Fix NSG associations (#727)
- Format file with `opa fmt`
xortim authored May 7, 2021
1 parent 964167b commit 2d06d74
Showing 1 changed file with 36 additions and 24 deletions.
@@ -1,44 +1,56 @@
package accurics

{{.prefix}}noSecurityGroupAssociated[retVal] {
vn := input.azurerm_virtual_network[_]
vn.type = "azurerm_virtual_network"
object.get(vn.config, "subnet", "undefined") != "undefined"
not sgExists(vn.config)
vn := input.azurerm_virtual_network[_]
vn.type = "azurerm_virtual_network"
object.get(vn.config, "subnet", "undefined") != "undefined"
not sgExists(vn.config)

traverse = "subnet[0].security_group"
retVal := { "Id": vn.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "subnet.security_group", "AttributeDataType": "string", "Expected": "${azurerm_network_security_group.<security_group_name>.id}", "Actual": "" }
traverse = "subnet[0].security_group"
retVal := {"Id": vn.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "subnet.security_group", "AttributeDataType": "string", "Expected": "${azurerm_network_security_group.<security_group_name>.id}", "Actual": ""}
}

{{.prefix}}noSecurityGroupAssociated[retVal] {
vn := input.azurerm_virtual_network[_]
vn.type = "azurerm_virtual_network"
vn := input.azurerm_virtual_network[_]
vn.type = "azurerm_virtual_network"

object.get(input, "azurerm_subnet", "undefined") == "undefined"
object.get(vn.config, "subnet", "undefined") == "undefined"
object.get(input, "azurerm_subnet", "undefined") == "undefined"
object.get(vn.config, "subnet", "undefined") == "undefined"

rc = "ewogICJzdWJuZXQiOiB7CiAgICAibmFtZSI6ICJzdWJuZXQzIiwKICAgICJhZGRyZXNzX3ByZWZpeCI6ICI8Y2lkcj4iLAogICAgInNlY3VyaXR5X2dyb3VwIjogIiR7YXp1cmVybV9uZXR3b3JrX3NlY3VyaXR5X2dyb3VwLjxzZWN1cml0eV9ncm91cF9uYW1lPi5pZH0iCiAgfQp9"
traverse = ""
retVal := { "Id": vn.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "subnet", "AttributeDataType": "base64", "Expected": rc, "Actual": null }
rc = "ewogICJzdWJuZXQiOiB7CiAgICAibmFtZSI6ICJzdWJuZXQzIiwKICAgICJhZGRyZXNzX3ByZWZpeCI6ICI8Y2lkcj4iLAogICAgInNlY3VyaXR5X2dyb3VwIjogIiR7YXp1cmVybV9uZXR3b3JrX3NlY3VyaXR5X2dyb3VwLjxzZWN1cml0eV9ncm91cF9uYW1lPi5pZH0iCiAgfQp9"
traverse = ""
retVal := {"Id": vn.id, "ReplaceType": "add", "CodeType": "block", "Traverse": traverse, "Attribute": "subnet", "AttributeDataType": "base64", "Expected": rc, "Actual": null}
}

sgExists(cfg) = true {
sgExists(cfg) {
subs = cfg.subnet[_]
subs.security_group != ""
subs.security_group != ""
}

sgExists(cfg) = true {
sgExists(cfg) {
subs = cfg.subnet[_]
object.get(subs, "security_group", "undefined") == "undefined"
object.get(subs, "security_group", "undefined") == "undefined"
}

{{.prefix}}noSecurityGroupAssociated[subnet.id] {
subnet := input.azurerm_subnet[_]
subnet_name := subnet.name
not checkAssociation(subnet_name)
subnet := input.azurerm_subnet[_]
not hasAssociation(subnet)
}

checkAssociation(arg) {
subnet_with_sg := {nsga | nsga := split(input.azurerm_subnet_network_security_group_association[_].config.subnet_id, ".")[1]}
subnet_with_sg[arg]
}
hasAssociation(subnet) = exists {
security_group_association_hcl := {nsga |
nsga := split(input.azurerm_subnet_network_security_group_association[_].config.subnet_id, ".")[1]
}

security_group_association_hcl[subnet.name]
exists := true
}

hasAssociation(subnet) = exists {
security_group_association_plan := {nsga |
nsga := input.azurerm_subnet_network_security_group_association[_].config.subnet_id
}

security_group_association_plan[subnet.config.id]
exists := true
}
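Review bot: The HCL-side `hasAssociation` clause at the end of the hunk keys the match only on the second dot-separated segment of `subnet_id`, so any reference whose middle segment happens to equal a subnet's label — `module.<name>.subnet_id`, `var.<name>`, `local.<name>` — would mark that `azurerm_subnet` as protected without an actual `azurerm_subnet_network_security_group_association` pointing at it. Check the resource type as well, e.g. `parts := split(input.azurerm_subnet_network_security_group_association[_].config.subnet_id, ".")`, `trim_prefix(parts[0], "${") == "azurerm_subnet"`, `nsga := parts[1]` (the `trim_prefix` covers the `${...}` interpolation form that the base64 remediation text in this file uses). Conversely, labels carrying a `count`/`for_each` index (`azurerm_subnet.s[0].id`, `azurerm_subnet.s["a"].id`) yield `s[0]`/`s["a"]` from the split and will never equal a plain `subnet.name`, so those subnets are presumably still reported even when associated — worth confirming against how terrascan populates `name`. A one-line comment on each clause, such as `# HCL input: subnet_id is a reference like azurerm_subnet.<label>.id` and `# plan input: subnet_id is the literal resource ID`, would make the two input shapes explicit. Separately, `sgExists` is only reformatted here, but its second clause treats an inline subnet block with no `security_group` key at all as satisfied, so the first rule only fires when the attribute is explicitly `""`; if that is not intentional it is a false negative worth a follow-up.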
