getting the following error on my policy

An error occurred evaluating the policy:

policy.sentinel:15:7: selectors only available for imports, maps, and modules, got list

"endpoint_config": [
  {
       "enable_http_port_access": false,
       "http_ports":              {},
  },
],

I know it is because it is finding a list, but I am not sure what I need to correct.

import “tfplan/v2” as tfplan
import “strings”
import “types”

Find all Dataproc Clusters

allDataprocCluster = filter tfplan.resource_changes as _, resource_changes {
resource_changes.type is “google_dataproc_cluster” and
resource_changes.mode is “managed” and
( resource_changes.change.actions is [“create”] or
resource_changes.change.actions is [“update”] )
}

enable_http_port_access_is_true = rule {
all allDataprocCluster as _, dc {
all dc.change.after.cluster_config.endpoint_config as _, ehpa {
ehpa.enabled is true
}
}
}

main = rule { enable_http_port_access_is_true }

here is my policy on the playground

https://play.sentinelproject.io/p/2SJVEDWsCvu

Thanks for reaching out @frank.lugo. It seems that cluster_config and endpoint_config are both lists, which means accessing them directly via a selector (.) is in fact not allowed. However, you can go one level deeper on the all chain and handle it that way.

Playground example:

https://play.sentinelproject.io/p/R_xhpAeysib

It would make sense if this operation would return undefined instead of error, to allow escaping from it with else.

It would be more elegant than nesting multiple for blocks.

hey,

what if we had to apply checks on “http_ports”: {},
and that’s so using sockaddr supose there is any other field over like
cidr_blocks {
cidr_block = “10.0.0.0/16”
}

not in this config suppose for composer environment master_authorized_networks_config

it will be quite similar