Manual Test Runbook — D5: Policy Waiver Engine

Owner: Sagar  |  Time: ~10 min (local validation)  |  Sandbox: local

Overview

The D5 Policy Waiver Engine allows for time-boxed exceptions to OPA deny policies, enabling incremental brownfield adoption. Waivers are PR-linked and stored in waivers/exceptions.yaml. This runbook covers how to manually test that an active waiver suppresses the corresponding violation, while an expired waiver triggers a hard-deny CI failure.

Preparation

Create a dummy plan.json representing a tag violation (missing Environment tag):

cat << 'EOF' > plan.json
{
  "resource_changes": [
    {
      "address": "azurerm_resource_group.test",
      "type": "azurerm_resource_group",
      "change": {
        "actions": ["create"],
        "after": {
          "location": "eastus",
          "name": "test-rg",
          "tags": {}
        }
      }
    }
  ]
}
EOF

Part A: Validate Default Denial

Run conftest test against the dummy plan without waivers:

conftest test plan.json --policy policy/opa/rules

Expectation: Conftest fails with a snowops.tags violation against azurerm_resource_group.test.

Part B: Validate Active Waiver Suppression

  1. Open waivers/exceptions.yaml and add an active waiver:
    waivers:
      test-waiver-active:
        rule_prefix: "snowops.tags"
        resource_address: "azurerm_resource_group.test"
        expiry_date: "2099-12-31" # Safely in the future
        owner: "tester@snowops.com"
        justification: "Testing D5 waiver suppression"
    
  2. Re-run conftest pointing to the waivers data:
    conftest test plan.json --policy policy/opa/rules --data waivers/exceptions.yaml
    
    Expectation: The test passes successfully with 0 failures. The waiver suppressed the snowops.tags violation.

Part C: Validate Expired Waiver Enforcement

  1. Edit waivers/exceptions.yaml and change the expiry date to the past:
    waivers:
      test-waiver-expired:
        rule_prefix: "snowops.tags"
        resource_address: "azurerm_resource_group.test"
        expiry_date: "2020-01-01" # In the past
        owner: "tester@snowops.com"
        justification: "Testing expired waiver failure"
    
  2. Re-run conftest:
    conftest test plan.json --policy policy/opa/rules --data waivers/exceptions.yaml
    
    Expectation: The test fails with the message: snowops.waiver_expired: Waiver 'test-waiver-expired' for 'azurerm_resource_group.test' expired on 2020-01-01.
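The waiver semantics exercised by Parts A to C, as an added Python reference model that is not the project's Rego and does not invoke conftest: it embeds constructed copies of the runbook's plan.json and both waivers, takes the evaluation date as a parameter so each part's expected verdict can be checked offline, and assumes that the tags rule requires at least the Environment tag, that a waiver is valid through its expiry_date, and that the waiver_expired message has the format shown in Part C.

```python
from datetime import date

# Constructed copy of the runbook's dummy plan.json: tags {} means the Environment tag is missing.
PLAN = {"resource_changes": [{
    "address": "azurerm_resource_group.test", "type": "azurerm_resource_group",
    "change": {"actions": ["create"],
               "after": {"location": "eastus", "name": "test-rg", "tags": {}}}}]}

# Constructed waivers, shaped as the 'waivers:' map in waivers/exceptions.yaml loads.
WAIVERS_ACTIVE = {"test-waiver-active": {
    "rule_prefix": "snowops.tags", "resource_address": "azurerm_resource_group.test",
    "expiry_date": "2099-12-31", "owner": "tester@snowops.com",
    "justification": "Testing D5 waiver suppression"}}
WAIVERS_EXPIRED = {"test-waiver-expired": {
    **WAIVERS_ACTIVE["test-waiver-active"], "expiry_date": "2020-01-01",
    "justification": "Testing expired waiver failure"}}

REQUIRED_TAGS = ("Environment",)  # assumption: the tags rule checks at least this tag

def tag_violations(plan):
    """snowops.tags: each changed resource must carry every required tag after the change.
    Returns (address, rule_name, message) tuples; the message wording is constructed here."""
    found = []
    for rc in plan["resource_changes"]:
        tags = ((rc.get("change") or {}).get("after") or {}).get("tags") or {}
        for tag in REQUIRED_TAGS:
            if tag not in tags:
                found.append((rc["address"], "snowops.tags",
                              f"snowops.tags: {rc['address']} is missing required tag '{tag}'"))
    return found

def evaluate(plan, waivers, today):
    """Return the failure messages a conftest run should report; 'today' is YYYY-MM-DD.
    A waiver matches a violation only if resource_address equals the resource and the rule
    name starts with rule_prefix. An unexpired match suppresses the violation (Part B); an
    expired match is never ignored but becomes a snowops.waiver_expired hard deny (Part C)."""
    now = date.fromisoformat(today)
    failures = []
    for address, rule, msg in tag_violations(plan):
        matching = [(name, w) for name, w in waivers.items()
                    if w["resource_address"] == address and rule.startswith(w["rule_prefix"])]
        if not matching:
            failures.append(msg)  # Part A: no waiver, so the original violation stands
        for name, w in matching:
            # assumption: a waiver is valid through its expiry_date and expired the day after
            if date.fromisoformat(w["expiry_date"]) < now:
                failures.append(f"snowops.waiver_expired: Waiver '{name}' for '{address}' "
                                f"expired on {w['expiry_date']}")
    return failures
```

A waiver for another resource or an unrelated rule prefix leaves the original violation in place, which is the case to check when a waiver appears to "not work".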

Cleanup

Remove the dummy plan.json and restore waivers/exceptions.yaml to its default state.

Sign-off

  • Tester: _  |  Date: _  |  Result: PASS / FAIL / N/A
  • Notes: