The ip range doesn't work

Hi folks,
I have the following code for the CIDR range:

import "tfplan/v2" as tfplan
import "tfplan-functions" as plan

param allowed_vnet_cidr default ["192.168.0.0/24", "172.0.0.0/16", "10.0.0.0/8"]

VNetAllowRules = filter tfplan.resource_changes as address, rc {
  rc.type is "azurerm_virtual_network" and
  rc.mode is "managed" and
  (rc.change.actions contains "create" or rc.change.actions contains "update" or
   rc.change.actions contains "read" or rc.change.actions contains "no-op")
}

violatingVnetRules = plan.filter_attribute_contains_items_not_in_list(
    VNetAllowRules, "address_space", allowed_vnet_cidr, true)

main = rule {
  length(violatingVnetRules["messages"]) is 0
}

But when I input the following for the vnet, it fails:
10.210.1.0/24 & 10.210.1.0/28. It errors on 10.210.1.0/28, saying it's not in 10.210.1.0/24.

Hi @AnthonyBratt

Welcome to the community, and thanks for your question.

violatingVnetRules = plan.filter_attribute_contains_items_not_in_list(
    VNetAllowRules, "address_space", allowed_vnet_cidr, true)

Reviewing your policy, it appears that you are checking for the existence of a value within the list allowed_vnet_cidr, which is a parameter. Have you confirmed that 10.210.1.0/28 is a valid value in this list?

Just to confirm, the policy logic is looking for a string value, it is not checking the range of the CIDR address space.

@hcrhall the 10.210.1.0/28 is a valid value that I want to have for the vnet.
BTW, how can I check the range of the CIDR address space?

Try updating the allowed_vnet_cidr value to the following:

param allowed_vnet_cidr default ["192.168.0.0/24", "172.0.0.0/16", "10.0.0.0/8", "10.210.1.0/28"]

how can i check for the range of the CIDR address space

There is no out-of-the-box solution for this; however, you could use the Sentinel HTTP import. For example, you could write a module that sends a GET request to an external service that returns the range.
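An added example, not from this thread or from Sentinel itself: the range check done in Python with the standard ipaddress module over a constructed fragment in the shape of Terraform's JSON plan output (the plan, resource addresses and the DMZ CIDR are made up for the example). The same logic could back the external service mentioned above, and the by_range=False mode reproduces the string-only match that rejects 10.210.1.0/28 even though it sits inside 10.0.0.0/8.

```python
import ipaddress
import json

# Constructed sample in the shape of `terraform show -json` output; not a real plan.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "azurerm_virtual_network.main",
            "type": "azurerm_virtual_network",
            "mode": "managed",
            "change": {"actions": ["create"],
                       "after": {"address_space": ["10.210.1.0/24", "10.210.1.0/28"]}},
        },
        {
            "address": "azurerm_virtual_network.dmz",
            "type": "azurerm_virtual_network",
            "mode": "managed",
            "change": {"actions": ["update"],
                       "after": {"address_space": ["203.0.113.0/24"]}},
        },
    ]
})

# Same allow-list as the policy parameter in the question.
ALLOWED_VNET_CIDR = ["192.168.0.0/24", "172.0.0.0/16", "10.0.0.0/8"]


def cidr_in_allowed(cidr, allowed):
    """True if `cidr` lies entirely inside at least one allowed range (same IP version)."""
    net = ipaddress.ip_network(cidr, strict=False)
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    return any(net.subnet_of(a) for a in nets if a.version == net.version)


def vnet_violations(plan_json, allowed, by_range=True):
    """Return {resource address: [offending CIDRs]} for managed VNets being created/updated.

    by_range=True checks containment; by_range=False is the exact string match
    that the original Sentinel policy performs.
    """
    violations = {}
    for rc in json.loads(plan_json)["resource_changes"]:
        if rc["type"] != "azurerm_virtual_network" or rc["mode"] != "managed":
            continue
        if not set(rc["change"]["actions"]) & {"create", "update", "read", "no-op"}:
            continue
        after = rc["change"].get("after") or {}
        bad = [c for c in after.get("address_space", [])
               if not (cidr_in_allowed(c, allowed) if by_range else c in allowed)]
        if bad:
            violations[rc["address"]] = bad
    return violations
```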

Thanks, I will update and try to run it!