We are using modules in conjunction with templates to deploy our Terraform. The mock files show resources that look like this:
resources = {
    "module.appserviceplan[\"appserviceplan1\"].azurerm_resource_group.this": {
        "address": "module.appserviceplan[\"appserviceplan1\"].azurerm_resource_group.this",
        "depends_on": [],
        "deposed_key": "",
        "index": null,
        "mode": "data",
        "module_address": "module.appserviceplan[\"appserviceplan1\"]",
        "name": "plan-name",
I cannot seem to get my sentinel policy to recognize that resource name or attributes below it. Is there a way to make this work?
Here is my mock file:

cat restrict-new-app-service-plan.sentinel

    # This policy uses the Sentinel tfstate/v2 state to advise that
    # Azure app service plans exist in their resource group
    # so that developers can consider using that instead of creating new ones.

    # Import common-functions/tfstate-functions/tfstate-functions.sentinel with
    # alias "state"
    import "tfstate-functions" as state

    # List of allowed publishers
    # Include "null" to allow missing or computed values
    #allowed_list = ["useast", "us-east2"]

    # Get all Azure app service plans
    allAzureAppServicePlan = state.find_resources("module.appserviceplan.[0].azurerm_resource_group.this")

    # Filter to Azure app service plans with violations
    # Warnings will be printed for all violations since the last parameter is true
    violatingAzureAppServicePlan = state.filter_attribute_not_in_list(allAzureAppServicePlan, "name", "this", true)

    # Main rule
    # The filter returns a map with "resources" and "messages" keys, so count the messages
    violations = length(violatingAzureAppServicePlan["messages"])

    # Print violation messages (only when at least one resource violated the filter)
    if violations > 0 {
        print("An App Service Plan already exists in your resource group, please consider utilizing a plan that already exists before creating a new plan for Cost Optimization")
    }

    main = rule {
        violations is 0
    }
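For comparison, here is an added example policy (not the poster's code, and not part of the tfstate-functions library) that reads the tfstate/v2 import directly and matches module resources by their structured fields. It assumes the resource type `azurerm_resource_group` and the module prefix `module.appserviceplan` seen in the mock above; any other type or module name is a placeholder you would substitute. The point it shows is that resources inside module instances are found by `type`, `mode` and `module_address`, not by a hard-coded address string with a guessed index such as `[0]`.

```sentinel
# Added example, not the poster's policy and not the tfstate-functions library.
# Finds resources inside module instances by type and module address prefix
# instead of a hard-coded address like "module.appserviceplan.[0]...".
# Assumptions: type "azurerm_resource_group" and prefix "module.appserviceplan"
# are taken from the mock shown in the question.
import "tfstate/v2" as tfstate
import "strings"

# Managed resources in a module instance have addresses such as
#   module.appserviceplan["appserviceplan1"].azurerm_resource_group.this
# Match on the structured fields the import exposes rather than on the string.
find_in_modules = func(type, module_prefix) {
  return filter tfstate.resources as address, r {
    r.type is type and
    r.mode is "managed" and
    strings.has_prefix(r.module_address, module_prefix)
  }
}

# Data sources carry mode "data" (the mock above shows one) and are skipped
# by the managed filter; collect them separately when the policy needs them.
find_data_in_modules = func(type, module_prefix) {
  return filter tfstate.resources as address, r {
    r.type is type and
    r.mode is "data" and
    strings.has_prefix(r.module_address, module_prefix)
  }
}

existing_groups = find_in_modules("azurerm_resource_group", "module.appserviceplan")
existing_group_data = find_data_in_modules("azurerm_resource_group", "module.appserviceplan")

# Print what was matched so a failing mock can be debugged from the trace output.
for existing_groups as address, r {
  print("matched managed resource", address, "in", r.module_address, "name:", r.values.name)
}
for existing_group_data as address, r {
  print("matched data source", address, "in", r.module_address)
}

# Same intent as the poster's rule: fail (or warn, under an advisory
# enforcement level) when a matching resource already exists in state.
main = rule {
  length(existing_groups) is 0
}
```

Run it with `sentinel apply -trace` against the same `sentinel.hcl` mock configuration to see the matched addresses printed; because the rule fails whenever a match exists, set the policy's enforcement level to advisory if the goal is to nudge developers rather than block the run.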