kyverno · eddycharly · Oct 29, 2023 · Oct 29, 2023 · Oct 29, 2023 · Oct 29, 2023
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -10,6 +10,20 @@
             "args": [
                 "serve"
             ]
-        }
+        },
+        {
+            "name": "CLI",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/cmd/cli",
+            "args": [
+                "scan",
+                "--policy",
+                "/tmp/kube-policy.yaml",
+                "--payload",
+                "/tmp/pod.json"
+            ],
+        },
     ]
 }
diff --git a/README.md b/README.md
@@ -28,7 +28,7 @@ Policies for this tool belong to the `json.kyverno.io` group, exist only in `v1a
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:
@@ -53,7 +53,7 @@ This tool uses [assertion trees](#assertion-trees-replace-pattern-matching) to i
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: required-s3-tags
 spec:
@@ -83,7 +83,7 @@ This implementation supports the `let` feature and this tool leverages it to imp
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: required-s3-tags
 spec:
@@ -139,7 +139,7 @@ It is now possible to write a validation tree like this:
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:
@@ -186,7 +186,7 @@ The policy below does not use the `~` modifier and `foo.bar` array is compared a
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:
@@ -208,7 +208,7 @@ The policy below ensures that all elements in the input array are `< 5`:
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:
@@ -246,7 +246,7 @@ The following policy will compute a sum and bind the result to the `sum` binding
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:
@@ -270,7 +270,7 @@ As a consequence, the policy below is perfectly valid:
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:
@@ -290,7 +290,7 @@ Note that all context entries are made available to the rule via bindings:
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: required-s3-tags
 spec:
@@ -315,9 +315,10 @@ spec:
 
 Finally, we can always access the current payload, policy and rule being evaluated using the builtin `$payload`, `$policy` and `$rule` bindings. No protection is made to prevent you from overriding those bindings though.
 
-#### Escaping projection
+#### Escaping projections
 
 It can be necessary to prevent a projection under certain circumstances.
+
 Consider the following document:
 
 ```yaml
@@ -334,7 +335,7 @@ To workaround this issue, you can escape a projection by surrounding it with `\`
 
 ```yaml
 apiVersion: json.kyverno.io/v1alpha1
-kind: Policy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:

diff --git a/pkg/commands/scan/command_test.go b/pkg/commands/scan/command_test.go
@@ -79,6 +79,19 @@ func Test_Execute(t *testing.T) {
 		policies: []string{"../../../test/dockerfile/policy.yaml"},
 		out:      "../../../test/dockerfile/out.txt",
 		wantErr:  false,
+	}, {
+		name:     "tf-s3",
+		payload:  "../../../test/tf-s3/payload.json",
+		policies: []string{"../../../test/tf-s3/policy.yaml"},
+		out:      "../../../test/tf-s3/out.txt",
+		wantErr:  false,
+	}, {
+		name:          "tf-ec2",
+		payload:       "../../../test/tf-ec2/payload.json",
+		preprocessors: []string{"planned_values.root_module.resources"},
+		policies:      []string{"../../../test/tf-ec2/policy.yaml"},
+		out:           "../../../test/tf-ec2/out.txt",
+		wantErr:       false,
 	}}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

diff --git a/test/api/README.md b/test/api/README.md
@@ -17,7 +17,7 @@ make install-crds
 ```bash
 kubectl apply -f - <<EOF
 apiVersion: json.kyverno.io/v1alpha1
-kind: ValidationPolicy
+kind: ValidatingPolicy
 metadata:
   name: test
 spec:

diff --git a/test/tf-ec2/ec2.tf b/test/tf-ec2/ec2.tf
@@ -0,0 +1,23 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.16"
+    }
+  }
+
+  required_version = ">= 1.2.0"
+}
+
+provider "aws" {
+  region = "us-west-2"
+}
+
+resource "aws_instance" "app_server" {
+  ami           = "ami-830c94e3"
+  instance_type = "t2.micro"
+
+  tags = {
+    Name = "ExampleAppServerInstance"
+  }
+}
diff --git a/test/tf-ec2/out.txt b/test/tf-ec2/out.txt
@@ -0,0 +1,6 @@
+Loading policies ...
+Loading payload ...
+Pre processing ...
+Running ( evaluating 1 resource against 1 policy ) ...
+- required-ec2-tags / require-team-tag / (unknown) PASSED
+Done
diff --git a/test/tf-ec2/payload.json b/test/tf-ec2/payload.json
@@ -0,0 +1,200 @@
+{
+  "format_version": "1.2",
+  "terraform_version": "1.5.7",
+  "planned_values": {
+    "root_module": {
+      "resources": [
+        {
+          "address": "aws_instance.app_server",
+          "mode": "managed",
+          "type": "aws_instance",
+          "name": "app_server",
+          "provider_name": "registry.terraform.io/hashicorp/aws",
+          "schema_version": 1,
+          "values": {
+            "ami": "ami-830c94e3",
+            "credit_specification": [],
+            "get_password_data": false,
+            "hibernation": null,
+            "instance_type": "t2.micro",
+            "launch_template": [],
+            "source_dest_check": true,
+            "tags": {
+              "Name": "ExampleAppServerInstance"
+            },
+            "tags_all": {
+              "Name": "ExampleAppServerInstance"
+            },
+            "timeouts": null,
+            "user_data_replace_on_change": false,
+            "volume_tags": null
+          },
+          "sensitive_values": {
+            "capacity_reservation_specification": [],
+            "cpu_options": [],
+            "credit_specification": [],
+            "ebs_block_device": [],
+            "enclave_options": [],
+            "ephemeral_block_device": [],
+            "ipv6_addresses": [],
+            "launch_template": [],
+            "maintenance_options": [],
+            "metadata_options": [],
+            "network_interface": [],
+            "private_dns_name_options": [],
+            "root_block_device": [],
+            "secondary_private_ips": [],
+            "security_groups": [],
+            "tags": {},
+            "tags_all": {},
+            "vpc_security_group_ids": []
+          }
+        }
+      ]
+    }
+  },
+  "resource_changes": [
+    {
+      "address": "aws_instance.app_server",
+      "mode": "managed",
+      "type": "aws_instance",
+      "name": "app_server",
+      "provider_name": "registry.terraform.io/hashicorp/aws",
+      "change": {
+        "actions": [
+          "create"
+        ],
+        "before": null,
+        "after": {
+          "ami": "ami-830c94e3",
+          "credit_specification": [],
+          "get_password_data": false,
+          "hibernation": null,
+          "instance_type": "t2.micro",
+          "launch_template": [],
+          "source_dest_check": true,
+          "tags": {
+            "Name": "ExampleAppServerInstance"
+          },
+          "tags_all": {
+            "Name": "ExampleAppServerInstance"
+          },
+          "timeouts": null,
+          "user_data_replace_on_change": false,
+          "volume_tags": null
+        },
+        "after_unknown": {
+          "arn": true,
+          "associate_public_ip_address": true,
+          "availability_zone": true,
+          "capacity_reservation_specification": true,
+          "cpu_core_count": true,
+          "cpu_options": true,
+          "cpu_threads_per_core": true,
+          "credit_specification": [],
+          "disable_api_stop": true,
+          "disable_api_termination": true,
+          "ebs_block_device": true,
+          "ebs_optimized": true,
+          "enclave_options": true,
+          "ephemeral_block_device": true,
+          "host_id": true,
+          "host_resource_group_arn": true,
+          "iam_instance_profile": true,
+          "id": true,
+          "instance_initiated_shutdown_behavior": true,
+          "instance_state": true,
+          "ipv6_address_count": true,
+          "ipv6_addresses": true,
+          "key_name": true,
+          "launch_template": [],
+          "maintenance_options": true,
+          "metadata_options": true,
+          "monitoring": true,
+          "network_interface": true,
+          "outpost_arn": true,
+          "password_data": true,
+          "placement_group": true,
+          "placement_partition_number": true,
+          "primary_network_interface_id": true,
+          "private_dns": true,
+          "private_dns_name_options": true,
+          "private_ip": true,
+          "public_dns": true,
+          "public_ip": true,
+          "root_block_device": true,
+          "secondary_private_ips": true,
+          "security_groups": true,
+          "subnet_id": true,
+          "tags": {},
+          "tags_all": {},
+          "tenancy": true,
+          "user_data": true,
+          "user_data_base64": true,
+          "vpc_security_group_ids": true
+        },
+        "before_sensitive": false,
+        "after_sensitive": {
+          "capacity_reservation_specification": [],
+          "cpu_options": [],
+          "credit_specification": [],
+          "ebs_block_device": [],
+          "enclave_options": [],
+          "ephemeral_block_device": [],
+          "ipv6_addresses": [],
+          "launch_template": [],
+          "maintenance_options": [],
+          "metadata_options": [],
+          "network_interface": [],
+          "private_dns_name_options": [],
+          "root_block_device": [],
+          "secondary_private_ips": [],
+          "security_groups": [],
+          "tags": {},
+          "tags_all": {},
+          "vpc_security_group_ids": []
+        }
+      }
+    }
+  ],
+  "configuration": {
+    "provider_config": {
+      "aws": {
+        "name": "aws",
+        "full_name": "registry.terraform.io/hashicorp/aws",
+        "version_constraint": "~> 4.16",
+        "expressions": {
+          "region": {
+            "constant_value": "us-west-2"
+          }
+        }
+      }
+    },
+    "root_module": {
+      "resources": [
+        {
+          "address": "aws_instance.app_server",
+          "mode": "managed",
+          "type": "aws_instance",
+          "name": "app_server",
+          "provider_config_key": "aws",
+          "expressions": {
+            "ami": {
+              "constant_value": "ami-830c94e3"
+            },
+            "instance_type": {
+              "constant_value": "t2.micro"
+            },
+            "tags": {
+              "constant_value": {
+                "Name": "ExampleAppServerInstance"
+              }
+            }
+          },
+          "schema_version": 1
+        }
+      ]
+    }
+  },
+  "timestamp": "2023-10-26T06:40:48Z"
+}