fix checks related to security groups

Signed-off-by: Nikita Pivkin <[email protected]>

checks/cloud/aws/ec2/add_description_to_security_group_rule.rego

@@ -41,19 +41,35 @@ import rego.v1
 import data.lib.cloud.metadata
 import data.lib.cloud.value
 
-deny contains res if {
+rules := [
+rule |
 	some group in input.aws.ec2.securitygroups
 	some rule in array.concat(
 		object.get(group, "egressrules", []),
 		object.get(group, "ingressrules", []),
 	)
+]
+
+deny contains res if {
+	some rule in rules
+	isManaged(rule)
 	without_description(rule)
 	res := result.new(
 		"Security group rule does not have a description.",
 		metadata.obj_by_path(rule, ["description"]),
 	)
 }
 
+deny contains res if {
+	some rule in rules
+	isManaged(rule)
+	rule.description.value == "Managed by Terraform"
+	res := result.new(
+		"Security group explicitly uses the default description.",
+		rule.description,
+	)
+}
+
 without_description(rule) if value.is_empty(rule.description)
 
 without_description(rule) if not rule.description

checks/cloud/aws/elasticache/add_description_for_security_group.rego

@@ -39,13 +39,24 @@ import data.lib.cloud.value
 
 deny contains res if {
 	some secgroup in input.aws.elasticache.securitygroups
+	isManaged(secgroup)
 	without_description(secgroup)
 	res := result.new(
 		"Security group does not have a description.",
 		metadata.obj_by_path(secgroup, ["description"]),
 	)
 }
 
+deny contains res if {
+	some secgroup in input.aws.elasticache.securitygroups
+	isManaged(secgroup)
+	secgroup.description.value == "Managed by Terraform"
+	res := result.new(
+		"Security group explicitly uses the default description.",
+		secgroup.description,
+	)
+}
+
 without_description(sg) if value.is_empty(sg.description)
 
 without_description(sg) if not sg.description

checks/cloud/aws/redshift/add_description_to_security_group.rego

@@ -29,14 +29,26 @@ package builtin.aws.redshift.aws0083
 
 import rego.v1
 
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 
 deny contains res if {
 	some group in input.aws.redshift.securitygroups
+	isManaged(group)
 	without_description(group)
 	res := result.new(
 		"Security group has no description.",
-		object.get(group, "description", group),
+		metadata.obj_by_path(group, ["description"]),
+	)
+}
+
+deny contains res if {
+	some group in input.aws.redshift.securitygroups
+	isManaged(group)
+	group.description.value == "Managed by Terraform"
+	res := result.new(
+		"Security group explicitly uses the default description.",
+		group.description,
 	)
 }
 

checks/cloud/nifcloud/computing/add_description_to_security_group.rego

@@ -34,16 +34,22 @@ package builtin.nifcloud.computing.nifcloud0002
 
 import rego.v1
 
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 
 deny contains res if {
 	some sg in input.nifcloud.computing.securitygroups
+	isManaged(sg)
 	without_description(sg)
-	res := result.new("Security group does not have a description.", sg.description)
+	res := result.new(
+		"Security group does not have a description.",
+		metadata.obj_by_path(sg, ["description"]),
+	)
 }
 
 deny contains res if {
 	some sg in input.nifcloud.computing.securitygroups
+	isManaged(sg)
 	sg.description.value == "Managed by Terraform"
 	res := result.new("Security group explicitly uses the default description.", sg.description)
 }

checks/cloud/nifcloud/computing/add_description_to_security_group_rule.rego

@@ -37,13 +37,18 @@ import rego.v1
 import data.lib.cloud.metadata
 import data.lib.cloud.value
 
-deny contains res if {
+rules := [
+rule |
 	some sg in input.nifcloud.computing.securitygroups
 	some rule in array.concat(
 		object.get(sg, "ingressrules", []),
 		object.get(sg, "egressrules", []),
 	)
+]
 
+deny contains res if {
+	some rule in rules
+	isManaged(rule)
 	without_description(rule)
 	res := result.new(
 		"Security group rule does not have a description.",

checks/cloud/nifcloud/nas/add_description_to_nas_security_group.rego

@@ -34,18 +34,27 @@ package builtin.nifcloud.nas.nifcloud0015
 
 import rego.v1
 
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 
 deny contains res if {
 	some sg in input.nifcloud.nas.nassecuritygroups
+	isManaged(sg)
 	without_description(sg)
-	res := result.new("NAS security group does not have a description.", sg.description)
+	res := result.new(
+		"NAS security group does not have a description.",
+		metadata.obj_by_path(sg, ["description"]),
+	)
 }
 
 deny contains res if {
 	some sg in input.nifcloud.nas.nassecuritygroups
+	isManaged(sg)
 	sg.description.value == "Managed by Terraform"
-	res := result.new("NAS security group explicitly uses the default description.", sg.description)
+	res := result.new(
+		"NAS security group explicitly uses the default description.",
+		sg.description,
+	)
 }
 
 without_description(sg) if value.is_empty(sg.description)

checks/cloud/nifcloud/rdb/add_description_to_db_security_group.rego

@@ -38,12 +38,14 @@ import data.lib.cloud.value
 
 deny contains res if {
 	some sg in input.nifcloud.rdb.dbsecuritygroups
+	isManaged(sg)
 	without_description(sg)
 	res := result.new("DB security group does not have a description.", sg.description)
 }
 
 deny contains res if {
 	some sg in input.nifcloud.rdb.dbsecuritygroups
+	isManaged(sg)
 	sg.description.value == "Managed by Terraform"
 	res := result.new("DB security group explicitly uses the default description.", sg.description)
 }

checks/cloud/openstack/networking/add_description_to_security_group.rego

@@ -26,12 +26,17 @@ package builtin.openstack.networking.openstack0005
 
 import rego.v1
 
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 
 deny contains res if {
 	some sg in input.openstack.networking.securitygroups
+	isManaged(sg)
 	without_description(sg)
-	res := result.new("Network security group does not have a description.", sg.description)
+	res := result.new(
+		"Network security group does not have a description.",
+		metadata.obj_by_path(sg, ["description"]),
+	)
 }
 
 without_description(sg) if value.is_empty(sg.description)