Delta between two maps in Sentinel?

Hi there,

I would like to output the delta between two maps in Sentinel. There is a map with arpFlood set to “yes” and others without. I would like to dynamically get the keys of the objects that do not have arp_flood set to “yes”.

import "tfplan/v2" as tfplan

bds = filter tfplan.planned_values.resources as _, rc {
    rc.type is "aci_rest_managed" and rc.values.class_name is "fvBD"
}

ok_bds = filter bds as _, rc {
    rc.values.content.arpFlood is "yes"
}

mandatory_flood = rule {
    length(ok_bds) == length(bds)
}

main = rule {
    mandatory_flood
}

The objective is to return any keys that violate the rule. Or is there a better way to return the specific keys that do not match the rule?

Here is an example of the mock:

planned_values = {
	"outputs": {},
	"resources": {
		"module.tenant[\"dev\"].module.aci_bridge_domain[\"10.1.10.0_24\"].aci_rest_managed.fvBD": {
			"address":        "module.tenant[\"dev\"].module.aci_bridge_domain[\"10.1.10.0_24\"].aci_rest_managed.fvBD",
			"depends_on":     [],
			"deposed_key":    "",
			"index":          null,
			"mode":           "managed",
			"module_address": "module.tenant[\"dev\"].module.aci_bridge_domain[\"10.1.10.0_24\"]",
			"name":           "fvBD",
			"provider_name":  "registry.terraform.io/ciscodevnet/aci",
			"tainted":        false,
			"type":           "aci_rest_managed",
			"values": {
				"child":      [],
				"class_name": "fvBD",
				"content": {
					"arpFlood":              "yes",
					"descr":                 "",
					"hostBasedRouting":      "no",
}

Thanks in advance,
Rob

Hello Rob-

I’ve thrown a simple example here, where I filter to any value that doesn’t have “arpFlood”: “yes” specifically set (using the mock you provided as an example) and print the keys for the violation.

It makes use of a predicate rule to only evaluate the condition when violations are present.

If this isn’t what you’re after, feel free to clarify and ideally provide a full mock example in the Sentinel Playground. Let me know if you have any questions!

https://play.sentinelproject.io/p/09lmqt5XAE8

1 Like

Depending on the number of violations you may wish to iterate over the violations object and print/manipulate the keys individually rather than just grab keys on violations itself.

On further thought, I updated this to remove the print statement from the predicate rule as this will result in it evaluating to true.

https://play.sentinelproject.io/p/4HFlNTp4XKV

I’ve explicitly set the return value of that to false instead, and handle logging the violations outside of the rule as is better practice.

@robvand

1 Like
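The approach described in the replies above, written out as an added example (this is not the playground policy Sean linked, which is not reproduced on this page): collect the violating bridge domains with a filter, print their resource addresses outside any rule so the print cannot affect the result, and have the predicate rule return false only when violations exist. It assumes the same resource shape as Rob's mock.

```sentinel
import "tfplan/v2" as tfplan

# All bridge-domain resources in the plan (aci_rest_managed with class fvBD)
bds = filter tfplan.planned_values.resources as _, rc {
    rc.type is "aci_rest_managed" and rc.values.class_name is "fvBD"
}

# Keep only the bridge domains whose content does NOT set arpFlood to "yes".
# A missing "arpFlood" key is treated as a violation as well; the `else`
# default keeps the comparison defined when the key is absent.
violations = filter bds as _, rc {
    (rc.values.content["arpFlood"] else "") is not "yes"
}

# Log each violating resource address (the map key) outside the rule body.
# print() returns true, so calling it inside a rule would make the rule pass.
if length(violations) > 0 {
    print("Bridge domains without arpFlood = yes:")
    for violations as address, _ {
        print("  - " + address)
    }
}

# Predicate rule: the body only runs when violations exist and then returns
# false; when the predicate is false the rule evaluates to true.
# This is equivalent to `rule { length(violations) == 0 }`.
mandatory_flood = rule when length(violations) > 0 {
    false
}

main = rule {
    mandatory_flood
}
```

Against Rob's mock (arpFlood set to "yes" on the only fvBD resource) the violations map is empty and the policy passes; removing or changing that value lists the resource address and fails the policy.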

Thanks Sean, indeed. The first example you shared does print the violating key, but results in true. The second example works. Thanks!

1 Like