runatlantis / atlantis

Terraform Pull Request Automation
https://www.runatlantis.io

Support multiple source type for conftest policy check #2454

Open xNok opened 2 years ago

xNok commented 2 years ago

Describe the user story

Conftest supports a command called pull (see here) that lets you fetch a policy bundle from various locations.

According to the doc (see here), policy_sets only support local as a source.

Describe the solution you'd like

I think it would be nice to add a new source for policies that leverages conftest pull:

policies:
  owners:
    users:
      - nishkrishnan
  policy_sets:
    - name: null_resource_warning
      path: https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego
      source: remote

What this does in the background is call conftest pull https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego

Describe the drawbacks of your solution

The drawback is handling private repositories for policy libraries, but in that case, the local option is still there.

Describe alternatives you've considered

Using a custom workflow to add this step manually, but conftest configuration would be simpler in the proposed way.
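To make the proposal above concrete, here is an added example (not Atlantis code, and not from the issue author) that resolves the proposed `policy_sets` entries into the conftest commands a server would run: `local` keeps today's behaviour and `remote` maps to `conftest pull` followed by `conftest test`. It assumes `conftest pull` downloads into a `policy/` directory and that the plan JSON file name is passed in by the caller; the sample config is constructed to mirror the one in the proposal.

```python
"""Resolve Atlantis policy_set entries into conftest invocations (added example)."""
from urllib.parse import urlparse

# Constructed sample mirroring the repo config proposed in this issue.
SAMPLE_POLICY_SETS = [
    {"name": "null_resource_warning",
     "path": "https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego",
     "source": "remote"},
    # source omitted: behaves like today's only supported value, local
    {"name": "local_rules", "path": "/home/atlantis/policy"},
]


def resolve_policy_set(ps: dict, plan_file: str = "plan.json") -> list[list[str]]:
    """Return the conftest commands (argv lists) for one policy_set entry.

    local  -> conftest test -p <path> <plan_file>
    remote -> conftest pull <https url>; conftest test -p policy <plan_file>
    Remote sources are restricted to https URLs because the proposal carries no
    credentials, which is the private-repository drawback noted in the issue.
    The download directory "policy" is an assumption about conftest pull's default.
    """
    source = ps.get("source", "local")
    path = ps["path"]
    if source == "local":
        if urlparse(path).scheme:
            raise ValueError(f"{ps['name']}: local source must be a filesystem path")
        return [["conftest", "test", "-p", path, plan_file]]
    if source == "remote":
        url = urlparse(path)
        if url.scheme != "https" or not url.netloc:
            raise ValueError(f"{ps['name']}: remote source must be an https URL")
        return [["conftest", "pull", path],
                ["conftest", "test", "-p", "policy", plan_file]]
    raise ValueError(f"{ps['name']}: unsupported source {source!r}")


def is_valid_policy_set(ps: dict) -> bool:
    """True when the entry resolves without a validation error."""
    try:
        resolve_policy_set(ps)
    except (ValueError, KeyError):
        return False
    return True


def resolve_all(policy_sets: list[dict]) -> list[list[str]]:
    """Flatten every policy_set entry into the ordered list of commands to run."""
    return [cmd for ps in policy_sets for cmd in resolve_policy_set(ps)]
```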

alexlo03 commented 2 years ago

Great FR.

Consider making the conftest step a peer of the core Atlantis workflow in the server-side config? E.g.

policy_workflows:
  my_policy_workflow:
    custom:
      pull: https://raw.githubusercontent.com/open-policy-agent/conftest/master/examples/compose/policy/deny.rego
      check: ...

To mitigate the complexity of git auth, could you use paths from the repository you are running a plan on?

alexlo03 commented 2 years ago

Note: workflows seem to be possible, an example I found: https://github.com/infracost/infracost-atlantis/blob/7d446b97ee430815d07dfed0c80778c4cd9f0760/examples/conftest/conftest.yml#L27

xNok commented 2 years ago

The issue with @alexlo03's workflow is this step: "Create a policy file in the [Rego language](https://www.openpolicyagent.org/docs/latest/policy-language/) policy.rego and make it available at /home/atlantis/policy".

This means you need to build a Docker image or mount the policy as a volume.

alexlo03 commented 2 years ago

@xNok Definitely. My approach is a hack around current limitations. Conftest will let you have as many -p PATH args as you want. What I do is:

1) Mount a no-op rego file into the image / volume

2) In my repo I have a policy/ directory

3) In my workflows conf:

workflows:
  MYWORKFLOW:
    plan:
      steps:
      [...]
    policy_check:
      steps:
      - env:
          name: REPO_ROOT
          command: 'echo "${ATLANTIS_DATA_DIR}/repos/${BASE_REPO_OWNER}/${BASE_REPO_NAME}/${PULL_NUM}/${WORKSPACE}"'
      - run: echo "Running conftest in ${REPO_ROOT}/policy"
      - policy_check:
          extra_args: ["-p ${REPO_ROOT}/policy", "--all-namespaces"]

You could imagine doing a different type of rego file fetch in the workflow if you don't want to specify policy in the Atlantis/TF repo.