Hi All, We have a requirement to check the value of parent resource and then based on it, need to evaluate the child resource values.
eg: for google_privateca_certificate_authority we need to retrieve the value of corresponding google_privateca_ca_pool.tier value.
This value needs to be checked in both config and state files.
We managed to prepare the below code, but this doesn’t seems optimized. Can we have forum suggestions on this please. Thanks in advance
violations_ca_caalgorithm = {}
allowed_algo = ["RSA_PKCS1_4096_SHA256", "RSA_PKCS1_2048_SHA256" ,"RSA_PKCS1_3072_SHA256" ]
found_rc = false
for all_ca_authority as address, rc {
ca_cacmek_pool= plan.evaluate_attribute(rc, "pool")
print(ca_cacmek_pool)
for all_ca_pool as address_t, rc_t {
ca_poolname = plan.evaluate_attribute(rc_t, "name")
if ca_poolname is ca_cacmek_pool {
ca_pool_tier = plan.evaluate_attribute(rc_t, "tier")
print(ca_pool_tier)
#print(rc_dev)
if ca_pool_tier is "DEVOPS" {
cacmek_algo = plan.evaluate_attribute(rc, "key_spec.0.algorithm")
print(cacmek_algo)
if cacmek_algo in allowed_algo {
print("algo matches")
} else {
print ("capool is not devops")
violations_ca_caalgorithm[address] = rc
}
}
}
}
for all_ca_pool_st as address_st, rc_st {
ca_poolname_st = state.evaluate_attribute(rc_st, "name")
if ca_poolname_st is ca_cacmek_pool {
ca_pool_tier_st = state.evaluate_attribute(rc_st, "tier")
print(ca_poolname_st)
#print(ca_pool_tier_st)
#print(rc_dev)
if ca_pool_tier_st is "DEVOPS" {
cacmek_algo_st = plan.evaluate_attribute(rc, "key_spec.0.algorithm")
print(cacmek_algo_st)
if cacmek_algo_st in allowed_algo {
print("algo matches")
} else {
print ("capool is not devops")
violations_ca_caalgorithm[address] = rc
}
}
}
}
}
GCP_CAS_CAALGORITHM = rule { length(violations_ca_caalgorithm) is 0 }