feat: add conftest policy for provider version pinning in modules

Author: marekaf

conftest-policies/provider_version_pinning.rego

@@ -0,0 +1,18 @@
+package main
+
+import rego.v1
+
+deny_unpinned_provider_version contains msg if {
+	some path
+	some block in input.resource.terraform[path]
+	some name, provider in block.required_providers
+	version_constraint := object.get(provider, "version", "")
+	version_constraint != ""
+	not contains(version_constraint, "~>")
+	not contains(version_constraint, "=")
+	endswith(version_constraint, ".x")
+	msg := sprintf(
+		"%s/versions.tf: provider '%s' has loose version constraint '%s' - pin to specific version or use '~>' for minor version pinning",
+		[path, name, version_constraint],
+	)
+}