


tfrun example data

 {
     "tfplan": "<terraform plan content>",
     "tfrun": {
     "workspace": {
       "name": "input_plans",
       "description": null,
       "auto_apply": false,
       "working_directory": "",
       "tags": {}
     },
     "vcs": {
       "repository_id": "Scalr/examples",
       "path": "aws",
       "branch": "master",
       "commit": {
         "sha": "8a4a401f1696cfa0584rg5hrth30ce93004142f",
         "message": "Update main.tf",
         "author": {
           "email": "noreply@github.com",
           "name": "GitHub",
           "username": "null"
         }
       }
     },
     "cost_estimate": {
       "prior_monthly_cost": 0,
       "proposed_monthly_cost": 5.03,
       "delta_monthly_cost": 5.03
     },
     "credentials": {
       "azure": "cred-sssaltmagskedbo",
       "ec2": "cred-sssaltmf02ci9g8",
       "gce": "cred-sssaltma7op3vjg"
     },
     "source": "ui",
     "message": "Update README.md",
     "is_destroy": false,
     "is_dry": false,
     "created_by": {
       "name": "Mr. Test",
       "email": "test@scalr.com",
       "username": "test@scalr.com"
     }
   }
 }

When VCS is not used, the "vcs" block is "vcs": null.

  • source: source type of a run. Can have one of the following values:

    • api: The run was kicked off via the Terraform API

    • cli: The run was kicked off via the Terraform CLI

    • configuration-version: The run was kicked off by uploading a new configuration version via the API

    • template registry: The run was kicked off by requesting a Terraform configuration from the template registry

    • ui: The run was kicked off manually through the UI

    • vcs: The run was kicked off by a merge/commit/pull request webhook from the VCS repository linked to the workspace.

Example policy using tfrun

 # Check valid users for runs
 package terraform

 import input.tfplan as tfplan
 import input.tfrun as tfrun


 # Allowlist of usernames permitted to start runs from the Terraform CLI.
 # Entries are compared verbatim against tfrun.created_by.username, so they
 # must use the same form that field carries (the example data above shows an
 # email-style username).
 allowed_cli_users = [
     "d.johnson",
     "j.smith"
 ]


 # Holds when `elem` equals at least one element of array `arr`.
 # Undefined when nothing matches, which is what makes
 # `not array_contains(...)` succeed in the deny rules below.
 array_contains(arr, elem) {
   some i
   elem == arr[i]
 }

 # Last "/"-separated segment of `path`. A path without "/" is returned
 # unchanged; a trailing "/" yields "" (constructed example: "x/y/z" -> "z").
 get_basename(path) = name {
     segments := split(path, "/")
     name := segments[count(segments) - 1]
 }

 # Deny CLI-sourced runs whose initiating user is not on the allowlist.
 # The username reference is kept inline inside the `not` expression on
 # purpose: if tfrun.created_by.username is absent the call is undefined and
 # `not` turns that into a denial, so the run fails closed instead of being
 # silently allowed.
 deny["User is not allowed to perform runs from Terraform CLI"] {
     tfrun.source == "cli"
     not array_contains(allowed_cli_users, tfrun.created_by.username)
 }

 # Deny VCS-triggered runs that change any resource of a provider whose
 # basename is "aws" unless the commit author's email ends with the
 # operations-team suffix. The basename match is coarse: any provider
 # address ending in "/aws" qualifies; compare the full provider_name if the
 # check must be pinned to one registry namespace. The author email is
 # whatever the commit metadata carries (the example data above shows
 # "noreply@github.com"); whether the VCS provider verified it is not visible
 # here, so treat it as a policy hint rather than proof of identity. A missing
 # email leaves endswith undefined, which `not` turns into a denial.
 deny["Only commits from authorized authors are allowed to trigger AWS infrastructure update"] {
     tfrun.source == "vcs"
     some i
     change := tfplan.resource_changes[i]
     get_basename(change.provider_name) == "aws"
     not endswith(tfrun.vcs.commit.author.email, "-aws-ops@foo.bar")
 }