https://github.com/prancer-io/prancer-compliance-test/issues/189

prancer-io · Aug 11, 2021 · d6436bf · d6436bf
1 parent 87e64a3
commit d6436bf
Showing 1 changed file with 39 additions and 15 deletions.
diff --git a/azure/terraform/vnetsubnets.rego b/azure/terraform/vnetsubnets.rego
@@ -8,31 +8,55 @@ package rule
 
 default vnet_subnet_nsg = null
 
+#azure_attribute_absence["vnet_subnet_nsg"] {
+#    resource := input.resources[_]
+#    lower(resource.type) == "azurerm_subnet"
+#    count([c | input.resources[_].type == "azurerm_subnet_network_security_group_association";
+#    	   c := 1]) == 0
+#}
+
+#azure_issue["vnet_subnet_nsg"] {
+#    resource := input.resources[_]
+#    lower(resource.type) == "azurerm_subnet"
+#    count([c | r := input.resources[_];
+#               r.type == "azurerm_subnet_network_security_group_association";
+#               re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.subnet_id); #matching is not wokring as expected due tf veriable reference in json. eventually we should match with resource.id instead of resource.name as per document but the id will only available from tf output file. it will be impossible to get id during compile time.
+#               c := 1]) == 0
+#    true == false # workaround for inconsistent resource naming
+#}
+
+#azure_issue["vnet_subnet_nsg"] {
+#    resource := input.resources[_]
+#    lower(resource.type) == "azurerm_network_security_group"
+#    count([c | r := input.resources[_];
+#               r.type == "azurerm_subnet_network_security_group_association";
+#               re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.network_security_group_id ); #matching is not wokring as expected due tf veriable reference in json. eventually we should match with resource.id instead of resource.name as per document but the id will only available from tf output file. it will be impossible to get id during compile time.
+#               c := 1]) == 0
+#    true == false # workaround for inconsistent resource naming
+#}
+
+azure_attribute_absence["vnet_subnet_nsg"] {
+    resource := input.resources[_]
+    lower(resource.type) == "azurerm_subnet_network_security_group_association"
+    not resource.subnet_id
+}
+
 azure_attribute_absence["vnet_subnet_nsg"] {
     resource := input.resources[_]
-    lower(resource.type) == "azurerm_subnet"
-    count([c | input.resources[_].type == "azurerm_subnet_network_security_group_association";
-    	   c := 1]) == 0
+    lower(resource.type) == "azurerm_subnet_network_security_group_association"
+    not resource.network_security_group_id
 }
 
 azure_issue["vnet_subnet_nsg"] {
     resource := input.resources[_]
-    lower(resource.type) == "azurerm_subnet"
-    count([c | r := input.resources[_];
-               r.type == "azurerm_subnet_network_security_group_association";
-               re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.subnet_id); #matching is not wokring as expected due tf veriable reference in json. eventually we should match with resource.id instead of resource.name as per document but the id will only available from tf output file. it will be impossible to get id during compile time.
-               c := 1]) == 0
-    true == false # workaround for inconsistent resource naming
+    lower(resource.type) == "azurerm_subnet_network_security_group_association"
+    count(resource.subnet_id) == 0
 }
 
 azure_issue["vnet_subnet_nsg"] {
     resource := input.resources[_]
-    lower(resource.type) == "azurerm_network_security_group"
-    count([c | r := input.resources[_];
-               r.type == "azurerm_subnet_network_security_group_association";
-               re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.network_security_group_id ); #matching is not wokring as expected due tf veriable reference in json. eventually we should match with resource.id instead of resource.name as per document but the id will only available from tf output file. it will be impossible to get id during compile time.
-               c := 1]) == 0
-    true == false # workaround for inconsistent resource naming
+    lower(resource.type) == "azurerm_subnet_network_security_group_association"
+    count(resource.network_security_group_id) == 0
 }
 
 vnet_subnet_nsg {