[英]Validating every element of a list against another list using Rego
我是 rego 的新手,并试图编写一个策略来验证列表中的元素是否与另一个列表相对应。 这是我要解决的问题:我有一个已批准的安全组列表,我需要根据我的输入检查安全组。 如果我输入的 SG 不在批准的列表中,我需要 output 一条消息说“正在使用无效的 SG”。 我找不到任何说明如何将一个列表与另一个列表进行比较的文档。 这是 rego 游乐场的政策: https://play.openpolicyagent.org/p/m09f2K1g0h
政策:
check_list = ["sg-1001a1d199tx8866a","sg-2002b2e200in9966b", "sg-3003c3f201dc0011c","sg-4004d4e202nj1122d", "sg-5003c3f201dc0011e","sg-6004d4e202nj1122f"]
aws_valid_sgs := {i: Reason |
doc = input[i]; i="aws_launch_configuration.ecs-cluster-lc"
key_ids := [k | doc[k]; startswith(k, "security_groups.")]
resource := {
doc[k] : doc[replace(k, ".key", ".value")] | key_ids[_] == k
}
sg_ids := [m | resource[m]; startswith(m, "sg-")]
list := {x| x:=check_list[_]}
not(list[sg_ids[i]])
Reason := sprintf("Resource %v is not using an approved SG ", [doc.name])
}
输入:
{
"aws_launch_configuration.ecs-cluster-lc": {
"associate_public_ip_address": "false",
"destroy": false,
"destroy_tainted": false,
"ebs_block_device.#": "",
"ebs_optimized": "",
"enable_monitoring": "true",
"id": "",
"instance_type": "t3.large",
"key_name": "",
"name": "test_r1-us-east-1",
"security_groups.1122334455": "sg-1001a1d199tx8866a",
"security_groups.2233445566": "sg-2002b2e200in9966b",
"security_groups.3344556677": "sg-3003c3f201dc0011c",
"security_groups.4455667788": "sg-4004d4e202nj1122d"
},
"destroy": false
}
任何帮助表示赞赏。 谢谢。
TLDR; 这最好使用集合操作来完成,例如{"foo", "bar", "baz"} - {"bar"} == {"foo", "baz"} )。 这是一个完整的例子:
# Define a SET of valid SGs to compare against.
valid_sgs := {"sg-1001a1d199tx8866a","sg-2002b2e200in9966b", "sg-3003c3f201dc0011c","sg-4004d4e202nj1122d", "sg-5003c3f201dc0011e","sg-6004d4e202nj1122f"}
# Compute the SET of SGs from the launch configuration in the input.
launch_config_sgs := {sg |
some key
launch_config := input["aws_launch_configuration.ecs-cluster-lc"]
sg := launch_config[key]
startswith(key, "security_groups.")
}
# Compute the SET of invalid SGs by taking the difference of the other two sets.
invalid_launch_config_sgs := launch_config_sgs - valid_sgs
# Generate a 'deny' message if there are any invalid SGs.
deny[msg] {
launch_config := input["aws_launch_configuration.ecs-cluster-lc"]
count(invalid_launch_config_sgs) > 0
msg := sprintf("Resource %v is not using an approved SG", [launch_config.name])
}
海报版本有几件事使问题变得比必要的更难:
check_list被定义为一个数组(不是一个集合)。 Arrays 由 position 索引。 要检查列表中是否包含值,您需要迭代. 构建集合并测试成员/交集/差异/等通常更容易。
aws_valid_sgs规则从输入中构造一堆不必要的中间值(例如doc 、 key_ids 、 resource等)。所需要的只是输入中的一组 SG,可以在 2 个语句中计算:在启动配置中查找字段其中密钥以security_group. 并为这些键构造一组字段值。
将列表中以 x 开头的每个项目放入一个新列表中 - Rego
[英]Take every item in list that starts with x and put it in a new list - Rego
Rego 检查地图是否包含在单独列表中定义的键
[英]Rego to check if a map, contains a key that is defined in a separate list
如何将列表转换为 object 在 OPA Rego 中具有重复键
[英]How to convert a list to an object with key duplications in OPA Rego
如何在 rego 中测试一个 object 是另一个 object 的子集
[英]How to test that one object is a subset of another object in rego
OPA REGO:如何在另一个字典中找到所有不匹配的项目?
[英]OPA REGO: How to find all not matching items in another dictionary?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.