infrastructure/policies/deny_dangerous.rego
Claude AI 5155f08584
feat: Add bpg/proxmox provider for bare-metal VM management (Step 4.5)
- Enable bpg/proxmox provider (~> 0.90) in production environment
- Add data source to verify Proxmox connectivity (read nodes)
- SOPS-encrypt Proxmox API token (root@pam!tofu)
- Custom Atlantis workflow: decrypt SOPS → inject PROXMOX_VE_API_TOKEN
- Update all OPA policies for bpg resource types:
  - proxmox_vm_qemu → proxmox_virtual_environment_vm
  - proxmox_lxc → proxmox_virtual_environment_container
  - Adjust field paths (cpu[0].cores, memory[0].dedicated, etc.)
  - Firewall check: per-network-device instead of top-level
  - Password check: via after_sensitive for cloud-init
  - Tags: list of strings instead of comma-separated
2026-02-11 08:17:39 +01:00


```rego
package main

import rego.v1

# input is the OpenTofu plan JSON (`tofu show -json`); each entry of
# input.resource_changes carries the planned actions for one resource.

# Block deletion of stateful resources (VMs, containers, volumes)
deny contains msg if {
    some resource in input.resource_changes
    resource.change.actions[_] == "delete"
    stateful := {"proxmox_virtual_environment_vm", "proxmox_virtual_environment_container", "docker_volume"}
    resource.type in stateful
    msg := sprintf(
        "BLOCKED: Deleting stateful resource '%s' (%s). Requires explicit override.",
        [resource.address, resource.type],
    )
}

# Block replace (delete+create) of VMs — risks data loss
deny contains msg if {
    some resource in input.resource_changes
    actions := resource.change.actions
    "delete" in actions
    "create" in actions
    startswith(resource.type, "proxmox_virtual_environment_vm")
    msg := sprintf(
        "BLOCKED: Resource '%s' will be REPLACED (destroy + recreate). Data loss risk.",
        [resource.address],
    )
}
```
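A unit test file for the policy above, added here as an example and not part of the repository: it feeds constructed plan fragments (hypothetical resource addresses, real OpenTofu plan JSON field names) into the `deny` rules and checks that a VM replace and a volume delete are blocked while an in-place update passes.

```rego
package main

import rego.v1

# Constructed plan fragment (hypothetical address): a VM being replaced.
vm_replace_plan := {"resource_changes": [{
    "address": "proxmox_virtual_environment_vm.web",
    "type": "proxmox_virtual_environment_vm",
    "change": {"actions": ["delete", "create"]},
}]}

# Constructed plan fragment: a Docker volume being destroyed outright.
volume_delete_plan := {"resource_changes": [{
    "address": "docker_volume.pgdata",
    "type": "docker_volume",
    "change": {"actions": ["delete"]},
}]}

# Constructed plan fragment: an in-place update (e.g. more cores) that must stay allowed.
vm_update_plan := {"resource_changes": [{
    "address": "proxmox_virtual_environment_vm.web",
    "type": "proxmox_virtual_environment_vm",
    "change": {"actions": ["update"]},
}]}

# A replace trips both the stateful-delete rule and the replace rule.
test_vm_replace_is_denied if {
    msgs := deny with input as vm_replace_plan
    count(msgs) == 2
    some msg in msgs
    contains(msg, "REPLACED")
}

# A plain delete of a volume trips only the stateful-delete rule.
test_volume_delete_is_denied if {
    msgs := deny with input as volume_delete_plan
    count(msgs) == 1
    some msg in msgs
    contains(msg, "docker_volume")
}

# An update never produces a deny message.
test_vm_update_is_allowed if {
    count(deny) == 0 with input as vm_update_plan
}
```

Save it beside the policy as `deny_dangerous_test.rego` and run `opa test infrastructure/policies/` so the checks fail before a policy regression reaches the Atlantis workflow.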