
Commit eb684c0

fix new functions and add docs
1 parent 62a9d72 commit eb684c0

3 files changed

+70
-2
lines changed

Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
# filter_attribute_was_not_value
2+
This function filters a collection of resources, data sources, or blocks to those with an attribute that was not equal to a given value. A policy would call it when it wants the attribute to equal the given value, especially when trying to delete a resource. Note that this function passes `rc.change.before` instead of `rc` to the `evaluate_attribute()` function which converts `rc` to `rc.change.after`.
3+
4+
## Sentinel Module
5+
This function is contained in the [tfplan-functions.sentinel](../tfplan-functions.sentinel) module.
6+
7+
## Declaration
8+
`filter_attribute_was_not_value = func(resources, attr, value, prtmsg)`
9+
10+
## Arguments
11+
* **resources**: a map of resources derived from [`tfplan.resource_changes`](https://www.terraform.io/docs/cloud/sentinel/import/tfplan-v2.html#the-resource_changes-collection) or a list of blocks returned by the `find_blocks` function.
12+
* **attr**: the name of a resource attribute given as a string that should have previously equaled a given value. If the attribute is nested, the various blocks containing it should be delimited with periods (`.`). Indices of lists should not include brackets and should start with 0. So, you would use `boot_disk.0.initialize_params.0.image` rather than `boot_disk[0].initialize_params[0].image`.
13+
* **value**: the value the attribute should have been equal to. This can be any primitive data type.
14+
* **prtmsg**: a boolean indicating whether violation messages should be printed (if `true`) or not (if `false`).
15+
16+
## Common Functions Used
17+
This function calls the [evaluate_attribute](./evaluate_attribute.md) and the [to_string](./to_string.md) functions.
18+
19+
## What It Returns
20+
This function returns a map with two maps, `resources` and `messages`, both of which are indexed by the complete [addresses](https://www.terraform.io/docs/internals/resource-addressing.html) of the resources, data sources, or blocks that meet the condition of the filter function. The `resources` map contains the actual resource instances for which the attribute (`attr`) is not equal to the given value, `value`, while the `messages` map contains the violation messages associated with those instances.
21+
22+
## What It Prints
23+
This function prints the violation messages if the parameter, `prtmsg`, was set to `true`. Otherwise, it does not print anything.
24+
25+
## Examples
26+
Here are some examples of calling this function, assuming that the tfplan-functions.sentinel file that contains it has been imported with the alias `plan`:
27+
```
28+
nonPrivateS3Buckets = plan.filter_attribute_was_not_value(allS3Buckets,
29+
"acl", "private", true)
30+
31+
violatingAzureAppServices = plan.filter_attribute_is_not_value(allAzureAppServices,
32+
"https_only", true, true)
33+
```
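Review bot: The second example in this hunk calls `plan.filter_attribute_is_not_value` inside the document for `filter_attribute_was_not_value`, so a reader copying it would get the "after" semantics instead of the "before" semantics this page describes; it should read `violatingAzureAppServices = plan.filter_attribute_was_not_value(allAzureAppServices, "https_only", true, true)`. The `value` argument description here also lacks the sentence that the sibling `filter_attribute_was_value` doc and the module comments carry, "If you want to match null, set value to "null"."; add it so both `was_*` docs state the same matching rule.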
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
# filter_attribute_was_value
2+
This function filters a collection of resources, data sources, or blocks to those with an attribute that was equal to a given value. A policy would call it when it wants the attribute to not equal the given value, especially when trying to delete a resource. Note that this function passes `rc.change.before` instead of `rc` to the `evaluate_attribute()` function which converts `rc` to `rc.change.after`.
3+
4+
## Sentinel Module
5+
This function is contained in the [tfplan-functions.sentinel](../tfplan-functions.sentinel) module.
6+
7+
## Declaration
8+
`filter_attribute_was_value = func(resources, attr, value, prtmsg)`
9+
10+
## Arguments
11+
* **resources**: a map of resources derived from [`tfplan.resource_changes`](https://www.terraform.io/docs/cloud/sentinel/import/tfplan-v2.html#the-resource_changes-collection) or a list of blocks returned by the `find_blocks` function.
12+
* **attr**: the name of a resource attribute given as a string that should not have previously equaled a given value. If the attribute is nested, the various blocks containing it should be delimited with periods (`.`). Indices of lists should not include brackets and should start with 0. So, you would use `boot_disk.0.initialize_params.0.image` rather than `boot_disk[0].initialize_params[0].image`.
13+
* **value**: the value the attribute should not have been equal to. This can be any primitive data type. If you want to match null, set value to "null".
14+
* **prtmsg**: a boolean indicating whether violation messages should be printed (if `true`) or not (if `false`).
15+
16+
## Common Functions Used
17+
This function calls the [evaluate_attribute](./evaluate_attribute.md) and the [to_string](./to_string.md) functions.
18+
19+
## What It Returns
20+
This function returns a map with two maps, `resources` and `messages`, both of which are indexed by the complete [addresses](https://www.terraform.io/docs/internals/resource-addressing.html) of the resources, data sources, or blocks that meet the condition of the filter function. The `resources` map contains the actual resource instances for which the attribute (`attr`) is equal to the given value, `value`, while the `messages` map contains the violation messages associated with those instances.
21+
22+
## What It Prints
23+
This function prints the violation messages if the parameter, `prtmsg`, was set to `true`. Otherwise, it does not print anything.
24+
25+
## Examples
26+
Here is an example of calling this function, assuming that the tfplan-functions.sentinel file that contains it has been imported with the alias `plan`:
27+
```
28+
violatingRDSInstances = plan.filter_attribute_was_value(RDSInstancesBeingDeleted,
29+
"deletion_protection", true, false)
30+
31+
violatingAzureAppServices = plan.filter_attribute_was_value(allAzureAppServices,
32+
"https_only", true, true)
33+
```
34+
35+
This function is used by the [protect-against-rds-instance-deletion.sentinel (AWS)](../../../aws/protect-against-rds-instance-deletion.sentinel) policy.
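Review bot: The `resources` argument is documented as accepting either resource changes from `tfplan.resource_changes` or a list of blocks returned by `find_blocks`, while the introduction says the function passes `rc.change.before` to `evaluate_attribute()`; it is not stated what is evaluated when the input is a block rather than a resource change, so either limit this argument to resource changes or say how blocks are handled. The first example, `plan.filter_attribute_was_value(RDSInstancesBeingDeleted, "deletion_protection", true, false)`, would also be clearer with a preceding line showing how `RDSInstancesBeingDeleted` is derived, since the "was" check is only meaningful for resources whose planned action is a delete, as the introduction and the linked RDS policy suggest.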

governance/third-generation/common-functions/tfplan-functions/tfplan-functions.sentinel

Lines changed: 2 additions & 2 deletions
@@ -513,7 +513,7 @@ filter_attribute_is_not_value = func(resources, attr, value, prtmsg) {
513513
# Resources should be derived by applying filters to tfplan.resource_changes.
514514
# Set prtmsg to `true` (without quotes) if you want to print violation messages.
515515
# If you want to match null, set value to "null".
516-
# Note that it this function passes `change.actions.before` instead of `rc`
516+
# Note that it this function passes `rc.change.before` instead of `rc`
517517
# to the evaluate_attribute() function which converts `rc` to `rc.change.after`.
518518
filter_attribute_was_not_value = func(resources, attr, value, prtmsg) {
519519
violators = {}
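Review bot: The replacement comment line still carries the stray "it" from the original ("Note that it this function passes `rc.change.before` instead of `rc`"); since this line is being touched anyway, drop the word so it reads "Note that this function passes `rc.change.before` instead of `rc`". The substantive fix (`change.actions.before` to `rc.change.before`) is correct and matches the `evaluate_attribute()` description on the following line.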
@@ -579,7 +579,7 @@ filter_attribute_is_value = func(resources, attr, value, prtmsg) {
579579
# Resources should be derived by applying filters to tfplan.resource_changes.
580580
# Set prtmsg to `true` (without quotes) if you want to print violation messages.
581581
# If you want to match null, set value to "null".
582-
# Note that it this function passes `change.actions.before` instead of `rc`
582+
# Note that it this function passes `rc.change.before` instead of `rc`
583583
# to the evaluate_attribute() function which converts `rc` to `rc.change.after`.
584584
filter_attribute_was_value = func(resources, attr, value, prtmsg) {
585585
violators = {}
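Review bot: Same typo as in the `filter_attribute_was_not_value` hunk above: "Note that it this function passes `rc.change.before` instead of `rc`" should read "Note that this function passes `rc.change.before` instead of `rc`". The two comment blocks are otherwise identical, so the wording should be kept in sync between `filter_attribute_was_not_value` and `filter_attribute_was_value`.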
