├── .github └── workflows │ ├── ci.yml │ ├── golangci-lint.yml │ └── release.yml ├── .gitignore ├── .goreleaser.yml ├── LICENSE ├── Makefile ├── README.md ├── cmd └── pulumi-analyzer-policy-opa │ ├── analyzer.go │ ├── eval.go │ ├── main.go │ ├── policy.go │ └── serve.go ├── examples ├── app │ ├── .gitignore │ ├── Pulumi.yaml │ ├── README.md │ ├── index.ts │ ├── package.json │ └── tsconfig.json └── policy-kubernetes │ ├── PulumiPolicy.yaml │ └── kubernetes.rego ├── go.mod ├── go.sum ├── scripts └── get-version └── tests ├── GETTING_STARTED.md ├── README.md ├── SUMMARY.md ├── TEST_INDEX.md ├── aws ├── PulumiPolicy.yaml ├── fixtures │ ├── ec2_invalid_instance_type.json │ ├── ec2_valid.json │ ├── rds_invalid_public.json │ ├── rds_valid.json │ ├── s3_invalid_no_encryption.json │ ├── s3_invalid_public.json │ ├── s3_valid.json │ ├── sg_invalid_ssh.json │ └── sg_valid.json └── policies │ ├── ec2_security.rego │ ├── iam_security.rego │ ├── rds_security.rego │ └── s3_security.rego ├── azure ├── PulumiPolicy.yaml ├── fixtures │ ├── nsg_invalid_ssh.json │ ├── nsg_valid.json │ ├── storage_invalid_tls.json │ ├── storage_valid.json │ └── vm_valid.json └── policies │ ├── compute_security.rego │ ├── network_security.rego │ ├── sql_security.rego │ └── storage_security.rego ├── integration ├── README.md ├── aws │ ├── s3-insecure │ │ ├── Pulumi.yaml │ │ ├── index.ts │ │ └── package.json │ └── s3-secure │ │ ├── Pulumi.yaml │ │ ├── index.ts │ │ └── package.json ├── kubernetes │ ├── insecure-deployment │ │ ├── Pulumi.yaml │ │ ├── index.ts │ │ └── package.json │ └── secure-deployment │ │ ├── Pulumi.yaml │ │ ├── index.ts │ │ └── package.json └── run_integration_tests.sh ├── kubernetes ├── PulumiPolicy.yaml ├── fixtures │ ├── deployment_invalid_no_resources.json │ ├── deployment_invalid_privileged.json │ ├── deployment_valid.json │ ├── ingress_invalid_no_tls.json │ ├── ingress_valid.json │ └── service_valid.json └── policies │ ├── image_security.rego │ ├── labels_annotations.rego │ ├── pod_security.rego │ ├── resource_requirements.rego │ └── service_security.rego ├── run_tests.sh └── test_runner_test.go /.github/workflows/ci.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/.github/workflows/ci.yml -------------------------------------------------------------------------------- /.github/workflows/golangci-lint.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/.github/workflows/golangci-lint.yml -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/.github/workflows/release.yml -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | vendor/ 2 | dist/ 3 | pulumi-analyzer-policy-opa 4 | -------------------------------------------------------------------------------- /.goreleaser.yml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/.goreleaser.yml -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/LICENSE -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/Makefile -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/README.md -------------------------------------------------------------------------------- /cmd/pulumi-analyzer-policy-opa/analyzer.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/cmd/pulumi-analyzer-policy-opa/analyzer.go -------------------------------------------------------------------------------- /cmd/pulumi-analyzer-policy-opa/eval.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/cmd/pulumi-analyzer-policy-opa/eval.go -------------------------------------------------------------------------------- /cmd/pulumi-analyzer-policy-opa/main.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/cmd/pulumi-analyzer-policy-opa/main.go -------------------------------------------------------------------------------- /cmd/pulumi-analyzer-policy-opa/policy.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/cmd/pulumi-analyzer-policy-opa/policy.go -------------------------------------------------------------------------------- /cmd/pulumi-analyzer-policy-opa/serve.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/cmd/pulumi-analyzer-policy-opa/serve.go -------------------------------------------------------------------------------- /examples/app/.gitignore: -------------------------------------------------------------------------------- 1 | /bin/ 2 | /node_modules/ 3 | yarn.lock 4 | -------------------------------------------------------------------------------- /examples/app/Pulumi.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/app/Pulumi.yaml -------------------------------------------------------------------------------- /examples/app/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/app/README.md -------------------------------------------------------------------------------- /examples/app/index.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/app/index.ts -------------------------------------------------------------------------------- /examples/app/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/app/package.json -------------------------------------------------------------------------------- /examples/app/tsconfig.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/app/tsconfig.json -------------------------------------------------------------------------------- /examples/policy-kubernetes/PulumiPolicy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/policy-kubernetes/PulumiPolicy.yaml -------------------------------------------------------------------------------- /examples/policy-kubernetes/kubernetes.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/examples/policy-kubernetes/kubernetes.rego -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/go.mod -------------------------------------------------------------------------------- /go.sum: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/go.sum -------------------------------------------------------------------------------- /scripts/get-version: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/scripts/get-version -------------------------------------------------------------------------------- /tests/GETTING_STARTED.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/GETTING_STARTED.md -------------------------------------------------------------------------------- /tests/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/README.md -------------------------------------------------------------------------------- /tests/SUMMARY.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/SUMMARY.md -------------------------------------------------------------------------------- /tests/TEST_INDEX.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/TEST_INDEX.md -------------------------------------------------------------------------------- /tests/aws/PulumiPolicy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/PulumiPolicy.yaml -------------------------------------------------------------------------------- /tests/aws/fixtures/ec2_invalid_instance_type.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/ec2_invalid_instance_type.json -------------------------------------------------------------------------------- /tests/aws/fixtures/ec2_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/ec2_valid.json -------------------------------------------------------------------------------- /tests/aws/fixtures/rds_invalid_public.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/rds_invalid_public.json -------------------------------------------------------------------------------- /tests/aws/fixtures/rds_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/rds_valid.json -------------------------------------------------------------------------------- /tests/aws/fixtures/s3_invalid_no_encryption.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/s3_invalid_no_encryption.json -------------------------------------------------------------------------------- /tests/aws/fixtures/s3_invalid_public.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/s3_invalid_public.json -------------------------------------------------------------------------------- /tests/aws/fixtures/s3_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/s3_valid.json -------------------------------------------------------------------------------- /tests/aws/fixtures/sg_invalid_ssh.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/sg_invalid_ssh.json -------------------------------------------------------------------------------- /tests/aws/fixtures/sg_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/fixtures/sg_valid.json -------------------------------------------------------------------------------- /tests/aws/policies/ec2_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/policies/ec2_security.rego -------------------------------------------------------------------------------- /tests/aws/policies/iam_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/policies/iam_security.rego -------------------------------------------------------------------------------- /tests/aws/policies/rds_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/policies/rds_security.rego -------------------------------------------------------------------------------- /tests/aws/policies/s3_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/aws/policies/s3_security.rego -------------------------------------------------------------------------------- /tests/azure/PulumiPolicy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/PulumiPolicy.yaml -------------------------------------------------------------------------------- /tests/azure/fixtures/nsg_invalid_ssh.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/fixtures/nsg_invalid_ssh.json -------------------------------------------------------------------------------- /tests/azure/fixtures/nsg_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/fixtures/nsg_valid.json -------------------------------------------------------------------------------- /tests/azure/fixtures/storage_invalid_tls.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/fixtures/storage_invalid_tls.json -------------------------------------------------------------------------------- /tests/azure/fixtures/storage_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/fixtures/storage_valid.json -------------------------------------------------------------------------------- /tests/azure/fixtures/vm_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/fixtures/vm_valid.json -------------------------------------------------------------------------------- /tests/azure/policies/compute_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/policies/compute_security.rego -------------------------------------------------------------------------------- /tests/azure/policies/network_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/policies/network_security.rego -------------------------------------------------------------------------------- /tests/azure/policies/sql_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/policies/sql_security.rego -------------------------------------------------------------------------------- /tests/azure/policies/storage_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/azure/policies/storage_security.rego -------------------------------------------------------------------------------- /tests/integration/README.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/README.md -------------------------------------------------------------------------------- /tests/integration/aws/s3-insecure/Pulumi.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/aws/s3-insecure/Pulumi.yaml -------------------------------------------------------------------------------- /tests/integration/aws/s3-insecure/index.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/aws/s3-insecure/index.ts -------------------------------------------------------------------------------- /tests/integration/aws/s3-insecure/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/aws/s3-insecure/package.json -------------------------------------------------------------------------------- /tests/integration/aws/s3-secure/Pulumi.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/aws/s3-secure/Pulumi.yaml -------------------------------------------------------------------------------- /tests/integration/aws/s3-secure/index.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/aws/s3-secure/index.ts -------------------------------------------------------------------------------- /tests/integration/aws/s3-secure/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/aws/s3-secure/package.json -------------------------------------------------------------------------------- /tests/integration/kubernetes/insecure-deployment/Pulumi.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/kubernetes/insecure-deployment/Pulumi.yaml -------------------------------------------------------------------------------- /tests/integration/kubernetes/insecure-deployment/index.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/kubernetes/insecure-deployment/index.ts -------------------------------------------------------------------------------- /tests/integration/kubernetes/insecure-deployment/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/kubernetes/insecure-deployment/package.json -------------------------------------------------------------------------------- /tests/integration/kubernetes/secure-deployment/Pulumi.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/kubernetes/secure-deployment/Pulumi.yaml -------------------------------------------------------------------------------- /tests/integration/kubernetes/secure-deployment/index.ts: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/kubernetes/secure-deployment/index.ts -------------------------------------------------------------------------------- /tests/integration/kubernetes/secure-deployment/package.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/kubernetes/secure-deployment/package.json -------------------------------------------------------------------------------- /tests/integration/run_integration_tests.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/integration/run_integration_tests.sh -------------------------------------------------------------------------------- /tests/kubernetes/PulumiPolicy.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/PulumiPolicy.yaml -------------------------------------------------------------------------------- /tests/kubernetes/fixtures/deployment_invalid_no_resources.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/fixtures/deployment_invalid_no_resources.json -------------------------------------------------------------------------------- /tests/kubernetes/fixtures/deployment_invalid_privileged.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/fixtures/deployment_invalid_privileged.json -------------------------------------------------------------------------------- /tests/kubernetes/fixtures/deployment_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/fixtures/deployment_valid.json -------------------------------------------------------------------------------- /tests/kubernetes/fixtures/ingress_invalid_no_tls.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/fixtures/ingress_invalid_no_tls.json -------------------------------------------------------------------------------- /tests/kubernetes/fixtures/ingress_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/fixtures/ingress_valid.json -------------------------------------------------------------------------------- /tests/kubernetes/fixtures/service_valid.json: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/fixtures/service_valid.json -------------------------------------------------------------------------------- /tests/kubernetes/policies/image_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/policies/image_security.rego -------------------------------------------------------------------------------- /tests/kubernetes/policies/labels_annotations.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/policies/labels_annotations.rego -------------------------------------------------------------------------------- /tests/kubernetes/policies/pod_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/policies/pod_security.rego -------------------------------------------------------------------------------- /tests/kubernetes/policies/resource_requirements.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/policies/resource_requirements.rego -------------------------------------------------------------------------------- /tests/kubernetes/policies/service_security.rego: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/kubernetes/policies/service_security.rego -------------------------------------------------------------------------------- /tests/run_tests.sh: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/run_tests.sh -------------------------------------------------------------------------------- /tests/test_runner_test.go: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/pulumi/pulumi-policy-opa/HEAD/tests/test_runner_test.go --------------------------------------------------------------------------------