# This policy uses the Sentinel tfrun import to restrict the
# proposed monthly cost that would be incurred if the current
# plan were applied, using different limits for different
# workspaces based on their names.
##### Imports #####
import "tfrun"
import "decimal"
##### Functions #####
# Validate that the proposed monthly cost is at or under the limit
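limit_cost_by_workspace_type = func(limits) {
  # Pick the limit bucket from the workspace name suffix. Names that end in
  # none of the known suffixes fall into "other", so an unrecognised
  # workspace type is still bounded rather than exempt.
  workspace_name = tfrun.workspace.name
  if workspace_name matches "-development$" {
    limit_key = "dev"
  } else if workspace_name matches "-staging$" {
    limit_key = "qa"
  } else if workspace_name matches "-production$" {
    limit_key = "prod"
  } else {
    limit_key = "other"
  }

  # Fail closed when the caller's map has no entry for this bucket: an
  # undefined limit would otherwise make the comparison below undefined
  # instead of producing an explicit, printed failure.
  limit = limits[limit_key] else null
  if limit is null {
    print("No monthly cost limit configured for bucket", limit_key,
          "of workspace", workspace_name)
    return false
  }

  # Fail closed when the run carries no cost estimate (for example, cost
  # estimation disabled for the workspace). Without this guard
  # tfrun.cost_estimate is undefined and so is the whole rule, which gives
  # no usable reason in the policy output.
  raw_cost = tfrun.cost_estimate.proposed_monthly_cost else null
  if raw_cost is null {
    print("No cost estimate available for workspace", workspace_name,
          "- cannot verify the monthly limit:", limit.string)
    return false
  }
  proposed_cost = decimal.new(raw_cost)

  # Pass only when the estimate is at or under the limit (lte, not lt).
  if proposed_cost.lte(limit) {
    print("Proposed monthly cost", proposed_cost.string,
          "of workspace", workspace_name,
          "is under the limit:", limit.string)
    return true
  } else {
    print("Proposed monthly cost", proposed_cost.string,
          "of workspace", workspace_name,
          "is over the limit:", limit.string)
    return false
  }
}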
##### Monthly Limits #####
limits = {
  # Ceiling on the proposed monthly cost for each workspace bucket. Values
  # are decimal objects so they compare directly against the estimate; the
  # currency is whatever tfrun.cost_estimate reports (not stated in this
  # policy). Note that "other" is capped at the same level as "dev".
  "prod":  decimal.new(25),
  "qa":    decimal.new(10),
  "dev":   decimal.new(5),
  "other": decimal.new(5),
}
##### Rules #####
# Evaluate the check once at policy load and expose the boolean as main.
# main is false whenever the function returns false; if the function's
# result is undefined (e.g. the run has no cost estimate) Sentinel does not
# treat the rule as passing either — confirm against the Sentinel version
# in use.
cost_validated = limit_cost_by_workspace_type(limits)

main = rule { cost_validated }