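---
# Policy: flag AWS security groups that have an inbound, IP-sourced rule open
# to the whole internet (0.0.0.0/0 or ::/0) on every port.
#
# Evaluation order (as defined below): the security group is INCOMPLIANT when
# any related rule evaluates to INCOMPLIANT; each rule is first filtered by the
# INAPPLICABLE conditions, then matched against the full-range conditions, and
# falls through to the rule-level `otherwise` (COMPLIANT) when none match.
inputType: "CA10__CaAwsSecurityGroup__c"

testData:
  - file: "test-data.json"

conditions:
  # NOTE(review): the messages speak of "common ports", but the rule-level
  # conditions below only match rules that open *every* port (All/empty ports,
  # or tcp 0-65535); a rule open to 0.0.0.0/0 on a narrower range, or on
  # udp 0-65535, is not flagged and the group is reported COMPLIANT.
  - status: "INCOMPLIANT"
    currentStateMessage: "At least one rule opens common ports to inbound connections."
    remediationMessage: "Remove these rules or narrow them to specific CIDRs."
    check:
      # Any related rule that evaluates to INCOMPLIANT makes the group INCOMPLIANT.
      RELATED_LIST_HAS:
        relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
        status: "INCOMPLIANT"

otherwise:
  status: "COMPLIANT"
  currentStateMessage: "The security group has no rules that open common ports to the internet."

relatedLists:
  - relationshipName: "CA10__AWS_EC2_Security_Group_Rules__r"
    importExtracts:
      - file: "/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml"
    conditions:
      # Filter 1: only inbound rules are in scope.
      - status: "INAPPLICABLE"
        currentStateMessage: "This is an outbound security group rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__direction__c"
            right:
              TEXT: "Inbound"

      # Filter 2: only rules whose source is an IP range (not another security
      # group or prefix list) are in scope.
      - status: "INAPPLICABLE"
        currentStateMessage: "This is not an IP-based security group rule."
        check:
          NOT_EQUAL:
            left:
              EXTRACT: "CA10__source__c"
            right:
              TEXT: "IP"

      # Filter 3: only the IPv4 and IPv6 "any address" ranges count as
      # unrestricted. Broad-but-bounded CIDRs are treated as INAPPLICABLE here.
      - status: "INAPPLICABLE"
        currentStateMessage: "This security group rule does not allow unrestricted access."
        check:
          AND:
            args:
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceIpRange__c"
                  right:
                    TEXT: "0.0.0.0/0"
              - NOT_EQUAL:
                  left:
                    EXTRACT: "CA10__sourceIpRange__c"
                  right:
                    TEXT: "::/0"

      # Finding 1: protocol "All" with no port bounds, i.e. every protocol and
      # every port open to the internet.
      - status: "INCOMPLIANT"
        currentStateMessage: "This rule opens all protocols and all ports to the internet."
        remediationMessage: "Remove the rule or narrow it to a specific port, protocol, and CIDR."
        check:
          AND:
            args:
              - IS_EQUAL:
                  left:
                    EXTRACT: "CA10__protocol__c"
                  right:
                    TEXT: "All"
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__fromPort__c"
              - IS_EMPTY:
                  arg:
                    EXTRACT: "CA10__toPort__c"

      # Finding 2: TCP with the full 0-65535 port range. The message previously
      # duplicated Finding 1 ("all protocols"), which misdescribed a TCP-only
      # rule; it now states what the check actually matched.
      - status: "INCOMPLIANT"
        currentStateMessage: "This rule opens all TCP ports to the internet."
        remediationMessage: "Remove the rule or narrow it to a specific port, protocol, and CIDR."
        check:
          AND:
            args:
              - IS_EQUAL:
                  left:
                    EXTRACT: "CA10__protocol__c"
                  right:
                    TEXT: "tcp"
              - IS_EQUAL:
                  left:
                    EXTRACT: "CA10__fromPort__c"
                  right:
                    NUMBER: 0.0
              - IS_EQUAL:
                  left:
                    EXTRACT: "CA10__toPort__c"
                  right:
                    NUMBER: 65535.0

    # Rule-level default: an inbound, IP-sourced, 0.0.0.0/0 or ::/0 rule that
    # matches neither finding above (any other protocol/port combination) ends
    # here as COMPLIANT. The message names the rule, not the group, since this
    # `otherwise` is evaluated per related rule.
    otherwise:
      status: "COMPLIANT"
      currentStateMessage: "This security group rule does not allow unrestricted access."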