Selectors only available for imports, maps, and modules got list error

getting the following error on my policy

An error occurred evaluating the policy:

policy.sentinel:15:7: selectors only available for imports, maps, and modules, got list

"endpoint_config": [
       "enable_http_port_access": false,
       "http_ports":              {},

I know it is because it is finding a list, but I am not sure what I need to correct.

import “tfplan/v2” as tfplan
import “strings”
import “types”

Find all Dataproc Clusters

allDataprocCluster = filter tfplan.resource_changes as _, resource_changes {
resource_changes.type is “google_dataproc_cluster” and
resource_changes.mode is “managed” and
( resource_changes.change.actions is [“create”] or
resource_changes.change.actions is [“update”] )

enable_http_port_access_is_true = rule {
all allDataprocCluster as _, dc {
all dc.change.after.cluster_config.endpoint_config as _, ehpa {
ehpa.enabled is true

main = rule { enable_http_port_access_is_true }

here is my policy on the playground

Thanks for reaching out @frank.lugo. It seems that cluster_config and endpoint_config are both lists, which means accessing them directly via a selector (.) is in fact not allowed. However, you can go one level deeper on the all chain and handle it that way.

Playground example:

It would make sense if this operation would return undefined instead of error, to allow escaping from it with else.

It would be more elegant than nesting multiple for blocks.


what if we had to apply checks on “http_ports”: {},
and that’s so using sockaddr supose there is any other field over like
cidr_blocks {
cidr_block = “”

not in this config suppose for composer environment master_authorized_networks_config

it will be quite similar