Regula + Conftest⚓︎
Conftest is a test runner for configuration files that uses Rego for policy-as-code. Conftest supports Terraform, but policies need to be written directly against the plan file which is often inconvenient and tricky.
Regula works seamlessly with Conftest. This way you get the advantages of both projects, in particular:
- Easy CI integration and policy retrieval from Conftest
- Terraform plan parsing & the rule set from Regula
To use Regula with Conftest:
plan.jsonusing the following terraform commands:
terraform init terraform plan -refresh=false -out=plan.tfplan terraform show -json plan.tfplan >plan.json
Now, we'll pull the conftest support for Regula and the Regula library in.
conftest pull -p policy/ 'github.com/fugue/regula//rego/conftest?ref=v2.9.1' conftest pull -p policy/regula/lib 'github.com/fugue/regula//rego/lib?ref=v2.9.1'
If we want to use the rules that come with regula, we can use:
conftest pull -p policy/regula/rules 'github.com/fugue/regula//rego/rules?ref=v2.9.1'
And of course you can pull in your own Regula rules as well.
At this point, it's simply a matter of running conftest!
conftest test plan.json