Policy As Code using OPA — Conftest Automation

Aziz Zoaib
2 min read · Feb 28, 2021


In our last guide we looked at what OPA — Conftest is, and how you can use it to validate your Terraform manifests and avoid human mistakes.

In this guide we will look at how to automate this, so that the conftest policies you have written actually run against every pull request raised.

For that to happen we need to cover one prerequisite: running Atlantis against your source control provider, which in our case is GitHub.

Atlantis!? Wait, what's that?

Anyone who is not familiar with Atlantis can get some insight into the tool here.

Atlantis is an application for automating Terraform via pull requests. It is deployed as a standalone application into your infrastructure. No third-party has access to your credentials.

So Yalla! Let's start automating.

The one prerequisite is a small custom script, which we have already written for you; clone it from the link below.

https://github.com/azizzoaib786/conftest

The script performs the following actions:

  • Runs the conftest test command to validate the Terraform plan against your policies
  • Updates the GitHub commit status by POSTing to the GitHub API with the PR's pull number
  • Finally, writes a GitHub comment on the PR by POSTing to the GitHub API if policy validation fails

GitHub status example.

GitHub comment example.
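The three steps above, as an added example in Python rather than the script from the repository linked above. It assumes conftest is invoked on the plan JSON that Atlantis exposes via SHOWFILE, that the Atlantis run-step variables BASE_REPO_OWNER, BASE_REPO_NAME, HEAD_COMMIT and PULL_NUM are set, and that a GITHUB_TOKEN with statuses and PR-comment scope is available; the SAMPLE_RESULTS value is a constructed conftest result, not real output.

```python
import json
import os
import subprocess
import sys
import urllib.request

# Constructed sample of conftest's JSON output (one violation, two passes).
SAMPLE_RESULTS = [
    {"filename": "tfplan.json", "namespace": "main", "successes": 2,
     "failures": [{"msg": "S3 bucket 'logs' must have versioning enabled"}]},
]

def run_conftest(plan_json, policy_dir="policy"):
    """Run conftest with JSON output; exit status 1 only means violations were found."""
    proc = subprocess.run(["conftest", "test", "--output", "json", "--policy", policy_dir, plan_json],
                          capture_output=True, text=True)
    return json.loads(proc.stdout or "[]")

def summarize(results):
    """Collapse conftest results into (state, status description, PR comment or None)."""
    failures = [f["msg"] for r in results for f in r.get("failures", [])]
    passed = sum(r.get("successes", 0) for r in results)
    if failures:
        comment = "Conftest policy check failed:\n" + "\n".join(f"- {m}" for m in failures)
        return "failure", f"{len(failures)} policy violation(s), {passed} passed", comment
    return "success", f"All {passed} policy checks passed", None

def github_post(url, payload, token):
    """POST a JSON body to the GitHub REST API; raises on non-2xx responses."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(), method="POST",
                                 headers={"Authorization": f"token {token}",
                                          "Accept": "application/vnd.github.v3+json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status

def report(results, owner, repo, sha, pull_number, token, context="conftest/policy"):
    """Set the commit status and, only on failure, leave a PR comment. Returns the state."""
    state, description, comment = summarize(results)
    api = f"https://api.github.com/repos/{owner}/{repo}"
    # GitHub caps status descriptions at 140 characters.
    github_post(f"{api}/statuses/{sha}", {"state": state, "context": context,
                                           "description": description[:140]}, token)
    if comment:
        github_post(f"{api}/issues/{pull_number}/comments", {"body": comment}, token)
    return state

if __name__ == "__main__":
    env = os.environ  # Atlantis run-step variables (assumed names, see lead-in)
    state = report(run_conftest(env["SHOWFILE"]), env["BASE_REPO_OWNER"], env["BASE_REPO_NAME"],
                   env["HEAD_COMMIT"], env["PULL_NUM"], env["GITHUB_TOKEN"])
    sys.exit(0 if state == "success" else 1)
```

Exiting non-zero on a failing policy lets Atlantis itself mark the plan step as failed, so the PR is blocked even if the status POST were to fail.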

And that's all you need to do to automate validation of pull requests against the policies you have written. Invest some time in writing the policies and let the machine do the validation for you.

Happy Automation!
