First steps
As I mentioned in my previous blog post, my first OPA policy was just to catch one simple parameter: whether the S3 Terraform module has force_destroy = true set.
Here’s a simple OPA policy that will catch this dangerous configuration:
```rego
package terraform.plan

deny[msg] {
    # Find all resources in the plan
    resource := input.resource_changes[_]
    # Check if it's an S3 bucket
    resource.type == "aws_s3_bucket"
    # Look for force_destroy in the configuration
    resource.change.after.force_destroy == true
    msg := sprintf("S3 bucket '%s' has force_destroy set to true. This is dangerous as it allows bucket deletion even when not empty.", [resource.address])
}
```
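To see what the policy is actually matching on, it helps to look at the shape of the plan JSON it consumes. The following is an added example, not code from the original post: it builds a constructed `terraform show -json` style plan fragment (resource addresses and bucket names are made up) with one bucket that has `force_destroy = true`, one that does not, one being destroyed (where `change.after` is `null`), and a non-S3 resource, then applies the same check in Python. It also writes the fixture to disk so the real Rego policy above can be evaluated against it with `opa eval`.

```python
"""Constructed Terraform plan fixture plus a Python mirror of the Rego deny rule.

Added example, not the original post's code. The fixture imitates the shape of
`terraform show -json tfplan` output (resource_changes[].type, .address,
.change.actions, .change.after); all addresses and bucket names are constructed.
"""
import json

# Constructed plan fragment covering the cases the Rego rule has to handle.
SAMPLE_PLAN = {
    "format_version": "1.2",
    "resource_changes": [
        {   # should be denied: S3 bucket with force_destroy = true
            "address": "module.logs.aws_s3_bucket.this",
            "type": "aws_s3_bucket",
            "change": {"actions": ["create"],
                       "after": {"bucket": "logs-example", "force_destroy": True}},
        },
        {   # fine: force_destroy explicitly false
            "address": "aws_s3_bucket.assets",
            "type": "aws_s3_bucket",
            "change": {"actions": ["update"],
                       "after": {"bucket": "assets-example", "force_destroy": False}},
        },
        {   # being destroyed: Terraform emits "after": null, so there is nothing to check
            "address": "aws_s3_bucket.old",
            "type": "aws_s3_bucket",
            "change": {"actions": ["delete"], "after": None},
        },
        {   # not an S3 bucket: the type filter must skip it even though the key is present
            "address": "aws_instance.web",
            "type": "aws_instance",
            "change": {"actions": ["create"], "after": {"force_destroy": True}},
        },
    ],
}


def deny_force_destroy(plan: dict) -> list[str]:
    """Mirror of the Rego `deny` rule: one message per aws_s3_bucket whose planned
    configuration has force_destroy == true.

    In Rego a missing `after` (deletes) or a missing attribute simply leaves the rule
    body unsatisfied; here the None/empty guard gives the same effect.
    """
    msgs = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "aws_s3_bucket":
            continue
        after = rc.get("change", {}).get("after")
        if not after:  # None for destroyed resources, {} when values are unknown until apply
            continue
        if after.get("force_destroy") is True:
            msgs.append(
                f"S3 bucket '{rc['address']}' has force_destroy set to true. "
                "This is dangerous as it allows bucket deletion even when not empty."
            )
    return msgs


def write_fixture(path: str = "plan.json") -> str:
    """Write the constructed plan so the real Rego policy can be run against it:
        opa eval -i plan.json -d policy.rego "data.terraform.plan.deny"
    """
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(SAMPLE_PLAN, fh, indent=2)
    return path


if __name__ == "__main__":
    for m in deny_force_destroy(SAMPLE_PLAN):
        print(m)
```

Only the first bucket produces a message. The destroyed bucket is worth noting: because `after` is `null` on a delete, the Rego expression `resource.change.after.force_destroy` is undefined rather than an error, so the rule silently does not fire for it, which is the behaviour you want.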
This policy works by: