Sentinel empty resource

Hello, l am trying to write a policy that checks for lifecycle configuration in s3. I want the policy to fail if an s3 bucket is deployed without the lifecycle configuration. I used this code which works for my s3 specific module but fails all my other modules.
resources = plan.find_resources(“aws_s3_bucket_lifecycle_configuration”)
if !(resources is empty){
print (resources)
lifecycle_configuration_violation = plan.filter_attribute_is_value(resources, “values.0.rule”, , true)
validated = length(lifecycle_configuration_violation[“messages”]) is 0

} else {
	print("No lifecycle configured on S3 Bucket $BUCKET NAME, S3 buckets need to have lifecycle defined.")
	validated = false
}

Hi @f.nkeng

Thanks for posting your question. Unfortunately, it’s going to be very difficult for the community to provide assistance without some Sentinel mock data. You are likely to have more success if you share a playground link with the policy and the mock data.

I suspect that the issue is with your usage of the filter_attribute_is_value helper function, but without mock data, it is really hard to tell.

thanks for responding l have here a playground Sentinel Playground

Please correct me if I am wrong, but it appears that the policy you have provided is checking for the existence of rule on a aws_s3_bucket_lifecycle_configuration resource, but NOT checking to ensure that every bucket that is getting provisioned has a lifecycle configuration associated with it, which I believe is the outcome you are hoping to achieve?

yes please that is exactly what l am trying to achieve.checking to ensure that every bucket that is getting provisioned has a lifecycle configuration associated with it,

May l have some help achieving that objective please.
Thanks

@f.nkeng if you would like assistance, you will need to provide a full set of mocks that include all resources that will be provisioned. You mentioned that the policy passes on some modules but not on others. I think that’s likely because for the modules that passed, lifecycle resources did not exist and therefore there was nothing to check.

@f.nkeng If I have understood your issue properly, then Generally lifecycle configuration and s3 buckets are deployed as separate resources and while defining life cycle configuration we need to provide references to the S3 bucket id.
So in this case first you need to define function to collect list of s3s getting provisioned and then check on each lifecycle configuration if those all S3 ids are declared. Hope I am clear.

Thanks @hcrhall l have updated some mocks in my playground

@ashutoshrathore you are right the buckets are deployed as separate resources from the lifecycle configuration. But i am still unclears as to how to define the functions to check the buckets being provisioned please.

@f.nkeng As @hcrhall said, please provide mock files for both lifecycle configuration and S3 bucket in playground. Then I will be able to assist you how you can check it. :slight_smile:

Thank you l have provided the pass and fail mocks l am using in play ground.Sentinel Playground

@f.nkeng

It looks like you have sent us the previous URL. You will need to add the new mocks and then click the share button which will generate a new share URL. When you send the new URL we will have access to the new mock data.

https://play.sentinelproject.io/p/koQs70KH7oN
sorry about that. I hope this works.
Thanks