feat: add conftest policy for provider version pinning in modules (#203)

marekaf · web-flow · commit be44080361e8 · 2026-03-04T09:47:35.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -49,3 +49,6 @@ modules/**/.terraform.lock.hcl
 
 # ignore infracost resources
 .infracost/
+
+# test fixtures
+conftest-policies/testdata/
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -6,12 +6,13 @@ repos:
       - id: terraform_fmt
       - id: terraform_docs
       - id: terraform_validate
-        exclude: '^[^/]+$|^modules/certificate/'
+        exclude: '^[^/]+$|^modules/certificate/|^conftest-policies/testdata/'
       - id: terraform_tflint
         args:
           - "--args=--config=__GIT_WORKING_DIR__/.tflint.hcl"
           - "--args=--disable-rule=terraform_standard_module_structure"
           - "--args=--disable-rule=terraform_unused_required_providers"
+        exclude: '^conftest-policies/testdata/'
       - id: terraform_checkov
         args:
           - --args=--quiet
diff --git a/conftest-policies/provider_version_pinning.rego b/conftest-policies/provider_version_pinning.rego
@@ -0,0 +1,18 @@
+package main
+
+import rego.v1
+
+deny_unpinned_provider_version contains msg if {
+	some path
+	some block in input.resource.terraform[path]
+	some name, provider in block.required_providers
+	version_constraint := object.get(provider, "version", "")
+	version_constraint != ""
+	startswith(version_constraint, ">=")
+	not contains(version_constraint, "~>")
+	not contains(version_constraint, "<")
+	msg := sprintf(
+		"%s/versions.tf: provider '%s' has loose version constraint '%s' - pin to specific version or use '~>' for minor version pinning",
+		[path, name, version_constraint],
+	)
+}
diff --git a/conftest-policies/testdata/provider-version-pinning/fail-loose.tf b/conftest-policies/testdata/provider-version-pinning/fail-loose.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = ">= 4.66.0"
+    }
+  }
+}
diff --git a/conftest-policies/testdata/provider-version-pinning/pass-exact.tf b/conftest-policies/testdata/provider-version-pinning/pass-exact.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "= 4.66.0"
+    }
+  }
+}
diff --git a/conftest-policies/testdata/provider-version-pinning/pass-tilde.tf b/conftest-policies/testdata/provider-version-pinning/pass-tilde.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4.66.0"
+    }
+  }
+}
