use destroy value to check destroyed resources

Author: rberlind

governance/second-generation/aws/enforce-mandatory-tags.sentinel

@@ -55,8 +55,9 @@ validate_attribute_contains_list = func(type, attribute, required_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/aws/require-private-acl-and-kms-for-s3-buckets.sentinel

@@ -57,8 +57,9 @@ validate_private_acl_and_kms_encryption = func() {
   for resource_instances as address, r {
 
     # Skip resources that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/aws/restrict-availability-zones.sentinel

@@ -53,8 +53,9 @@ validate_attribute_in_list = func(type, attribute, allowed_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/aws/restrict-db-instance-engines.sentinel

@@ -52,8 +52,9 @@ validate_attribute_in_list = func(type, attribute, allowed_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/aws/restrict-ec2-instance-type.sentinel

@@ -52,8 +52,9 @@ validate_attribute_in_list = func(type, attribute, allowed_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/aws/restrict-ingress-sg-rule-cidr-blocks.sentinel

@@ -53,8 +53,9 @@ validate_sgr_cidr_blocks = func() {
   for resource_instances as address, r {
 
     # Skip resources that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/aws/restrict-launch-configuration-instance-type.sentinel

@@ -59,8 +59,9 @@ validate_instance_types = func(allowed_types) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/azure/enforce-mandatory-tags.sentinel

@@ -56,8 +56,9 @@ validate_attribute_contains_list = func(type, attribute, required_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/azure/restrict-app-service-to-https.sentinel

@@ -53,8 +53,9 @@ validate_attribute_has_value = func(type, attribute, value) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/azure/restrict-vm-size.sentinel

@@ -52,8 +52,9 @@ validate_attribute_in_list = func(type, attribute, allowed_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/common-functions/plan/validate_attribute_contains_list.sentinel

@@ -10,8 +10,9 @@ validate_attribute_contains_list = func(type, attribute, required_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/common-functions/plan/validate_attribute_greater_than_value.sentinel

@@ -11,8 +11,9 @@ validate_attribute_greater_than_value = func(type, attribute, min_value) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/common-functions/plan/validate_attribute_has_value.sentinel

@@ -11,8 +11,9 @@ validate_attribute_has_value = func(type, attribute, value) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/common-functions/plan/validate_attribute_in_list.sentinel

@@ -11,8 +11,9 @@ validate_attribute_in_list = func(type, attribute, allowed_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/common-functions/plan/validate_attribute_less_than_value.sentinel

@@ -11,8 +11,9 @@ validate_attribute_less_than_value = func(type, attribute, max_value) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/common-functions/plan/validate_attribute_matches_expression.sentinel

@@ -11,8 +11,9 @@ validate_attribute_matches_expression = func(type, attribute, expression) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/gcp/enforce-mandatory-labels.sentinel

@@ -56,8 +56,9 @@ validate_attribute_contains_list = func(type, attribute, required_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/gcp/restrict-gce-machine-type.sentinel

@@ -52,8 +52,9 @@ validate_attribute_in_list = func(type, attribute, allowed_values) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/vmware/restrict-vm-cpu-and-memory.sentinel

@@ -52,8 +52,9 @@ validate_attribute_less_than_value = func(type, attribute, max_value) {
   for resource_instances as address, r {
 
     # Skip resource instances that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }

governance/second-generation/vmware/restrict-vm-disk-size.sentinel

@@ -51,8 +51,9 @@ validate_disk_size = func(disk_limit) {
   for resource_instances as address, r {
 
     # Skip resources that are being destroyed
-    # to avoid unnecessary policy violations
-    if length(r.diff) == 0 {
+    # to avoid unnecessary policy violations.
+    # Used to be: if length(r.diff) == 0
+    if r.destroy {
       print("Skipping resource", address, "that is being destroyed.")
       continue
     }