Difficulty causing pass.hcl to become a fail

This is going to be a bit inverted but I’m trying to ensure the roles “allUsers” and “allAuthenticatedUsers” are not present in the mock file. However, I get a pass in the pass file and a fail in the fail file when both or either/or are present.

The fail works fine. However, the pass file should fail if “allUsers” and/or “allAuthenticatedUsers” is present. What I’m getting is a pass for the pass.hcl if either of the two user roles are present. This should not be the case since it violates our policy.

The resources I’m targeting are: google_service_account_iam_binding, google_kms_crypto_key_iam_member, and google_iam_policy.


Unfortunately I couldn’t get this script to work on playground this time, so you’ll have to use a personal environment unless you know a workaround.

-Thank you

@Hiddenmessages my recommendation would be to try and write a lot of the logic yourself where possible. The function library is a great resource but sometimes I feel like it abstracts away too much of the policy logic.

Based on my understanding, you would like to:

  1. Filter resources based on type
  2. Check the members property and validate that the configured members are not contained in a predefined list
  3. Fail the policy if there are violations of the rule defined above

I would implement the policy as follows:

import "tfplan/v2" as tfplan

# Resource types named in the question
resource_types = [
    "google_service_account_iam_binding",
    "google_kms_crypto_key_iam_member",
    "google_iam_policy",
]

# Principals that must never be granted access
forbidden_members = [
    "allUsers",
    "allAuthenticatedUsers",
]

# Step 1: keep only managed resources of the targeted types that are being
# created or updated (a destroyed resource has no "after" state to inspect)
all_resources = filter tfplan.resource_changes as _, resource_changes {
    resource_changes.type in resource_types and
        resource_changes.mode is "managed" and
        (resource_changes.change.actions contains "create" or
            resource_changes.change.actions is ["update"])
}

# Step 2: flag any resource whose planned "member" is on the forbidden list.
# Note: this reads the singular `member` attribute (the *_iam_member shape);
# *_iam_binding resources expose a `members` list instead.
violations = filter all_resources as _, resource {
    resource.change.after.member in forbidden_members
}

# Step 3: the policy passes only when nothing was flagged
main = rule {
    violations is empty
}

Playground Example: Sentinel Playground

I haven’t accounted for undefined values, but this should get you started.

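The three steps from the reply above, carried through as an added example (it is not the original poster's policy nor the reply author's code). It covers the case the reply leaves out: the three targeted types do not name the granted principals the same way (`member` string on `google_kms_crypto_key_iam_member`, `members` list on `google_service_account_iam_binding`, `binding` blocks with a `members` list on `google_iam_policy`), and `change.after` can be null or undefined. It also drops the `mode is "managed"` test, because `google_iam_policy` is a data source in the Google provider; the assumption that a deferred read of it shows up in `tfplan.resource_changes` with a `binding` list under `change.after` is mine, as is the print-based reporting. The code has not been run against a live plan.

```sentinel
import "tfplan/v2" as tfplan

# Types named in the question. No restriction on mode, so a google_iam_policy
# data source that Terraform defers to apply time is inspected too
# (assumption: that is how it appears in the plan).
target_types = [
    "google_service_account_iam_binding",
    "google_kms_crypto_key_iam_member",
    "google_iam_policy",
]

forbidden_members = ["allUsers", "allAuthenticatedUsers"]

# Collect every principal a planned object grants, whatever attribute the
# provider uses: `member` (string), `members` (list) or `binding` blocks
# (list of maps, each with its own `members` list). Null or undefined state
# yields an empty list instead of an undefined expression, so destroys and
# unknown-until-apply values cannot silently turn the check off.
principals = func(after) {
    if after is undefined or after is null {
        return []
    }
    found = []
    if "member" in keys(after) {
        if after.member is not null {
            append(found, after.member)
        }
    }
    if "members" in keys(after) {
        if after.members is not null {
            for after.members as m {
                append(found, m)
            }
        }
    }
    if "binding" in keys(after) {
        if after.binding is not null {
            for after.binding as b {
                if "members" in keys(b) {
                    if b.members is not null {
                        for b.members as m {
                            append(found, m)
                        }
                    }
                }
            }
        }
    }
    return found
}

# Step 1: targeted types that will exist after this plan is applied
candidates = filter tfplan.resource_changes as _, rc {
    rc.type in target_types and
        (rc.change.actions contains "create" or
            rc.change.actions contains "update")
}

# Step 2: keep the ones that grant any forbidden principal
violations = filter candidates as _, rc {
    any principals(rc.change.after) as p {
        p in forbidden_members
    }
}

# Report the offending addresses so the run log says why the policy failed
for violations as address, rc {
    print(address, "grants", principals(rc.change.after))
}

# Step 3: pass only when nothing was flagged
main = rule {
    length(violations) is 0
}
```

When building the `pass.hcl` / `fail.hcl` mocks for this policy, each `resource_changes` entry needs a `type` from `target_types`, a `change.actions` list containing "create" or "update", and a `change.after` map whose principal attribute is spelled the way the provider actually emits it (`members` for the binding resource, `member` for the member resource, `binding` for the policy data source). A mock that stores "allUsers" under an attribute the policy never reads produces no violation, and the policy reports a pass regardless of what the file is meant to test.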