open-policy-agent
diff --git a/‎README.md
+23-2 b/‎README.md
+23-2
diff --git a/‎terraform/example.rego
+51 b/‎terraform/example.rego
+51
diff --git a/‎terraform/input.rego
+220 b/‎terraform/input.rego
+220
@@ -1,2 +1,23 @@
-# library
-A policy library for the Open Policy Agent
+# Library
+This repository is a community-owned policy library for the Open Policy Agent.
+The goal is to provide a place where the community can find and share logic for
+analyzing common JSON documents like Terraform plans and Kubernetes API objects.
+
+The basic premise is to provide a library of Rego helper functions that
+other people can reuse and modify when writing their own policies
+along with example policies built using those functions, and
+tests that the example policies and helper functions operate as they should.
+OPA will be outfitted to pull in libraries and push/contribute helper functions
+to the library.
+
+The basic format of each library is:
+
+* Any number of .rego files within a directory constitute a library.
+* Files beginning with `example` are example policies demonstrating how to use the library.
+* Files beginning with `test` are tests either of the library or of the examples.
+* Files beginning with `input` are sample inputs used for tests or just as examples.
+
+
+
+
+
@@ -0,0 +1,51 @@
+package terraform.example
+
+import data.terraform.library
+
+import input as tfplan
+
+
+########################
+# Parameters for Policy
+########################
+
+# acceptable score for automated authorization
+blast_radius = 30
+
+# weights assigned for each operation on each resource-type
+weights = {
+    "aws_autoscaling_group": {"delete": 100, "create": 10, "modify": 1},
+    "aws_instance": {"delete": 10, "create": 1, "modify": 1}
+}
+
+#########
+# Policy
+#########
+
+# Authorization holds if score for the plan is acceptable and no changes are made to IAM
+default authz = false
+authz {
+    score < blast_radius
+    not touches_iam
+}
+
+# Compute the score for a Terraform plan as the weighted sum of deletions, creations, modifications
+score = s {
+    all = [ x | 
+            weights[resource_type] = crud
+            del = crud["delete"] * library.num_deletes_of_type[resource_type]
+            new = crud["create"] * library.num_creates_of_type[resource_type]
+            mod = crud["modify"] * library.num_modifies_of_type[resource_type]
+            x1 = del + new
+            x = x1 + mod
+    ]
+    sum(all, s)
+}
+
+# Whether there is any change to IAM
+touches_iam {
+    all = library.instance_names_of_type["aws_iam"]
+    count(all, c)
+    c > 0
+}
+
@@ -0,0 +1,220 @@
+package terraform.inputs
+
+
+# Garden of eden.  Create a few resources
+lineage0 = {
+    "aws_autoscaling_group.lamb": {
+        "arn": "",
+        "availability_zones.#": "1",
+        "availability_zones.3205754986": "us-west-1a",
+        "default_cooldown": "",
+        "desired_capacity": "4",
+        "destroy": false,
+        "destroy_tainted": false,
+        "force_delete": "true",
+        "health_check_grace_period": "300",
+        "health_check_type": "ELB",
+        "id": "",
+        "launch_configuration": "kitten",
+        "load_balancers.#": "",
+        "max_size": "5",
+        "metrics_granularity": "1Minute",
+        "min_size": "1",
+        "name": "lamb",
+        "protect_from_scale_in": "false",
+        "vpc_zone_identifier.#": "",
+        "wait_for_capacity_timeout": "10m"
+    },
+    "aws_instance.puppy": {
+        "ami": "ami-09b4b74c",
+        "associate_public_ip_address": "",
+        "availability_zone": "",
+        "destroy": false,
+        "destroy_tainted": false,
+        "ebs_block_device.#": "",
+        "ephemeral_block_device.#": "",
+        "id": "",
+        "instance_state": "",
+        "instance_type": "t2.micro",
+        "ipv6_addresses.#": "",
+        "key_name": "",
+        "network_interface_id": "",
+        "placement_group": "",
+        "private_dns": "",
+        "private_ip": "",
+        "public_dns": "",
+        "public_ip": "",
+        "root_block_device.#": "",
+        "security_groups.#": "",
+        "source_dest_check": "true",
+        "subnet_id": "",
+        "tenancy": "",
+        "vpc_security_group_ids.#": ""
+    },
+    "aws_launch_configuration.kitten": {
+        "associate_public_ip_address": "false",
+        "destroy": false,
+        "destroy_tainted": false,
+        "ebs_block_device.#": "",
+        "ebs_optimized": "",
+        "enable_monitoring": "true",
+        "id": "",
+        "image_id": "ami-09b4b74c",
+        "instance_type": "t2.micro",
+        "key_name": "",
+        "name": "kitten",
+        "root_block_device.#": ""
+    },
+    "destroy": false
+}
+
+# Create, modify, and delelete resources
+lineage1 = {
+    "aws_autoscaling_group.lamb": {
+        "destroy": false,
+        "destroy_tainted": false,
+        "max_size": "4"
+    },
+    "aws_instance.pony": {
+        "ami": "ami-09b4b74c",
+        "associate_public_ip_address": "",
+        "availability_zone": "",
+        "destroy": false,
+        "destroy_tainted": false,
+        "ebs_block_device.#": "",
+        "ephemeral_block_device.#": "",
+        "id": "",
+        "instance_state": "",
+        "instance_type": "t2.micro",
+        "ipv6_addresses.#": "",
+        "key_name": "",
+        "network_interface_id": "",
+        "placement_group": "",
+        "private_dns": "",
+        "private_ip": "",
+        "public_dns": "",
+        "public_ip": "",
+        "root_block_device.#": "",
+        "security_groups.#": "",
+        "source_dest_check": "true",
+        "subnet_id": "",
+        "tenancy": "",
+        "vpc_security_group_ids.#": ""
+    },
+    "aws_instance.puppy": {
+        "destroy": true,
+        "destroy_tainted": false
+    },
+    "destroy": false
+}
+
+# Create several resources
+large_create = {
+    "aws_autoscaling_group.my_asg": {
+        "arn": "",
+        "availability_zones.#": "1",
+        "availability_zones.3205754986": "us-west-1a",
+        "default_cooldown": "",
+        "desired_capacity": "4",
+        "destroy": false,
+        "destroy_tainted": false,
+        "force_delete": "true",
+        "health_check_grace_period": "300",
+        "health_check_type": "ELB",
+        "id": "",
+        "launch_configuration": "my_web_config",
+        "load_balancers.#": "",
+        "max_size": "5",
+        "metrics_granularity": "1Minute",
+        "min_size": "1",
+        "name": "my_asg",
+        "protect_from_scale_in": "false",
+        "vpc_zone_identifier.#": "",
+        "wait_for_capacity_timeout": "10m"
+    },
+    "aws_autoscaling_group.my_asg2": {
+        "arn": "",
+        "availability_zones.#": "1",
+        "availability_zones.2487133097": "us-west-2a",
+        "default_cooldown": "",
+        "desired_capacity": "4",
+        "destroy": false,
+        "destroy_tainted": false,
+        "force_delete": "true",
+        "health_check_grace_period": "300",
+        "health_check_type": "ELB",
+        "id": "",
+        "launch_configuration": "my_web_config",
+        "load_balancers.#": "",
+        "max_size": "6",
+        "metrics_granularity": "1Minute",
+        "min_size": "1",
+        "name": "my_asg2",
+        "protect_from_scale_in": "false",
+        "vpc_zone_identifier.#": "",
+        "wait_for_capacity_timeout": "10m"
+    },
+    "aws_autoscaling_group.my_asg3": {
+        "arn": "",
+        "availability_zones.#": "1",
+        "availability_zones.221770259": "us-west-2b",
+        "default_cooldown": "",
+        "desired_capacity": "4",
+        "destroy": false,
+        "destroy_tainted": false,
+        "force_delete": "true",
+        "health_check_grace_period": "300",
+        "health_check_type": "ELB",
+        "id": "",
+        "launch_configuration": "my_web_config",
+        "load_balancers.#": "",
+        "max_size": "7",
+        "metrics_granularity": "1Minute",
+        "min_size": "1",
+        "name": "my_asg3",
+        "protect_from_scale_in": "false",
+        "vpc_zone_identifier.#": "",
+        "wait_for_capacity_timeout": "10m"
+    },
+    "aws_instance.web": {
+        "ami": "ami-09b4b74c",
+        "associate_public_ip_address": "",
+        "availability_zone": "",
+        "destroy": false,
+        "destroy_tainted": false,
+        "ebs_block_device.#": "",
+        "ephemeral_block_device.#": "",
+        "id": "",
+        "instance_state": "",
+        "instance_type": "t2.micro",
+        "ipv6_addresses.#": "",
+        "key_name": "",
+        "network_interface_id": "",
+        "placement_group": "",
+        "private_dns": "",
+        "private_ip": "",
+        "public_dns": "",
+        "public_ip": "",
+        "root_block_device.#": "",
+        "security_groups.#": "",
+        "source_dest_check": "true",
+        "subnet_id": "",
+        "tenancy": "",
+        "vpc_security_group_ids.#": ""
+    },
+    "aws_launch_configuration.my_web_config": {
+        "associate_public_ip_address": "false",
+        "destroy": false,
+        "destroy_tainted": false,
+        "ebs_block_device.#": "",
+        "ebs_optimized": "",
+        "enable_monitoring": "true",
+        "id": "",
+        "image_id": "ami-09b4b74c",
+        "instance_type": "t2.micro",
+        "key_name": "",
+        "name": "my_web_config",
+        "root_block_device.#": ""
+    },
+    "destroy": false
+}