Can't catch undefined values in functions

[roco1234]

I want to write a policy to check that GroupDescription is defined and that IF SecurityGroupEgress AND/OR SecurityGroupIngress is defined, they both have Description defined

yaml

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  SecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: GroupName
      GroupDescription: GroupDescription
      SecurityGroupEgress: 
          - Description: GroupDescription

allow {
  security_group.GroupDescription
  all_rules_have_descriptions(security_group.SecurityGroupIngress)
  all_rules_have_descriptions(security_group.SecurityGroupEgress)
}

all_rules_have_descriptions(rules) {
    not rules
} {
    count([rule | rule := rules[_]; rule.Description]) == count(rules)
}

In this example the template check fails because all_rules_have_descriptions(security_group.SecurityGroupIngress) fails. Is there something I can do to get undefined to pass? I have also tried == null, count(rules) == 0

Or do I have to just explicitly check every scenario where ingress could be set but egress isn't etc

[srenatus]

I'll pick out one part of the puzzle and you'll probably able to fill in the rest 😃

IF SecurityGroupEgress [...] is defined, they both have Description defined

security_group_ingress_has_description(sg) if not sg.SecurityGroupIngress # if there's no Ingress, it's OK
security_group_ingress_has_description(sg) if {
    sg.SecurityGroupIngress.Description != ""
}

Two rule bodies mean OR. So you get that it's either not there, or it is there and has a description.

You could now refactor it to take the field as argument:

security_group_field_has_description(sg, field) if not sg[field] # if there's no such field, it's OK
security_group_field_has_description(sg, field) if {
    sg[field].Description != ""
}

then you can use it like this:

allow if {
  security_group.GroupDescription
  security_group_field_has_description(security_group, "SecurityGroupIngress")
  security_group_field_has_description(security_group, "SecurityGroupEgress")
}

or, with every:

allow if {
  security_group.GroupDescription
  every field in {"SecurityGroupIngress", "SecurityGroupEgress"} {
    security_group_field_has_description(security_group, field)
  }
}

[roco1234]

@srenatus thanks that works for the scenario i mentioned above but fails for the following scenario:

• ingress has no description - should fail

policy[p] {
    security_group := security_groups[_]
    security_group.GroupDescription
    every field in {"SecurityGroupIngress", "SecurityGroupEgress"} {
        security_group_field_has_description(security_group, field)
    }
    p = allow(security_group)
} {
    security_group := security_groups[_]
    not security_group.GroupDescription
    every field in {"SecurityGroupIngress", "SecurityGroupEgress"} {
        not security_group_field_has_description(security_group, field)
    }
    p = deny(security_group)
}

security_group_field_has_description(sg, field) if {
   not sg[field]
}

security_group_field_has_description(sg, field) if {
    rule := sg[field][_]
    rule.Description != ""
}

[srenatus]

Could you provide a playground example? It'll help us helping you 😄

[roco1234]

@srenatus https://play.openpolicyagent.org/p/trlKyaXuMs I'm not sure if this is correctly showing my issue as the output doesn't show "deny", but it does show "allow" when the Ingress also has a description

[roco1234]

@srenatus does the playground example demonstrate the issue?

[srenatus]

Deny and allow are not interchangeable like that, I'm afraid. Usually, you have

allow if everything is correct

vs

deny if anything is not correct

As such your deny should probably be something like this

deny if not security_group.GroupDescription
# OR (implicit)
deny if {
	some field in  {"SecurityGroupIngress", "SecurityGroupEgress"}
	not security_group_field_has_description(security_group, field)
}