infrastructure/policies/deny_dangerous.rego

package main

import rego.v1

# Block deletion of stateful resources (VMs, containers, volumes)
deny contains msg if {
	some resource in input.resource_changes
	resource.change.actions[_] == "delete"

	stateful := {"proxmox_virtual_environment_vm", "proxmox_virtual_environment_container", "docker_volume"}
	resource.type in stateful

	msg := sprintf(
		"BLOCKED: Deleting stateful resource '%s' (%s). Requires explicit override.",
		[resource.address, resource.type],
	)
}

# Block replace (delete+create) of VMs — risks data loss
deny contains msg if {
	some resource in input.resource_changes
	actions := resource.change.actions
	"delete" in actions
	"create" in actions
	startswith(resource.type, "proxmox_virtual_environment_vm")

	msg := sprintf(
		"BLOCKED: Resource '%s' will be REPLACED (destroy + recreate). Data loss risk.",
		[resource.address],
	)
}