Selectors only available for imports, maps, and modules got list error

frank.lugo · November 8, 2022, 8:40pm

getting the following error on my policy

An error occurred evaluating the policy:

policy.sentinel:15:7: selectors only available for imports, maps, and modules, got list

"endpoint_config": [
  {
       "enable_http_port_access": false,
       "http_ports":              {},
  },
],

I know it is because it is finding a list, but I am not sure what I need to correct.

import “tfplan/v2” as tfplan
import “strings”
import “types”

Find all Dataproc Clusters

allDataprocCluster = filter tfplan.resource_changes as _, resource_changes {
resource_changes.type is “google_dataproc_cluster” and
resource_changes.mode is “managed” and
( resource_changes.change.actions is [“create”] or
resource_changes.change.actions is [“update”] )
}

enable_http_port_access_is_true = rule {
all allDataprocCluster as _, dc {
all dc.change.after.cluster_config.endpoint_config as _, ehpa {
ehpa.enabled is true
}
}
}

main = rule { enable_http_port_access_is_true }

here is my policy on the playground

https://play.sentinelproject.io/p/2SJVEDWsCvu

cam-stitt · November 8, 2022, 9:21pm

Thanks for reaching out @frank.lugo. It seems that cluster_config and endpoint_config are both lists, which means accessing them directly via a selector (.) is in fact not allowed. However, you can go one level deeper on the all chain and handle it that way.

Playground example:

https://play.sentinelproject.io/p/R_xhpAeysib

levidos · February 7, 2023, 7:47pm

It would make sense if this operation would return undefined instead of error, to allow escaping from it with else.

It would be more elegant than nesting multiple for blocks.