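---
# Compliance rule: an AWS security group is INCOMPLIANT when at least one of its
# inbound rules admits the whole IPv6 internet ("::/0") to a remote-administration
# port (22/SSH or 3389/RDP) or to every port.
#
# Evaluation model (inferred from the layout of this file — confirm against the
# rule engine): the related-list `conditions` are evaluated per security group
# rule, in order, first match wins; the `otherwise` block applies when none match.
# The group-level condition then looks for any related rule that ended INCOMPLIANT.
#
# Scope notes for reviewers:
#   * Only the exact literal "::/0" is matched. The IPv4 equivalent "0.0.0.0/0" is
#     not covered here and is expected to be handled by a sibling rule; sources that
#     are a security group ID or a prefix list have no IP range and fall out as
#     INAPPLICABLE.
#   * Protocol matching is an exact string compare against "All", "tcp" and "udp".
#     This assumes the upstream connector normalizes the AWS "-1" protocol to "All"
#     and reports tcp/udp lower-case — TODO confirm; a differently cased or numeric
#     protocol value would make the rule INAPPLICABLE (i.e. silently pass).
inputType: "CA10__CaAwsSecurityGroup__c"

testData:
  - file: "test-data.json"

conditions:
  - status: "INCOMPLIANT"
    currentStateMessage: "This security group allows ingress from ::/0 to remote administration ports."
    remediationMessage: "Change the security group source to a range other than ::/0 or delete the offending inbound rule."
    check:
      # Any related rule that resolved to INCOMPLIANT makes the whole group INCOMPLIANT.
      RELATED_LIST_HAS:
        status: "INCOMPLIANT"
        relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"

otherwise:
  status: "COMPLIANT"
  # The check only covers ports 22, 3389 and "all ports"; a group may still allow
  # ::/0 on other ports and be COMPLIANT here, so the message must not claim that
  # no ::/0 ingress exists at all. (If test-data.json pins this text, update it too.)
  currentStateMessage: "This security group does not allow ingress from ::/0 to remote administration ports."

relatedLists:
  - relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
    importExtracts:
      - file: "/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml"
    conditions:
      # Guard 1: egress rules are out of scope.
      - status: "INAPPLICABLE"
        currentStateMessage: "This is an outbound security group rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__direction__c"
            right:
              TEXT: "Inbound"

      # Guard 2: only the unrestricted IPv6 source is of interest.
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule does not allow unrestricted access."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__sourceIpRange__c"
            right:
              TEXT: "::/0"

      # Guard 3: only protocols that carry a port range (or "All") can expose
      # 22/3389; anything else (e.g. ICMPv6) is INAPPLICABLE.
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule protocol is not All, TCP, or UDP."
        check:
          # protocol is none of All / tcp / udp (exact, case-sensitive compare)
          NOT:
            arg:
              OR:
                args:
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "All"
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "tcp"
                  - IS_EQUAL:
                      left:
                        EXTRACT: "CA10__protocol__c"
                      right:
                        TEXT: "udp"

      # Reaching here means: inbound, source ::/0, protocol All/tcp/udp.
      - status: "INCOMPLIANT"
        currentStateMessage: "This security group allows ingress from ::/0."
        remediationMessage: "Change the source field to a range other than ::/0 or delete the offending inbound rule."
        check:
          # INCOMPLIANT when the port range [fromPort, toPort] contains 22 or 3389,
          # or when either bound is missing — an empty bound is treated as "all
          # ports" (the usual shape of an "All"-protocol rule), which is the
          # conservative reading.
          OR:
            args:
              - AND:
                  args:
                    - LESS_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__fromPort__c"
                        right:
                          NUMBER: 22.0
                    - GREATER_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__toPort__c"
                        right:
                          NUMBER: 22.0
              - AND:
                  args:
                    - LESS_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__fromPort__c"
                        right:
                          NUMBER: 3389.0
                    - GREATER_THAN_EQUAL:
                        left:
                          EXTRACT: "CA10__toPort__c"
                        right:
                          NUMBER: 3389.0
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__fromPort__c"
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__toPort__c"

    otherwise:
      status: "COMPLIANT"
      # A rule that falls through the guards above *does* allow ::/0 ingress — just
      # not to 22/3389 or all ports — so the message names the actual scope.
      currentStateMessage: "This security group rule does not allow ingress from ::/0 to remote administration ports."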