Unsupported type for looping error

Hi, please, I am trying to evaluate my AWS Glue resource to ensure that connection_passward_encryption is enabled, and this can be verified using the attribute return_connection_passward_encrypted, which should be true. However, this is in a dictionary in the Sentinel mocks and I cannot figure out exactly how to loop through to extract that value for my check. Here are my mocks and policy, thank you: https://play.sentinelproject.io/

@f.nkeng it would be best if you provide a playground example of your policy, including mocks. We need these to be able to provide guidance.

Thank you @hcrhall, but I can't seem to find a blank playground. I edited the one I sent above with my code, but it reverted back to s3.

Click the Share button to generate a unique link that is shareable.

Thank you @maxb, I appreciate the heads-up.

https://play.sentinelproject.io/p/_2AAj6ZmU20

The problem is that you’re using a giant (>1400 lines!) library of Sentinel functions, but you’re passing a data type to one of those functions that it doesn’t expect (string, where it expects something it can iterate over).

Moreover, even with that bug fixed, I don’t think the function you’re calling matches your description of the behaviour you want.

It looks like you want something more like

plan.filter_attribute_is_not_value(all_data_catalog_encryption, 
"data_catalog_encryption_settings.0.connection_password_encryption.0.return_connection_password_encrypted",
true, true)

Thank you @maxb, I tried using the function you suggested before and it doesn't loop through the dictionary. I get the error logs:
aws_glue_data_catalog_encryption_settings.example has data_catalog_encryption_settings.0.connection_password_encryption.0.retention_connection_passward_encrypted that is null or undefined. It is supposed to be true

That’s because you misspelt the word password.

Indeed, it's Friday. Thanks for pointing that out, but it still does not work.
aws_glue_data_catalog_encryption_settings.example has data_catalog_encryption_settings.0.connection_password_encryption.0.retention_connection_password_encrypted that is null or undefined. It is supposed to be true

I literally just took the expression I posted, copied it into your playground example, ran it, and it worked:

aws_glue_data_catalog_encryption_settings.example has data_catalog_encryption_settings.0.connection_password_encryption.0.return_connection_password_encrypted with value false that is not equal to true

Which is apparently because you used the word retention instead of return.


Wow, I feel extremely foggy today. I appreciate your patience with me. Thanks, that works.


I wish Hashicorp allowed emoji reactions in this forum.

me too! :grinning lol

@f.nkeng just so you are aware, you can use some of the newer capabilities in Sentinel to make the policy a bit easier to read and more compact. The changes that I have made are: moved validated, made it an expression in main, and used an emptiness comparison instead of a length check.

import "tfplan/v2" as tfplan
import "tfplan-functions" as plan

encryption_settings = plan.find_resources("aws_glue_data_catalog_encryption_settings")

violations = plan.filter_attribute_is_not_value(encryption_settings, "data_catalog_encryption_settings.0.connection_password_encryption.0.return_connection_password_encrypted", true, true)

main = rule {
    violations.messages is empty
}

https://play.sentinelproject.io/p/_-onTkgfEpx

I'm actually interested in knowing more about folks' experience working with the tfplan-functions module. These are not actively maintained by HashiCorp, and I feel that sometimes there is a bit too much magic in the module. The result is that when things go bad, there is a steep learning curve.

Anybody got any thoughts on my observations?
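For comparison, here is an added example (not code from any poster in this thread and not part of the tfplan-functions module) that checks the same nested flag with only the tfplan/v2 import, so every step of the "loop through the dictionary" is visible. It assumes the mock nests the blocks as lists under change.after, exactly as the attribute path discussed above implies.

```sentinel
import "tfplan/v2" as tfplan

# Every planned Glue catalog encryption-settings resource that will still exist after apply.
glue_settings = filter tfplan.resource_changes as _, rc {
    rc.type is "aws_glue_data_catalog_encryption_settings" and
    rc.mode is "managed" and
    rc.change.actions is not ["delete"]
}

# True only when the nested flag is literally true.
# Each level is read with `else`, so a missing block yields false
# instead of the "undefined" / "unsupported type for looping" errors
# seen when a function is handed a value it cannot iterate.
password_encryption_enabled = func(rc) {
    settings = rc.change.after.data_catalog_encryption_settings else []
    if length(settings) is 0 {
        return false
    }
    pw = settings[0].connection_password_encryption else []
    if length(pw) is 0 {
        return false
    }
    return (pw[0].return_connection_password_encrypted else false) is true
}

# Resources whose connection passwords would be stored unencrypted.
violators = filter glue_settings as address, rc {
    not password_encryption_enabled(rc)
}

# Name each offending address so the failing policy explains itself.
for violators as address, _ {
    print(address, "does not enable connection password encryption")
}

main = rule {
    violators is empty
}
```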

I appreciate the heads-up @hcrhall