={"key":"value"} + +# DO: Properly quote JSON +# atmos terraform apply <component> -s <stack> -- -var 'tags={"key":"value"}'🧰 Tools
🪛 LanguageTool
[typographical] ~30-~30: Consider using a typographic close quote here.
Context: ...tack> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` ...(EN_QUOTES)
[typographical] ~30-~30: Consider using a typographic close quote here.
Context: ...ck> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :...(EN_QUOTES)
[typographical] ~30-~30: Consider using a typographic close quote here.
Context: ...-- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::ti...(EN_QUOTES)
[typographical] ~30-~30: Consider using typographic quotation marks here.
Context: ...-var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Use dou...(EN_QUOTES)
[typographical] ~30-~30: Consider using a typographic close quote here.
Context: ...e=api -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Use doubl...(EN_QUOTES)
[typographical] ~30-~30: Consider using a typographic close quote here.
Context: ...i -var 'tags={"Team":"api", "Group":"web"}' ``` :::tip Use double-da...(EN_QUOTES)
80-194: Add troubleshooting section for common issues.The configuration and examples are clear, but adding troubleshooting guidance would be helpful.
Consider adding a troubleshooting section:
### Troubleshooting Common issues and solutions: 1. Policy not being applied ```console # Check if the policy file exists ls stacks/schemas/opa/my-component/validate-my-component.rego # Verify policy syntax opa check stacks/schemas/opa/my-component/validate-my-component.rego
Unexpected validation failures
- Ensure variable names match exactly (they are case-sensitive)
- Check for whitespace in variable values
- Verify JSON formatting in complex values
Debug using trace logs
ATMOS_LOGS_LEVEL=Trace atmos terraform plan ...<details> <summary>🧰 Tools</summary> <details> <summary>🪛 LanguageTool</summary> [typographical] ~133-~133: Consider using a typographic opening quote here. Context: ...os considers the policy failed. errors["for the 'my-component' component, the va... (EN_QUOTES) --- [typographical] ~133-~133: Consider using a typographic close quote here. Context: ...n the command line using the '-var' flag"] { not input.tf_cli_vars.name } ```... (EN_QUOTES) --- [typographical] ~169-~169: Consider using a typographic opening quote here. Context: ...nt.rego"> ```rego package atmos errors["for the 'my-component' component, the va... (EN_QUOTES) --- [typographical] ~169-~169: Consider using a typographic close quote here. Context: ...n the command line using the '-var' flag"] { input.tf_cli_vars.name } ``` </F... (EN_QUOTES) </details> </details> </blockquote></details> </blockquote></details> <details> <summary>📜 Review details</summary> **Configuration used: .coderabbit.yaml** **Review profile: CHILL** **Plan: Pro** <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 15807b6c1dfe7dbc44d9e4e45eab3564361724f8 and 7c3372af41946d00353d0d1b0c04250701e7eb66. </details> <details> <summary>📒 Files selected for processing (5)</summary> * `internal/exec/terraform.go` (2 hunks) * `internal/exec/utils.go` (2 hunks) * `pkg/config/const.go` (1 hunks) * `tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego` (1 hunks) * `website/docs/core-concepts/validate/terraform-variables.mdx` (1 hunks) </details> <details> <summary>🚧 Files skipped from review as they are similar to previous changes (1)</summary> * pkg/config/const.go </details> <details> <summary>🧰 Additional context used</summary> <details> <summary>🪛 Regal (0.29.2)</summary> <details> <summary>tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego</summary> [error] 2-2: Directory structure should mirror package (idiomatic) --- [error] 2-2: Use `import rego.v1` (imports) </details> </details> <details> <summary>🪛 LanguageTool</summary> <details> <summary>website/docs/core-concepts/validate/terraform-variables.mdx</summary> [typographical] ~30-~30: Consider using a typographic close quote here. Context: ...tack> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` </Terminal> ... (EN_QUOTES) --- [typographical] ~30-~30: Consider using a typographic close quote here. Context: ...ck> -- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` </Terminal> :... (EN_QUOTES) --- [typographical] ~30-~30: Consider using a typographic close quote here. Context: ...-- -var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` </Terminal> :::ti... (EN_QUOTES) --- [typographical] ~30-~30: Consider using typographic quotation marks here. Context: ...-var name=api -var 'tags={"Team":"api", "Group":"web"}' ``` </Terminal> :::tip Use dou... (EN_QUOTES) --- [typographical] ~30-~30: Consider using a typographic close quote here. Context: ...e=api -var 'tags={"Team":"api", "Group":"web"}' ``` </Terminal> :::tip Use doubl... (EN_QUOTES) --- [typographical] ~30-~30: Consider using a typographic close quote here. Context: ...i -var 'tags={"Team":"api", "Group":"web"}' ``` </Terminal> :::tip Use double-da... (EN_QUOTES) --- [typographical] ~133-~133: Consider using a typographic opening quote here. Context: ...os considers the policy failed. errors["for the 'my-component' component, the va... (EN_QUOTES) --- [typographical] ~133-~133: Consider using a typographic close quote here. Context: ...n the command line using the '-var' flag"] { not input.tf_cli_vars.name } ```... (EN_QUOTES) --- [typographical] ~169-~169: Consider using a typographic opening quote here. Context: ...nt.rego"> ```rego package atmos errors["for the 'my-component' component, the va... (EN_QUOTES) --- [typographical] ~169-~169: Consider using a typographic close quote here. Context: ...n the command line using the '-var' flag"] { input.tf_cli_vars.name } ``` </F... (EN_QUOTES) </details> </details> </details> <details> <summary>⏰ Context from checks skipped due to timeout of 90000ms (2)</summary> * GitHub Check: Acceptance Tests (windows-latest, windows) * GitHub Check: Summary </details> <details> <summary>🔇 Additional comments (5)</summary><blockquote> <details> <summary>internal/exec/terraform.go (2)</summary> `221-239`: **LGTM! Clear documentation of variable precedence.** The documentation block and debug logging implementation effectively communicate the variable precedence order, with proper references to Terraform's documentation. --- `248-256`: **LGTM! Improved code formatting.** The reformatting of the ValidateComponent function call improves readability without changing functionality. </details> <details> <summary>tests/fixtures/scenarios/complete/stacks/schemas/opa/test/template-functions-test/validate-template-functions-test-component.rego (1)</summary> `1-6`: **LGTM! Clear documentation of OPA policy requirements.** The comments effectively explain the package requirement and how Atmos processes policy failures. <details> <summary>🧰 Tools</summary> <details> <summary>🪛 Regal (0.29.2)</summary> [error] 2-2: Directory structure should mirror package (idiomatic) --- [error] 2-2: Use `import rego.v1` (imports) </details> </details> </details> <details> <summary>website/docs/core-concepts/validate/terraform-variables.mdx (2)</summary> `1-23`: **LGTM! Clear and well-structured documentation header.** The metadata, imports, and introduction effectively set up the documentation. --- `55-79`: **LGTM! Comprehensive logging example.** The trace logging example effectively demonstrates the output format and variable structure. </details> </blockquote></details> </details> <!-- This is an auto-generated comment by CodeRabbit for review status -->
|
These changes were released in v1.156.0. |
what
why
Use Open Policy Agent (OPA) policies to validate Terraform input variables.
Introduction
When executing
atmos terraform <sub-command>commands, you can provide Terraform input variables on the command line using the-varflag. These variables will override the variables configured in Atmos stack manifests.For example:
NOTE: Terraform processes variables in the following order of precedence (from highest to lowest):
Explicit
-varflags: these variables have the highest priority and will override any other variable values, including those specified in--var-file.Variables in
--var-file: values in a variable file override default values set in the Terraform configuration.Atmos generates varfiles from stack configurations and provides it to Terraform using the
--var-fileflag.Environment variables: variables set as environment variables using the
TF_VAR_prefix.Default values in the Terraform configuration files: these have the lowest priority.
When log level
Traceis used, Atmos prints the Terraform variables specified on the command line in the "CLI variables" output.For example:
Atmos exposes the Terraform variables passed on the command line in the
tf_cli_varssection, which can be used in OPA policies for validation.Terraform Variables Validation using OPA Policies
In
atmos.yaml, configure theschemas.opasection:In the component manifest, add the
settings.validationsection to point to the OPA policy file:Require a Terraform variable to be specified on the command line
If you need to enforce that a Terraform variable must be specified on the command line (and not in Atmos stack manifests),
add the following OPA policy in the file
stacks/schemas/opa/my-component/validate-my-component.regoWhen executing the following command (and not passing the
namevariable on the command line), Atmos will validate the component using the OPA policy, which will fail and prevent the component from being provisioned:On the other hand, when passing the
namevariable on the command line using the-var name=apiflag, the command will succeed:Restrict a Terraform variable from being provided on the command line
If you need to prevent a Terraform variable from being passed (and overridden) on the command line, add the following OPA policy in the file
stacks/schemas/opa/my-component/validate-my-component.regoWhen executing the following command, Atmos will validate the component using the OPA policy, which will fail and prevent the component from being provisioned:
This command will pass the validation and succeed:
references
Summary by CodeRabbit
Summary by CodeRabbit
New Features
Documentation
Dependency Updates
Chores