Delta between two maps in Sentinel?

Hi there,

I would like to output the delta between two maps in Sentinel. There is a map with arpFlood set to “yes” and others without. I would like to dynamically get keys of the objects that do not have arp_flood set to “yes”

import "tfplan/v2" as tfplan

bds = filter tfplan.planned_values.resources as _, rc {
    rc.type is "aci_rest_managed" and rc.values.class_name is "fvBD"

ok_bds = filter bds as _, rc {
    rc.values.content.arpFlood is "yes"

mandatory_flood = rule {
    length(ok_bds) == length(bds)

main = rule {

The objective is to return any keys that violate the rule. Or is there a better way to return the specific keys that do not match the rule?

Here is an example of the mock:

planned_values = {
	"outputs": {},
	"resources": {
		"module.tenant[\"dev\"].module.aci_bridge_domain[\"\"].aci_rest_managed.fvBD": {
			"address":        "module.tenant[\"dev\"].module.aci_bridge_domain[\"\"].aci_rest_managed.fvBD",
			"depends_on":     [],
			"deposed_key":    "",
			"index":          null,
			"mode":           "managed",
			"module_address": "module.tenant[\"dev\"].module.aci_bridge_domain[\"\"]",
			"name":           "fvBD",
			"provider_name":  "",
			"tainted":        false,
			"type":           "aci_rest_managed",
			"values": {
				"child":      [],
				"class_name": "fvBD",
				"content": {
					"arpFlood":              "yes",
					"descr":                 "",
					"hostBasedRouting":      "no",

Thanks in advance,

Hello Rob-

I’ve thrown a simple example here, where I filter to any value that doesn’t have “arpFlood”: “yes” specifically set (using the mock you provided as an example) and print the keys for the violation.

It makes use of a predicate rule to only evaluate the condition when violations are present

If this isn’t what you’re after, feel free to clarify and ideally provide a full mock example in the Sentinel Playground. Let me know if you have any questions!

1 Like

depending on the number of violations you may wish to iterate over the violations object and print/manipulate the keys individually rather than just grab keys on violations itself

On further thought, I updated this to remove the print statement from the predicate rule as this will result in it evaluating to true.

I’ve explicitly set the return value of that to false instead, and handle logging the violations outside of the rule as is better practice.


1 Like

Thanks Sean, indeed. The first example you shared does print the violating key, but results in true. The second example works. Thanks!

1 Like