--- policy: /ce/ca/aws/dms/endpoint-ssl logic: /ce/ca/aws/dms/endpoint-ssl/prod.logic.yaml executionTime: 2026-06-06T12:02:37.701170551Z generationMs: 54 executionMs: 1136 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10A1__disappearanceTime__c) actual: isDisappeared(CA10A1__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: "not(setOfText(['mysql', 'oracle', 'postgres', 'mariadb', 'aurora',\ \ 'aurora-postgresql', 'db2', 'db2-zos', 'mongodb', 'sqlserver']).contains(extract('CA10A1__engineName__c')))" actual: "not(setOfText(['mysql', 'oracle', 'postgres', 'mariadb', 'aurora',\ \ 'aurora-postgresql', 'db2', 'db2-zos', 'mongodb', 'sqlserver']).contains(extract('CA10A1__engineName__c')))" runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10A1__sslMode__c') == 'none' actual: extract('CA10A1__sslMode__c') == 'none' runtimeError: {} - id: test4 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: "setOfText(['require', 'verify-ca', 'verify-full']).contains(extract('CA10A1__sslMode__c'))" actual: "setOfText(['require', 'verify-ca', 'verify-full']).contains(extract('CA10A1__sslMode__c'))" runtimeError: {} usedFiles: - path: /ce/ca/aws/dms/endpoint-ssl/policy.yaml md5Hash: E81C5250F3F759A9C76A5949CC137F02 content: "---\nnames:\n full: AWS DMS Endpoint doesn't use SSL\n contextual:\ \ Endpoint doesn't use SSL\ndescription: >\n Ensure that AWS DMS Endpoints\ \ use Secure Sockets Layer (SSL) to encrypt \n connections between the DMS\ \ replication instance and your database endpoints.\ntype: COMPLIANCE_POLICY\n\ categories:\n - SECURITY\nframeworkMappings:\n - \"/frameworks/cloudaware/resource-security/data-encryption\"\ \n - \"/frameworks/aws-fsbp-v1.0.0/dms/09\"\nsimilarPolicies:\n awsSecurityHub:\n\ \ - name: \"[DMS.9] DMS endpoints should use SSL\"\n url: \"https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-9\"\ \n internal:\n - \"dec-x-a4e03389\"" - path: /ce/ca/aws/dms/endpoint-ssl/prod.logic.yaml md5Hash: CC16BB4C55EB108990F3989E08B77915 content: | --- inputType: "CA10A1__CaAwsDmsEndpoint__c" importExtracts: - file: /types/CA10A1__CaAwsDmsEndpoint__c/object.extracts.yaml testData: - file: "test-data.json" conditions: - status: "INAPPLICABLE" currentStateMessage: "Endpoint SSL mode doesn't apply to this DMS endpoint engine." check: NOT: arg: CONTAINS: arg: SET: itemType: TEXT items: - "mysql" - "oracle" - "postgres" - "mariadb" - "aurora" - "aurora-postgresql" - "db2" - "db2-zos" - "mongodb" - "sqlserver" search: EXTRACT: "CA10A1__engineName__c" - status: "INCOMPLIANT" currentStateMessage: "The DMS endpoint connection is not encrypted with SSL." remediationMessage: "Configure the DMS endpoint SSL mode." check: IS_EQUAL: left: EXTRACT: "CA10A1__sslMode__c" right: TEXT: "none" - status: "COMPLIANT" currentStateMessage: "The DMS endpoint connection is encrypted with SSL." check: CONTAINS: arg: SET: itemType: TEXT items: - "require" - "verify-ca" - "verify-full" search: EXTRACT: "CA10A1__sslMode__c" otherwise: status: "UNDETERMINED" currentStateMessage: "Unexpected values in the fields." - path: /ce/ca/aws/dms/endpoint-ssl/test-data.json md5Hash: 591879C4E2DCA2A87DB859F0A0DFD49D content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10A1__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2025-07-10T21:20:17Z" }, "Id": "test1", "CA10A1__disappearanceTime__c": "2025-07-01T18:49:13Z", "CA10A1__engineName__c": "oracle", "CA10A1__sslMode__c": "none" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "not(setOfText(['mysql', 'oracle', 'postgres', 'mariadb', 'aurora', 'aurora-postgresql', 'db2', 'db2-zos', 'mongodb', 'sqlserver']).contains(extract('CA10A1__engineName__c')))", "runtimeError": null }, "context": { "snapshotTime": "2025-07-10T21:20:17Z" }, "Id": "test2", "CA10A1__disappearanceTime__c": null, "CA10A1__engineName__c": "kafka", "CA10A1__sslMode__c": "none" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10A1__sslMode__c') == 'none'", "runtimeError": null }, "context": { "snapshotTime": "2025-07-10T21:20:17Z" }, "Id": "test3", "CA10A1__disappearanceTime__c": null, "CA10A1__engineName__c": "aurora", "CA10A1__sslMode__c": "none" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "399", "conditionText": "setOfText(['require', 'verify-ca', 'verify-full']).contains(extract('CA10A1__sslMode__c'))", "runtimeError": null }, "context": { "snapshotTime": "2025-07-10T21:20:17Z" }, "Id": "test4", "CA10A1__disappearanceTime__c": null, "CA10A1__engineName__c": "aurora-postgresql", "CA10A1__sslMode__c": "require" } ] - path: /types/CA10A1__CaAwsDmsEndpoint__c/object.extracts.yaml md5Hash: DC5412ACE13F77AA62F29DFAC7D4A357 content: "---\nextracts:\n# Values: none | require | verify-ca | verify-full.\ \ Not Nullable. Can't have no access, retrieved via dms:DescribeEndpoints\n\ \ - name: CA10A1__sslMode__c\n value: \n FIELD:\n path: CA10A1__sslMode__c\n\ # Values: \n# \"mysql\", \"oracle\", \"postgres\", \"mariadb\", \"aurora\",\ \ \"aurora-postgresql\", \"redshift\", \n# \"redshift-serverless\", \"s3\",\ \ \"db2\", \"db2-zos\", \"azuredb\", \"sybase\", \"dynamodb\", \n# \"mongodb\"\ , \"kinesis\", \"kafka\", \"elasticsearch\", \"documentdb\", \"sqlserver\",\ \ \n# \"neptune\", and \"babelfish\". \n# Not Nullable.\n# Can't have no access,\ \ retrieved via dms:DescribeEndpoints\n - name: CA10A1__engineName__c\n \ \ value: \n FIELD:\n path: CA10A1__engineName__c\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10A1__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "not(setOfText(['mysql', 'oracle', 'postgres', 'mariadb', 'aurora', 'aurora-postgresql', 'db2', 'db2-zos', 'mongodb', 'sqlserver']).contains(extract('CA10A1__engineName__c')))", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10A1__sslMode__c') == 'none'", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "399", "conditionText" : "setOfText(['require', 'verify-ca', 'verify-full']).contains(extract('CA10A1__sslMode__c'))", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10A1__CaAwsDmsEndpoint__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-07-10T21:20:17Z") }, "CA10A1__disappearanceTime__c" : new Date("2025-07-01T18:49:13Z"), "CA10A1__engineName__c" : "oracle", "CA10A1__sslMode__c" : "none", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2025-07-10T21:20:17Z") }, "CA10A1__engineName__c" : "kafka", "CA10A1__sslMode__c" : "none", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2025-07-10T21:20:17Z") }, "CA10A1__engineName__c" : "aurora", "CA10A1__sslMode__c" : "none", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2025-07-10T21:20:17Z") }, "CA10A1__engineName__c" : "aurora-postgresql", "CA10A1__sslMode__c" : "require", "Id" : "test4" } ]; """; CREATE TEMP FUNCTION process_CA10A1__CaAwsDmsEndpoint__c( obj STRUCT< CA10A1__disappearanceTime__c TIMESTAMP, CA10A1__engineName__c STRING, CA10A1__sslMode__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var CollectionLib = new function () { this.parse = function(arg, separator, skipEmpty, skipDuplicates, sort, normalize) { if (arg == null) return []; let parts = arg.split(separator); return this.fromArray(parts, skipEmpty, skipDuplicates, sort, normalize); }; this.fromArray = function(arr, skipEmpty, skipDuplicates, sort, normalize) { if (arr == null) return []; let result = []; let seen = new Set(); arr.forEach(el => { let normalized = normalize ? TextLib.normalize(el) : BytesLib.normalize(el); if (!skipEmpty || (normalize ? TextLib.isNotEmpty(el) : BytesLib.isNotEmpty(el))) { if (!skipDuplicates || !seen.has(normalized)) { if (skipDuplicates) seen.add(normalized); result.push(normalized); } } }); if (sort) result.sort(); return result; }; this.equal = function(left, right) { left = left == null ? [] : left; right = right == null ? [] : right; if (left.length !== right.length) return false; for (let i = 0; i < left.length; i++) { if (left[i] !== right[i]) return false; } return true; }; this.notEqual = function(left, right) { return !this.equal(left, right); }; this.size = function(collection) { return collection == null ? 0 : collection.length; }; this.startsWith = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; let normalizedSearch = normalize ? TextLib.normalize(search) : BytesLib.normalize(search); return collection[0] === normalizedSearch; }; this.endsWith = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; let normalizedSearch = normalize ? TextLib.normalize(search) : BytesLib.normalize(search); return collection[collection.length - 1] === normalizedSearch; }; this.contains = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; return collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search)); }; this.containsAll = function(collection, searchArray, normalize) { if (collection == null || collection.length === 0 || searchArray == null || searchArray.length === 0) return false; return searchArray.every(search => collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search))); }; this.containsAny = function(collection, searchArray, normalize) { if (collection == null || collection.length === 0 || searchArray == null || searchArray.length === 0) return false; return searchArray.some(search => collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search))); }; }(); var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10A1__disappearanceTime__c]: ' + obj.CA10A1__disappearanceTime__c); if (obj.CA10A1__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10A1__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = obj.CA10A1__engineName__c; } return this.out; }; references1.push('Engine Name [obj.CA10A1__engineName__c]: ' + obj.CA10A1__engineName__c); if (!CollectionLib.contains(CollectionLib.fromArray(['mysql', 'oracle', 'postgres', 'mariadb', 'aurora', 'aurora-postgresql', 'db2', 'db2-zos', 'mongodb', 'sqlserver'], true, true, true, true), extract3.call(extract3), true)) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "not(setOfText(['mysql', 'oracle', 'postgres', 'mariadb', 'aurora', 'aurora-postgresql', 'db2', 'db2-zos', 'mongodb', 'sqlserver']).contains(extract('CA10A1__engineName__c')))", currentStateMessage: "Endpoint SSL mode doesn't apply to this DMS endpoint engine.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function extract6() { if (!this.out) { this.out = obj.CA10A1__sslMode__c; } return this.out; }; references1.push('SSL Mode [obj.CA10A1__sslMode__c]: ' + obj.CA10A1__sslMode__c); if (TextLib.equal(extract6.call(extract6), 'none')) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10A1__sslMode__c') == 'none'", currentStateMessage: "The DMS endpoint connection is not encrypted with SSL.", currentStateReferences: references1.join('\n'), remediation: "Configure the DMS endpoint SSL mode.", runtimeError: null}; } // condition[3], conditionIndex:[300..399] function extract9() { if (!this.out) { this.out = obj.CA10A1__sslMode__c; } return this.out; }; if (CollectionLib.contains(CollectionLib.fromArray(['require', 'verify-ca', 'verify-full'], true, true, true, true), extract9.call(extract9), true)) { return {status: 'COMPLIANT', conditionIndex: 399, conditionText: "setOfText(['require', 'verify-ca', 'verify-full']).contains(extract('CA10A1__sslMode__c'))", currentStateMessage: "The DMS endpoint connection is encrypted with SSL.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'UNDETERMINED', conditionIndex: 400, conditionText: "otherwise", currentStateMessage: "Unexpected values in the fields.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__engineName__c AS CA10A1__engineName__c, sObject.CA10A1__sslMode__c AS CA10A1__sslMode__c, sObject.Id AS Id, process_CA10A1__CaAwsDmsEndpoint__c( STRUCT( sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__engineName__c AS CA10A1__engineName__c, sObject.CA10A1__sslMode__c AS CA10A1__sslMode__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10A1__CaAwsDmsEndpoint__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;