DevOps & Cloud Interview Prep: Real Scenarios & Answers

Conftest in Argo CD: Block Public S3 Buckets at GitOps Gate



A developer pushes a Terraform module with a public S3 bucket — here's exactly how to catch and block it in your Argo CD pipeline using Conftest policy-as-code before it ever reaches production.

You'll learn:

  • How Conftest integrates with Argo CD as a pre-sync hook to enforce OPA policies on Terraform plans
  • Writing a Rego rule that flags acl = public-read or block_public_acls = false on aws_s3_bucket resources
  • Where in the GitOps workflow the gate fires — and why admission controllers alone aren't enough for IaC drift
  • How to surface policy failures as Argo CD sync errors so engineers see the violation before merge, not after deploy
  • Common gotchas: Terraform plan JSON output format, conftest namespace mismatches, and false positives on legacy modules
  • Keywords: Conftest Argo CD policy, OPA Terraform GitOps, block public S3 bucket IaC, GitOps security controls, Rego policy Terraform plan

🎧 Listen, then go deeper — DevOps & Cloud interview-prep ebooks at DevOpsInterview.Cloud
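A Conftest policy for the rule and the plan-JSON gotchas described in the bullets above, added here as an illustration and not taken from the episode. It assumes the plan was exported with `terraform plan -out plan.tfplan && terraform show -json plan.tfplan > plan.json` and is checked with `conftest test plan.json`; beyond the `aws_s3_bucket` case the episode names, it also covers the provider v4+ `aws_s3_bucket_acl` resource and the `aws_s3_bucket_public_access_block` resource, which is where `block_public_acls` actually lives.

```rego
package main

# Conftest evaluates package main unless --namespace says otherwise;
# a different package name here silently tests nothing.
import rego.v1

public_acls := {"public-read", "public-read-write"}

# Resource changes from `terraform show -json plan.tfplan`, skipping pure
# deletions (their "after" object is null). Replacements ("delete","create")
# still carry the post-apply state and are checked.
planned contains rc if {
    some rc in input.resource_changes
    rc.change.actions != ["delete"]
}

# The legacy `acl` argument on aws_s3_bucket (provider < 4) and the
# aws_s3_bucket_acl resource (provider >= 4) both grant anonymous reads.
deny contains msg if {
    some rc in planned
    rc.type in {"aws_s3_bucket", "aws_s3_bucket_acl"}
    rc.change.after.acl in public_acls
    msg := sprintf("%s: acl %q makes the bucket world-readable", [rc.address, rc.change.after.acl])
}

# block_public_acls = false on the public access block re-opens the door
# even when the bucket itself carries a private ACL.
deny contains msg if {
    some rc in planned
    rc.type == "aws_s3_bucket_public_access_block"
    rc.change.after.block_public_acls == false
    msg := sprintf("%s: block_public_acls must be true", [rc.address])
}
```

To grandfather legacy modules without losing visibility, filter the second rule on `rc.module_address` or move it from `deny` to `warn`, so the sync reports the finding instead of failing on it.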


By https://DevOpsInterview.Cloud