[BUG] Running a UT doesn't work with Regula > v2.5.0 #373

Open
rsareth opened this issue Nov 14, 2022 · 0 comments

rsareth commented Nov 14, 2022

Describe the bug
Since version 2.6.0, one of our UTs doesn't pass anymore, and I don't understand why. The syntax looks good to me.

How you're running Regula

  • I'm using Regula >= v2.6.0 as a Rego library with OPA >= v0.37.2

Operating System
Mac OS and Linux

Steps to reproduce

  • Step 1 - Create this file tree:
# Content in test/aws/input/aws_002_lambda_check_with_log_group.tf
resource "aws_cloudwatch_log_group" "valid" {
  name = "/aws/lambda/valid"
}

resource "aws_lambda_function" "valid" {
  depends_on = [aws_cloudwatch_log_group.valid]

  function_name = "valid"
  role          = ""
}

resource "aws_lambda_function" "invalid" {
  function_name = "invalid"
  role          = ""
}

# Content in test/aws/aws_002_lambda_check_with_log_group_test.rego
package rules.tf_aws_lambda_associated_with_cloudwatch_log_group

import data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input

test_lambda_only {
	pol = policy with input as mock_input
	resources := {p.id: p.valid | p := pol[_]}

	resources["aws_lambda_function.valid"] == true
	resources["aws_lambda_function.invalid"] == false
}

# Content in policy/aws/tf/aws_002_lambda_check_with_log_group.rego
package rules.tf_aws_lambda_associated_with_cloudwatch_log_group

import data.fugue

__rego__metadoc__ := {
	"custom": {"severity": "Medium"},
	"id": "AWS_002",
	"title": "Ensure that each lambda has its own log group",
	"description": "Creating the log group for each lambda prevent it from creating the log group dynamically",
}

resource_type := "MULTIPLE"

log_group_resource_type := "aws_cloudwatch_log_group"

all_log_groups := fugue.resources(log_group_resource_type)

lambda_resource_type := "aws_lambda_function"

all_lambdas := fugue.resources(lambda_resource_type)

check_log_group_name_match_lambda_name(lambda) {
	lambda_name := lambda.function_name
	log_group_name := concat("/", ["/aws/lambda", lambda_name])
	all_log_groups[_].name == log_group_name
}

depends_on_log_group(current_lambda) {
	is_array(current_lambda.depends_on)
	current_lambda.depends_on[_] == all_log_groups[_].id
}

policy[r] {
	current_lambda := all_lambdas[_]
	depends_on_log_group(current_lambda)
	check_log_group_name_match_lambda_name(current_lambda)
	r := fugue.allow_resource(current_lambda)
}

policy[r] {
	current_lambda := all_lambdas[_]
	not depends_on_log_group(current_lambda)
	not check_log_group_name_match_lambda_name(current_lambda)
	msg := sprintf("The lambda %v doesn't have any %v associated with it!", [current_lambda.id, log_group_resource_type])
	r := fugue.deny_resource_with_message(current_lambda, msg)
}

  • Step 2 - Running the UT
$ regula -v test -t policy test
[...]
FAILURES
--------------------------------------------------------------------------------
data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only: FAIL (1.082938ms)

  query:1                                                               Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only = _
  query:1                                                               | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only = _
  query:1                                                               | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only (matched 1 rule, early exit)
  test/aws/aws_002_lambda_check_with_log_group_test.rego:5          | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only
  test/aws/aws_002_lambda_check_with_log_group_test.rego:6          | | Eval __local1502__ = data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input
  test/aws/aws_002_lambda_check_with_log_group_test.rego:6          | | Index data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input (matched 1 rule)
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:18     | | Enter data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:19     | | | Eval __local1491__ = data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_config
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:19     | | | Index data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_config (matched 1 rule, early exit)
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:22     | | | Enter data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_config
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:22     | | | | Eval true
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:22     | | | | Exit data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_config early
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:19     | | | Eval ret = data.fugue.resource_view.resource_view_input with input as __local1491__
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:19     | | | Index data.fugue.resource_view.resource_view_input (matched 1 rule)
  lib/fugue/resource_view.rego:44                                       | | | Enter data.fugue.resource_view.resource_view_input
  lib/fugue/resource_view.rego:45                                       | | | | Eval _ = input.hcl_resource_view_version
  lib/fugue/resource_view.rego:46                                       | | | | Eval __local1677__ = data.fugue.resource_view.resource_view
  lib/fugue/resource_view.rego:46                                       | | | | Index data.fugue.resource_view.resource_view (matched 1 rule)
  lib/fugue/resource_view.rego:26                                       | | | | Enter data.fugue.resource_view.resource_view
  lib/fugue/resource_view.rego:28                                       | | | | | Eval _ = input.hcl_resource_view_version
  lib/fugue/resource_view.rego:29                                       | | | | | Eval ret = input.resources
  lib/fugue/resource_view.rego:26                                       | | | | | Exit data.fugue.resource_view.resource_view
  lib/fugue/resource_view.rego:46                                       | | | | Eval ret = {"resources": __local1677__}
  lib/fugue/resource_view.rego:44                                       | | | | Exit data.fugue.resource_view.resource_view_input
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:18     | | | Exit data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input
  test/aws/aws_002_lambda_check_with_log_group_test.rego:6          | | Eval pol = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy with input as __local1502__
  test/aws/aws_002_lambda_check_with_log_group_test.rego:6          | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy (matched 2 rules)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:33         | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:34         | | | Eval current_lambda = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas[_]
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:34         | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas (matched 1 rule)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Eval true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Eval __local1769__ = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.lambda_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.lambda_resource_type (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:18         | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.lambda_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:18         | | | | | Eval true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:18         | | | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.lambda_resource_type early
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Eval data.fugue.resources(__local1769__, __local1362__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Index data.fugue.resources (matched 1 rule)
  lib/fugue.rego:38                                                     | | | | Enter data.fugue.resources
  lib/fugue.rego:39                                                     | | | | | Eval ret = data.fugue.resources_by_type[rt]
  lib/fugue.rego:39                                                     | | | | | Index data.fugue.resources_by_type (matched 1 rule)
  lib/fugue.rego:26                                                     | | | | | Enter data.fugue.resources_by_type
  lib/fugue.rego:26                                                     | | | | | | Eval true
  lib/fugue.rego:26                                                     | | | | | | Eval __local1455__ = {rt: rs | data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}}
  lib/fugue.rego:27                                                     | | | | | | Enter data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:27                                                     | | | | | | | Eval data.fugue.resource_types[rt]
  lib/fugue.rego:27                                                     | | | | | | | Index data.fugue.resource_types (matched 1 rule)
  lib/fugue.rego:19                                                     | | | | | | | Enter data.fugue.resource_types
  lib/fugue.rego:19                                                     | | | | | | | | Eval true
  lib/fugue.rego:19                                                     | | | | | | | | Eval __local1453__ = {rt | r = input.resources[_]; rt = r._type}
  lib/fugue.rego:20                                                     | | | | | | | | Enter r = input.resources[_]; rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Eval r = input.resources[_]
  lib/fugue.rego:21                                                     | | | | | | | | | Eval rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Exit r = input.resources[_]; rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | Redo r = input.resources[_]; rt = r._type
  lib/fugue.rego:21                                                     | | | | | | | | | Redo rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Redo r = input.resources[_]
  lib/fugue.rego:21                                                     | | | | | | | | | Eval rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Exit r = input.resources[_]; rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | Redo r = input.resources[_]; rt = r._type
  lib/fugue.rego:21                                                     | | | | | | | | | Redo rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Redo r = input.resources[_]
  lib/fugue.rego:21                                                     | | | | | | | | | Eval rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Exit r = input.resources[_]; rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | Redo r = input.resources[_]; rt = r._type
  lib/fugue.rego:21                                                     | | | | | | | | | Redo rt = r._type
  lib/fugue.rego:20                                                     | | | | | | | | | Redo r = input.resources[_]
  lib/fugue.rego:19                                                     | | | | | | | | Exit data.fugue.resource_types
  lib/fugue.rego:28                                                     | | | | | | | Eval rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:29                                                     | | | | | | | Enter r = input.resources[ri]; r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Eval r = input.resources[ri]
  lib/fugue.rego:30                                                     | | | | | | | | Eval r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Exit r = input.resources[ri]; r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | Redo r = input.resources[ri]; r._type = rt
  lib/fugue.rego:30                                                     | | | | | | | | Redo r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Redo r = input.resources[ri]
  lib/fugue.rego:30                                                     | | | | | | | | Eval r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Exit r = input.resources[ri]; r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | Redo r = input.resources[ri]; r._type = rt
  lib/fugue.rego:30                                                     | | | | | | | | Redo r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Redo r = input.resources[ri]
  lib/fugue.rego:30                                                     | | | | | | | | Eval r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Exit r = input.resources[ri]; r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | Redo r = input.resources[ri]; r._type = rt
  lib/fugue.rego:30                                                     | | | | | | | | Redo r._type = rt
  lib/fugue.rego:29                                                     | | | | | | | | Redo r = input.resources[ri]
  lib/fugue.rego:27                                                     | | | | | | | Exit data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:27                                                     | | | | | | Redo data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:28                                                     | | | | | | | Redo rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:27                                                     | | | | | | | Redo data.fugue.resource_types[rt]
  lib/fugue.rego:28                                                     | | | | | | | Eval rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:27                                                     | | | | | | | Exit data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:27                                                     | | | | | | Redo data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:28                                                     | | | | | | | Redo rs = {ri: r | r = input.resources[ri]; r._type = rt}
  lib/fugue.rego:27                                                     | | | | | | | Redo data.fugue.resource_types[rt]
  lib/fugue.rego:19                                                     | | | | | | | Redo data.fugue.resource_types
  lib/fugue.rego:19                                                     | | | | | | | | Redo __local1453__ = {rt | r = input.resources[_]; rt = r._type}
  lib/fugue.rego:19                                                     | | | | | | | | Redo true
  lib/fugue.rego:26                                                     | | | | | | Exit data.fugue.resources_by_type
  lib/fugue.rego:38                                                     | | | | | Exit data.fugue.resources
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:35         | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:35         | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:28         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | Eval __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | Fail __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:35         | | | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:34         | | | Redo current_lambda = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas[_]
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:35         | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:35         | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:28         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | Eval __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | Eval is_array(__local1770__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:30         | | | | Eval current_lambda.depends_on[_] = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].id
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:30         | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups (matched 1 rule)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Eval true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Eval __local1768__ = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:14         | | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:14         | | | | | | Eval true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:14         | | | | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type early
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Eval data.fugue.resources(__local1768__, __local1361__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Index data.fugue.resources (matched 1 rule)
  lib/fugue.rego:38                                                     | | | | | Enter data.fugue.resources
  lib/fugue.rego:39                                                     | | | | | | Eval ret = data.fugue.resources_by_type[rt]
  lib/fugue.rego:39                                                     | | | | | | Index data.fugue.resources_by_type (matched 1 rule)
  lib/fugue.rego:38                                                     | | | | | | Exit data.fugue.resources
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Redo data.fugue.resources(__local1768__, __local1361__)
  lib/fugue.rego:38                                                     | | | | | Redo data.fugue.resources
  lib/fugue.rego:39                                                     | | | | | | Redo ret = data.fugue.resources_by_type[rt]
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Redo __local1768__ = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:14         | | | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:14         | | | | | | Redo true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:16         | | | | | Redo true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:30         | | | | Fail current_lambda.depends_on[_] = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].id
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | Redo is_array(__local1770__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | Redo __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:35         | | | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:34         | | | Redo current_lambda = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas[_]
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Redo data.fugue.resources(__local1769__, __local1362__)
  lib/fugue.rego:38                                                     | | | | Redo data.fugue.resources
  lib/fugue.rego:39                                                     | | | | | Redo ret = data.fugue.resources_by_type[rt]
  lib/fugue.rego:26                                                     | | | | | Redo data.fugue.resources_by_type
  lib/fugue.rego:26                                                     | | | | | | Redo __local1455__ = {rt: rs | data.fugue.resource_types[rt]; rs = {ri: r | r = input.resources[ri]; r._type = rt}}
  lib/fugue.rego:26                                                     | | | | | | Redo true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Redo __local1769__ = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.lambda_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:18         | | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.lambda_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:18         | | | | | Redo true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:20         | | | | Redo true
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:40         | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:41         | | | Eval current_lambda = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas[_]
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:41         | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas (matched 1 rule)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | Eval not data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:28         | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | | Eval __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | | Fail __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | Eval not data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:22         | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:23         | | | | | Eval lambda_name = lambda.function_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Eval concat("/", ["/aws/lambda", lambda_name], __local1363__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Eval log_group_name = __local1363__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:25         | | | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].name = log_group_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:25         | | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups (matched 1 rule)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:25         | | | | | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].name = log_group_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Redo log_group_name = __local1363__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Redo concat("/", ["/aws/lambda", lambda_name], __local1363__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:23         | | | | | Redo lambda_name = lambda.function_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Eval __local1771__ = current_lambda.id
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Eval __local1772__ = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Eval sprintf("The lambda %v doesn't have any %v associated with it!", [__local1771__, __local1772__], __local1365__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Eval msg = __local1365__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:45         | | | Eval data.fugue.deny_resource_with_message(current_lambda, msg, __local1366__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:45         | | | Index data.fugue.deny_resource_with_message (matched 1 rule)
  lib/fugue.rego:64                                                     | | | Enter data.fugue.deny_resource_with_message
  lib/fugue.rego:65                                                     | | | | Eval data.fugue.deny({"message": message, "resource": resource}, __local1006__)
  lib/fugue.rego:65                                                     | | | | Index data.fugue.deny (matched 1 rule)
  lib/fugue.rego:68                                                     | | | | Enter data.fugue.deny
  lib/fugue.rego:74                                                     | | | | | Eval object.get(params, "attribute", null, __local1007__)
  lib/fugue.rego:76                                                     | | | | | Eval __local1604__ = params.resource
  lib/fugue.rego:76                                                     | | | | | Eval object.get(__local1604__, "_filepath", "", __local1008__)
  lib/fugue.rego:73                                                     | | | | | Eval object.get(params, "message", "", __local1009__)
  lib/fugue.rego:77                                                     | | | | | Eval __local1605__ = params.resource
  lib/fugue.rego:77                                                     | | | | | Eval object.get(__local1605__, "_tags", {}, __local1010__)
  lib/fugue.rego:71                                                     | | | | | Eval __local1606__ = params.resource.id
  lib/fugue.rego:75                                                     | | | | | Eval __local1607__ = params.resource._provider
  lib/fugue.rego:72                                                     | | | | | Eval __local1608__ = params.resource._type
  lib/fugue.rego:69                                                     | | | | | Eval ret = {"attribute": __local1007__, "filepath": __local1008__, "id": __local1606__, "message": __local1009__, "provider": __local1607__, "tags": __local1010__, "type": __local1608__, "valid": false}
  lib/fugue.rego:68                                                     | | | | | Exit data.fugue.deny
  lib/fugue.rego:65                                                     | | | | Eval ret = __local1006__
  lib/fugue.rego:64                                                     | | | | Exit data.fugue.deny_resource_with_message
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:45         | | | Eval r = __local1366__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:40         | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:40         | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:45         | | | Redo r = __local1366__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:45         | | | Redo data.fugue.deny_resource_with_message(current_lambda, msg, __local1366__)
  lib/fugue.rego:64                                                     | | | Redo data.fugue.deny_resource_with_message
  lib/fugue.rego:65                                                     | | | | Redo ret = __local1006__
  lib/fugue.rego:65                                                     | | | | Redo data.fugue.deny({"message": message, "resource": resource}, __local1006__)
  lib/fugue.rego:68                                                     | | | | Redo data.fugue.deny
  lib/fugue.rego:69                                                     | | | | | Redo ret = {"attribute": __local1007__, "filepath": __local1008__, "id": __local1606__, "message": __local1009__, "provider": __local1607__, "tags": __local1010__, "type": __local1608__, "valid": false}
  lib/fugue.rego:72                                                     | | | | | Redo __local1608__ = params.resource._type
  lib/fugue.rego:75                                                     | | | | | Redo __local1607__ = params.resource._provider
  lib/fugue.rego:71                                                     | | | | | Redo __local1606__ = params.resource.id
  lib/fugue.rego:77                                                     | | | | | Redo object.get(__local1605__, "_tags", {}, __local1010__)
  lib/fugue.rego:77                                                     | | | | | Redo __local1605__ = params.resource
  lib/fugue.rego:73                                                     | | | | | Redo object.get(params, "message", "", __local1009__)
  lib/fugue.rego:76                                                     | | | | | Redo object.get(__local1604__, "_filepath", "", __local1008__)
  lib/fugue.rego:76                                                     | | | | | Redo __local1604__ = params.resource
  lib/fugue.rego:74                                                     | | | | | Redo object.get(params, "attribute", null, __local1007__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Redo msg = __local1365__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Redo sprintf("The lambda %v doesn't have any %v associated with it!", [__local1771__, __local1772__], __local1365__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Redo __local1772__ = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.log_group_resource_type
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:44         | | | Redo __local1771__ = current_lambda.id
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:41         | | | Redo current_lambda = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas[_]
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | Eval not data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:28         | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | | Eval __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | | Eval is_array(__local1770__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:30         | | | | | Eval current_lambda.depends_on[_] = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].id
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:30         | | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups (matched 1 rule)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:30         | | | | | Fail current_lambda.depends_on[_] = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].id
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | | Redo is_array(__local1770__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:29         | | | | | Redo __local1770__ = current_lambda.depends_on
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:42         | | | | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.depends_on_log_group(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | Eval not data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name (matched 1 rule, early exit)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:22         | | | | Enter data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:23         | | | | | Eval lambda_name = lambda.function_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Eval concat("/", ["/aws/lambda", lambda_name], __local1363__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Eval log_group_name = __local1363__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:25         | | | | | Eval data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].name = log_group_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:25         | | | | | Index data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups (matched 1 rule)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:22         | | | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name early
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Exit data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:22         | | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:25         | | | | | Redo data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_log_groups[_].name = log_group_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Redo log_group_name = __local1363__
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:24         | | | | | Redo concat("/", ["/aws/lambda", lambda_name], __local1363__)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:23         | | | | | Redo lambda_name = lambda.function_name
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:43         | | | Fail not data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.check_log_group_name_match_lambda_name(current_lambda)
  policy/aws/tf/aws_002_lambda_check_with_log_group.rego:41         | | | Redo current_lambda = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.all_lambdas[_]
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | Eval resources = {__local1417__: __local1418__ | p = pol[_]; __local1417__ = p.id; __local1418__ = p.valid}
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | Enter p = pol[_]; __local1417__ = p.id; __local1418__ = p.valid
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Eval p = pol[_]
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Eval __local1417__ = p.id
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Eval __local1418__ = p.valid
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Exit p = pol[_]; __local1417__ = p.id; __local1418__ = p.valid
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | Redo p = pol[_]; __local1417__ = p.id; __local1418__ = p.valid
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Redo __local1418__ = p.valid
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Redo __local1417__ = p.id
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | | Redo p = pol[_]
  test/aws/aws_002_lambda_check_with_log_group_test.rego:9          | | Eval resources["aws_lambda_function.valid"] = true
  test/aws/aws_002_lambda_check_with_log_group_test.rego:9          | | Fail resources["aws_lambda_function.valid"] = true
  test/aws/aws_002_lambda_check_with_log_group_test.rego:7          | | Redo resources = {__local1417__: __local1418__ | p = pol[_]; __local1417__ = p.id; __local1418__ = p.valid}
  test/aws/aws_002_lambda_check_with_log_group_test.rego:6          | | Redo pol = data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.policy with input as __local1502__
  test/aws/aws_002_lambda_check_with_log_group_test.rego:6          | | Redo __local1502__ = data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:18     | | Redo data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_input
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:19     | | | Redo ret = data.fugue.resource_view.resource_view_input with input as __local1491__
  lib/fugue/resource_view.rego:44                                       | | | Redo data.fugue.resource_view.resource_view_input
  lib/fugue/resource_view.rego:46                                       | | | | Redo ret = {"resources": __local1677__}
  lib/fugue/resource_view.rego:46                                       | | | | Redo __local1677__ = data.fugue.resource_view.resource_view
  lib/fugue/resource_view.rego:26                                       | | | | Redo data.fugue.resource_view.resource_view
  lib/fugue/resource_view.rego:29                                       | | | | | Redo ret = input.resources
  lib/fugue/resource_view.rego:28                                       | | | | | Redo _ = input.hcl_resource_view_version
  lib/fugue/resource_view.rego:45                                       | | | | Redo _ = input.hcl_resource_view_version
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:19     | | | Redo __local1491__ = data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_config
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:22     | | | Redo data.test.aws.input.aws_002_lambda_check_with_log_group_tf.mock_config
  test/aws/input/aws_002_lambda_check_with_log_group_tf.rego:22     | | | | Redo true
  query:1                                                               | Fail data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only = _

[...]
test/aws/aws_002_lambda_check_with_log_group_test.rego:
data.rules.tf_aws_lambda_associated_with_cloudwatch_log_group.test_lambda_only: FAIL (1.574004ms)
[...]
--------------------------------------------------------------------------------
PASS: 11/12
FAIL: 1/12

Thank you in advance for looking at that.
Rasmey
