open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

docs: Update Terraform guide with potential limitations #2005

Open patrick-east opened 4 years ago

patrick-east commented 4 years ago

The current guide doesn't really explain what all can or cannot be done with OPA policies and Terraform plans.

There are notably a few areas that are not easily covered by policies due to the information available at the time the JSON plan is generated:

- https://www.terraform.io/docs/configuration/expressions.html#values-not-yet-known
- https://www.terraform.io/docs/configuration/expressions.html#dynamic-blocks
- https://www.terraform.io/docs/configuration/expressions.html#function-calls

It is probably worth noting in the docs update how Sentinel handles (or not) these sorts of things: https://www.terraform.io/docs/cloud/sentinel/import/tfconfig.html#references-with-terraform-0-12 to ensure users have a good idea of what limitations there are with the different solutions and enforcing policies on Terraform plans in general.
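The first limitation listed above (values not yet known), shown as an added example that is not part of the issue or the OPA docs: in Terraform's JSON plan, an attribute unknown until apply is omitted from `change.after` and marked `true` in `change.after_unknown`, so a rule that only reads `after` passes silently. The package name, the resource addresses, the choice of the `acl` attribute and the `sample_plan` data are constructed for illustration.

```rego
package terraform.unknown_values

import rego.v1

# Constructed sample, trimmed to the fields used here, in the shape of
# `terraform show -json` output. Resource names and values are made up.
# The second bucket's acl is computed, so it is absent from `after` and
# marked `true` in `after_unknown`.
sample_plan := {"resource_changes": [
	{
		"address": "aws_s3_bucket.logs",
		"type": "aws_s3_bucket",
		"change": {"after": {"acl": "private"}, "after_unknown": {"id": true}},
	},
	{
		"address": "aws_s3_bucket.computed",
		"type": "aws_s3_bucket",
		"change": {"after": {}, "after_unknown": {"acl": true, "id": true}},
	},
]}

# Rule over known values. For aws_s3_bucket.computed the reference
# rc.change.after.acl is undefined, so this rule stays silent for it.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket"
	rc.change.after.acl != "private"
	msg := sprintf("%s: acl must be private", [rc.address])
}

# Fail closed: an attribute the policy depends on is unknown until apply.
deny contains msg if {
	some rc in input.resource_changes
	rc.type == "aws_s3_bucket"
	rc.change.after_unknown.acl == true
	msg := sprintf("%s: acl is unknown at plan time", [rc.address])
}

# Test rule: only the unknown-value rule reports the second bucket.
test_unknown_acl_is_reported if {
	deny == {"aws_s3_bucket.computed: acl is unknown at plan time"} with input as sample_plan
}
```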

stale[bot] commented 2 years ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.