import "tfplan/v2" as tfplan
import "approved"
import "policy_summary"
// Planned action sets that make a resource eligible for evaluation. A resource is
// only inspected when its tfplan `change.actions` list equals one of these; planned
// destroys are never evaluated, since nothing will exist afterwards to violate the
// policy. Overridable per policy set via the Sentinel parameter mechanism.
param valid_actions default [["no-op"], ["create"], ["update"]]
// Policy metadata for aws_emr_cluster, read from the shared "approved" module.
// The filters below use doc.resource and doc.allowed; policy_summary.summary reads
// the remaining fields when it renders the report.
emr_cfg = approved.aws.aws_emr_cluster

doc = {
	// what this policy targets
	"provider":  emr_cfg.provider,
	"resource":  emr_cfg.resource,
	"category":  emr_cfg.category,
	"parameter": emr_cfg.parameter,

	// the allow-list: optimal types first, then the alternative ones
	"allowed":   emr_cfg.optimal + emr_cfg.alternative,

	// reporting fields
	"error":     emr_cfg.error,
	"violation": emr_cfg.violation,
	"file_name": emr_cfg.deny_file_name,
	"md_url":    approved.aws.policies_url,
}
// Filter resources by type: keep only managed resources of the policed type
// (doc.resource) whose planned action set is one of valid_actions. Data sources
// (mode "data") and planned destroys never reach the violation check.
all_resources = filter tfplan.resource_changes as _, candidate {
	candidate.mode is "managed" and
	candidate.change.actions in valid_actions and
	candidate.type is doc.resource
}
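// Filter resources that violate a given condition: a cluster is a violator when any
// instance fleet (core or master) declares an instance type outside doc.allowed.
//
// Only the instance-fleet blocks (core_instance_fleet, master_instance_fleet) are
// inspected. Instance-group style clusters (core_instance_group /
// master_instance_group) are not examined here — NOTE(review): confirm against the
// approved module whether that coverage gap is intended.
//
// Returns true when at least one instance_type_config in the given fleets names a
// type that is not on the allow-list.
unapproved_fleet_type = func(fleets) {
	return any fleets as _, fleet {
		any fleet.instance_type_configs else [] as _, instance_type_config {
			// Parenthesised so the fallback applies to the attribute, not to the
			// comparison; a config without an instance_type falls back to [] which is
			// never on the allow-list and is therefore reported.
			(instance_type_config.instance_type else []) not in doc.allowed
		}
	}
}

// `any` at both levels, on purpose: `all` over the core fleets would be vacuously
// true for a cluster that has no core fleet (flagging every fleet-less cluster), and
// would let one compliant core fleet hide an unapproved type in another. The master
// fleet is checked independently of whether a core fleet exists. A missing fleet
// block falls back to [] so the expression stays boolean rather than undefined.
violators = filter all_resources as _, r {
	unapproved_fleet_type(r.change.after.core_instance_fleet else []) or
	unapproved_fleet_type(r.change.after.master_instance_fleet else [])
}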
// Build a summary report: one entry per violating resource, with the policy's error
// text appended to the resource name so the message identifies the offending cluster.
// NOTE(review): doc defines no "name" key, so doc.name evaluates to undefined here;
// confirm which doc field policy_summary.summary expects for the report name.
violation_entry = func(v) {
	return {
		"name":    v.name,
		"address": v.address,
		"type":    v.type,
		"message": v.name + doc.error,
	}
}

summaryreport = {
	"name":       doc.name,
	"violations": map violators as _, v { violation_entry(v) },
}
# Unapproved instance type detected
// Entry point. Delegates the pass/fail decision and the human-readable output to
// policy_summary.summary, which receives the per-resource report and the policy
// metadata; this policy itself contains no further evaluation logic.
main = rule {
	policy_summary.summary(summaryreport, doc)
}