DNS Rego code to deny MX and SOA records
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Policy: reports (via `deny`) every MX or SOA record present in `input`,
# and exposes per-type `allow_update_*` booleans for CNAME, A, NS, TXT and
# CAA records.
# NOTE(review): `deny` and the `allow_update_*` rules are independent — no
# rule in this file combines them into one decision, so a caller that only
# queries `allow_update_*` never sees the MX/SOA restriction.
# NOTE(review): future.keywords.every is imported but unused; each
# allow_update_* rule is satisfied when ANY record of that type exists.
package example
import future.keywords.every
import future.keywords.if
import future.keywords.in
# allow_update_cname is true when at least one record in `input` has
# type "CNAME"; the default keeps it false for empty or unrelated input.
default allow_update_cname := false

allow_update_cname if {
    some record in input
    record.type == "CNAME"
}
# Second body for the same rule: satisfied when the shared resources()
# helper yields at least one CNAME record.
allow_update_cname if count(resources("CNAME")) > 0
# allow_update_a is true when at least one record in `input` has type "A";
# the default keeps it false for empty or unrelated input.
default allow_update_a := false

allow_update_a if {
    some record in input
    record.type == "A"
}
# Second body for the same rule: satisfied when the shared resources()
# helper yields at least one A record.
allow_update_a if count(resources("A")) > 0
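# allow_update_ns is true when at least one record in `input` has type
# "NS"; the default keeps it false for empty or unrelated input.
default allow_update_ns := false

allow_update_ns {
    resource_2 := input[_]
    # Compare the type string directly, as the CNAME/A/TXT/CAA siblings do.
    # The former `resource_2.type[_]` indexed into the value; for a string
    # `type` that is undefined in Rego, so this body could never be true
    # (it would only have worked if NS records carried `type` as an array,
    # which no other rule in this file assumes).
    dns_record_2 := resource_2.type
    dns_record_2 == "NS"
}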
# Second body for the same rule: satisfied when the shared resources()
# helper yields at least one NS record.
allow_update_ns if count(resources("NS")) > 0
# allow_update_txt is true when at least one record in `input` has type
# "TXT"; the default keeps it false for empty or unrelated input.
default allow_update_txt := false

allow_update_txt if {
    some record in input
    record.type == "TXT"
}
# Second body for the same rule: satisfied when the shared resources()
# helper yields at least one TXT record.
allow_update_txt if count(resources("TXT")) > 0
# allow_update_caa is true when at least one record in `input` has type
# "CAA"; the default keeps it false for empty or unrelated input.
default allow_update_caa := false

allow_update_caa if {
    some record in input
    record.type == "CAA"
}
# Second body for the same rule: satisfied when the shared resources()
# helper yields at least one CAA record.
allow_update_caa if count(resources("CAA")) > 0
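# resources returns the set of records in `input` whose "type" equals the
# requested record type. It is shared by the second allow_update_* bodies
# and by both deny rules.
# Iterate `input` itself, matching the `input[_]` iteration used by the
# allow_update_* rules. The previous `input[""]` looked up a fixed "" key,
# which is undefined for an array input; the set was then always empty and
# `deny` could never fire, silently failing open on MX/SOA changes.
resources(type) := {r | some r in input; r.type == type}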
# deny collects one message per MX record that resources() finds in the
# input; the whole record object is rendered into the message.
deny[msg] {
    mx_record := resources("MX")[_]
    msg := sprintf("dns_record '%v' Our policy recommends no changes to MX records", [mx_record])
}

# deny collects one message per SOA record that resources() finds in the
# input; the whole record object is rendered into the message.
deny[msg] {
    soa_record := resources("SOA")[_]
    msg := sprintf("dns_record '%v' Our policy recommends no changes to SOA records", [soa_record])
}