---
policy: /ce/ca/aws/ec2/security-group-allows-public-ipv6-to-admin-ports
logic: /ce/ca/aws/ec2/security-group-allows-public-ipv6-to-admin-ports/prod.logic.yaml
executionTime: 2026-02-10T22:32:44.833467628Z
generationMs: 84
executionMs: 1138
rows:
  - id: test1
    match: true
    status:
      expected: DISAPPEARED
      actual: DISAPPEARED
    conditionIndex:
      expected: 99
      actual: 99
    conditionText:
      expected: isDisappeared(CA10__disappearanceTime__c)
      actual: isDisappeared(CA10__disappearanceTime__c)
    runtimeError: {}
  - id: test2
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 199
      actual: 199
    conditionText:
      expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)
      actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)
    runtimeError: {}
  - id: test3
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 199
      actual: 199
    conditionText:
      expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)
      actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)
    runtimeError: {}
  - id: test4
    match: true
    status:
      expected: INCOMPLIANT
      actual: INCOMPLIANT
    conditionIndex:
      expected: 199
      actual: 199
    conditionText:
      expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)
      actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)
    runtimeError: {}
  - id: test5
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
  - id: test6
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
  - id: test7
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
  - id: test8
    match: true
    status:
      expected: COMPLIANT
      actual: COMPLIANT
    conditionIndex:
      expected: 200
      actual: 200
    conditionText:
      expected: otherwise
      actual: otherwise
    runtimeError: {}
usedFiles:
  - path: /ce/ca/aws/ec2/security-group-allows-public-ipv6-to-admin-ports/policy.yaml
    md5Hash: B474F936C392B32D644A49FB0D5870AE
    content: |
      ---
      names:
        full: AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports
        contextual: Security Group allows public IPv6 (::/0) access to admin ports
      description: "Security groups provide stateful filtering of ingress and egress network\
        \ traffic to AWS resources. It is recommended that no security group allows unrestricted\
        \ ingress access to remote server administration ports, such as SSH to port 22 and\
        \ RDP to port 3389."
      type: COMPLIANCE_POLICY
      categories:
        - SECURITY
      frameworkMappings:
        - "/frameworks/cis-aws-v6.0.0/06/04"
        - "/frameworks/cloudaware/resource-security/public-and-anonymous-access"
        - "/frameworks/aws-fsbp-v1.0.0/ec2/19"
      frameworkIgnoreMappings:
        - /frameworks/cis-aws-v1.3.0/05/02
        - /frameworks/cis-aws-v1.4.0/05/02
        - /frameworks/cis-aws-v1.5.0/05/02
        - /frameworks/cis-aws-v2.0.0/05/02
        - /frameworks/cis-aws-v3.0.0/05/02
      similarPolicies:
        internal:
          - dec-x-bcae85fb
  - path: /ce/ca/aws/ec2/security-group-allows-public-ipv6-to-admin-ports/prod.logic.yaml
    md5Hash: 2D2987565C3C87E410B7DDF6D05ED724
    content: "---\ninputType: \"CA10__CaAwsSecurityGroup__c\"\ntestData:\n  - file:\
      \ \"test-data.json\"\nconditions:\n  - status: \"INCOMPLIANT\"\n    currentStateMessage:\
      \ \"This security group allows ingress from ::/0 to remote administration ports.\"\
      \n    remediationMessage: \"Change the security group source to a range other\
      \ than ::/0 or delete the offending inbound rule.\"\n    check:\n      RELATED_LIST_HAS:\n\
      \        status: \"INCOMPLIANT\"\n        relationshipName: \"CA10__AWS_EC2_Security_Group_Rules__r\"\
      \notherwise:\n  status: \"COMPLIANT\"\n  currentStateMessage: \"This security\
      \ group does not allow ingress from ::/0.\"\nrelatedLists: \n  - relationshipName:\
      \ \"CA10__AWS_EC2_Security_Group_Rules__r\"\n    importExtracts:\n    - file:\
      \ \"/types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml\"\n    conditions:\n\
      \      - status: \"INAPPLICABLE\"\n        currentStateMessage: \"This is an\
      \ outbound security group rule.\"\n        check:\n          NOT_EQUAL:\n  \
      \          left:\n              EXTRACT: \"CA10__direction__c\"\n          \
      \  right:\n              TEXT: \"Inbound\"\n      - status: \"INAPPLICABLE\"\
      \n        currentStateMessage: \"This security group rule does not allow unrestricted\
      \ access.\"\n        check:\n          NOT_EQUAL:\n            left:\n     \
      \         EXTRACT: \"CA10__sourceIpRange__c\"\n            right:\n        \
      \      TEXT: \"::/0\"\n      - status: \"INAPPLICABLE\"\n        currentStateMessage:\
      \ \"This security group rule protocol is not All, TCP, or UDP.\"\n        check:\n\
      # check that protocol is neither all, tcp, or udp\n          NOT:\n        \
      \    arg:\n              OR:\n                args:\n                  - IS_EQUAL:\n\
      \                      left:\n                        EXTRACT: \"CA10__protocol__c\"\
      \n                      right:\n                        TEXT: \"All\"\n    \
      \              - IS_EQUAL:\n                      left:\n                  \
      \      EXTRACT: \"CA10__protocol__c\"\n                      right:\n      \
      \                  TEXT: \"tcp\"\n                  - IS_EQUAL:\n          \
      \            left:\n                        EXTRACT: \"CA10__protocol__c\"\n\
      \                      right:\n                        TEXT: \"udp\"\n     \
      \ - status: \"INCOMPLIANT\"\n        currentStateMessage: \"This security group\
      \ allows ingress from ::/0.\"\n        remediationMessage: \"Change the source\
      \ field to a range other than ::/0 or delete the offending inbound rule.\"\n\
      \        check:\n# check that port range either includes port 22 or port 3389,\
      \ or the range is empty (all ports)\n          OR:\n            args:\n    \
      \          - AND:\n                  args:\n                    - LESS_THAN_EQUAL:\n\
      \                        left:\n                          EXTRACT: \"CA10__fromPort__c\"\
      \n                        right:\n                          NUMBER: 22.0\n \
      \                   - GREATER_THAN_EQUAL:\n                        left:\n \
      \                         EXTRACT: \"CA10__toPort__c\"\n                   \
      \     right:\n                          NUMBER: 22.0\n              - AND:\n\
      \                  args:\n                    - LESS_THAN_EQUAL:\n         \
      \               left:\n                          EXTRACT: \"CA10__fromPort__c\"\
      \n                        right:\n                          NUMBER: 3389.0\n\
      \                    - GREATER_THAN_EQUAL:\n                        left:\n\
      \                          EXTRACT: \"CA10__toPort__c\"\n                  \
      \      right:\n                          NUMBER: 3389.0\n              - IS_EMPTY:\n\
      \                  arg:\n                    EXTRACT: \"CA10__fromPort__c\"\n\
      \              - IS_EMPTY:\n                  arg:\n                    EXTRACT:\
      \ \"CA10__toPort__c\"\n    otherwise:\n      status: \"COMPLIANT\"\n      currentStateMessage:\
      \ \"This security group does not allow ingress from ::/0.\"\n"
  - path: /ce/ca/aws/ec2/security-group-allows-public-ipv6-to-admin-ports/test-data.json
    md5Hash: DEC16A0F25C083E387BC5B0C43807634
    content: |-
      [
          {
              "expectedResult": {
                  "status": "DISAPPEARED",
                  "conditionIndex": "99",
                  "conditionText": "isDisappeared(CA10__disappearanceTime__c)",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test1",
              "CA10__disappearanceTime__c": "2024-05-27T17:37:28Z",
              "CA10__AWS_EC2_Security_Group_Rules__r": []
          },
          {
              "expectedResult": {
                  "status": "INCOMPLIANT",
                  "conditionIndex": "199",
                  "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test2",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": [
                  {
                      "Id": "test2_1",
                      "CA10__disappearanceTime__c": null,
                      "CA10__direction__c": "Inbound",
                      "CA10__sourceIpRange__c": "::/0",
                      "CA10__protocol__c": "All",
                      "CA10__fromPort__c": null,
                      "CA10__toPort__c": null,
                      "CA10__securityGroup__c": "test2"
                  }
              ]
          },
          {
              "expectedResult": {
                  "status": "INCOMPLIANT",
                  "conditionIndex": "199",
                  "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test3",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": [
                  {
                      "Id": "test3_1",
                      "CA10__disappearanceTime__c": null,
                      "CA10__direction__c": "Inbound",
                      "CA10__sourceIpRange__c": "::/0",
                      "CA10__protocol__c": "tcp",
                      "CA10__fromPort__c": 21.0,
                      "CA10__toPort__c": 23.0,
                      "CA10__securityGroup__c": "test3"
                  }
              ]
          },
          {
              "expectedResult": {
                  "status": "INCOMPLIANT",
                  "conditionIndex": "199",
                  "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test4",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": [
                  {
                      "Id": "test4_1",
                      "CA10__disappearanceTime__c": null,
                      "CA10__direction__c": "Inbound",
                      "CA10__sourceIpRange__c": "::/0",
                      "CA10__protocol__c": "udp",
                      "CA10__fromPort__c": 3380.0,
                      "CA10__toPort__c": 3390.0,
                      "CA10__securityGroup__c": "test4"
                  }
              ]
          },
          {
              "expectedResult": {
                  "status": "COMPLIANT",
                  "conditionIndex": "200",
                  "conditionText": "otherwise",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test5",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": [
                  {
                      "Id": "test5_1",
                      "CA10__disappearanceTime__c": null,
                      "CA10__direction__c": "Outbound",
                      "CA10__sourceIpRange__c": "::/0",
                      "CA10__protocol__c": "tcp",
                      "CA10__fromPort__c": null,
                      "CA10__toPort__c": null,
                      "CA10__securityGroup__c": "test5"
                  }
              ]
          },
          {
              "expectedResult": {
                  "status": "COMPLIANT",
                  "conditionIndex": "200",
                  "conditionText": "otherwise",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test6",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": [
                  {
                      "Id": "test6_1",
                      "CA10__disappearanceTime__c": null,
                      "CA10__direction__c": "Inbound",
                      "CA10__sourceIpRange__c": "0.0.0.0/0",
                      "CA10__protocol__c": "tcp",
                      "CA10__fromPort__c": null,
                      "CA10__toPort__c": null,
                      "CA10__securityGroup__c": "test6"
                  }
              ]
          },
          {
              "expectedResult": {
                  "status": "COMPLIANT",
                  "conditionIndex": "200",
                  "conditionText": "otherwise",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test7",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": [
                  {
                      "Id": "test7_1",
                      "CA10__disappearanceTime__c": null,
                      "CA10__direction__c": "Inbound",
                      "CA10__sourceIpRange__c": "::/0",
                      "CA10__protocol__c": "tcp",
                      "CA10__fromPort__c": 1111.0,
                      "CA10__toPort__c": 1111.0,
                      "CA10__securityGroup__c": "test7"
                  }
              ]
          },
          {
              "expectedResult": {
                  "status": "COMPLIANT",
                  "conditionIndex": "200",
                  "conditionText": "otherwise",
                  "runtimeError": null
              },
              "context": {
                  "snapshotTime": "2024-05-30T02:23:36Z"
              },
              "Id": "test8",
              "CA10__disappearanceTime__c": null,
              "CA10__AWS_EC2_Security_Group_Rules__r": []
          }
      ]
  - path: /types/CA10__CaAwsSecurityGroupRule2__c/object.extracts.yaml
    md5Hash: 58DC1872D7462985D50972C65C61C237
    content: "---\nextracts:\n# Values: IP, Group, PrefixList. Nullable, it can be\
      \ prefix list if empty. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n\
      \  - name: \"CA10__source__c\"\n    value: \n      FIELD:\n        path: \"\
      CA10__source__c\"\n# Values: IPv4, IPv6. Nullable it is not the IP source if\
      \ empty. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n  -\
      \ name: \"CA10__sourceIpVersion__c\"\n    value: \n      FIELD:\n        path:\
      \ \"CA10__sourceIpVersion__c\"\n# Nullable. Can't have no access, retrieved\
      \ via ec2:DescribeSecurityGroups\n  - name: \"CA10__sourceIpRange__c\"\n   \
      \ value: \n      FIELD:\n        path: \"CA10__sourceIpRange__c\"\n# Values:\
      \ Inbound, Outbound. Not nullable. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n\
      \  - name: \"CA10__direction__c\"\n    value: \n      FIELD:\n        path:\
      \ \"CA10__direction__c\"\n        undeterminedIf:\n          isEmpty: \"Corrupted\
      \ data. Rule Action cannot be empty.\"\n# Not nullable. Can't have no access,\
      \ retrieved via ec2:DescribeSecurityGroups\n  - name: \"CA10__protocol__c\"\n\
      \    value: \n      FIELD:\n        path: \"CA10__protocol__c\"\n        undeterminedIf:\n\
      \          isEmpty: \"Corrupted data. Protocol cannot be empty.\"\n# Nullable.\
      \ Can't have no access, retrieved via ec2:DescribeSecurityGroups\n  - name:\
      \ \"CA10__fromPort__c\"\n    value: \n      FIELD:\n        path: \"CA10__fromPort__c\"\
      \n# Nullable. Can't have no access, retrieved via ec2:DescribeSecurityGroups\n\
      \  - name: \"CA10__toPort__c\"\n    value: \n      FIELD:\n        path: \"\
      CA10__toPort__c\"\n"
script: |-
  CREATE TEMP FUNCTION mock_ExpectedResult()
  RETURNS ARRAY<STRUCT<
          Id STRING,
          expectedResult STRUCT<status STRING, conditionIndex DECIMAL, conditionText STRING, runtimeError STRING>
      >>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
    return [ {
    "Id" : "test1",
    "expectedResult" : {
      "status" : "DISAPPEARED",
      "conditionIndex" : "99",
      "conditionText" : "isDisappeared(CA10__disappearanceTime__c)",
      "runtimeError" : null
    }
  }, {
    "Id" : "test2",
    "expectedResult" : {
      "status" : "INCOMPLIANT",
      "conditionIndex" : "199",
      "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)",
      "runtimeError" : null
    }
  }, {
    "Id" : "test3",
    "expectedResult" : {
      "status" : "INCOMPLIANT",
      "conditionIndex" : "199",
      "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)",
      "runtimeError" : null
    }
  }, {
    "Id" : "test4",
    "expectedResult" : {
      "status" : "INCOMPLIANT",
      "conditionIndex" : "199",
      "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)",
      "runtimeError" : null
    }
  }, {
    "Id" : "test5",
    "expectedResult" : {
      "status" : "COMPLIANT",
      "conditionIndex" : "200",
      "conditionText" : "otherwise",
      "runtimeError" : null
    }
  }, {
    "Id" : "test6",
    "expectedResult" : {
      "status" : "COMPLIANT",
      "conditionIndex" : "200",
      "conditionText" : "otherwise",
      "runtimeError" : null
    }
  }, {
    "Id" : "test7",
    "expectedResult" : {
      "status" : "COMPLIANT",
      "conditionIndex" : "200",
      "conditionText" : "otherwise",
      "runtimeError" : null
    }
  }, {
    "Id" : "test8",
    "expectedResult" : {
      "status" : "COMPLIANT",
      "conditionIndex" : "200",
      "conditionText" : "otherwise",
      "runtimeError" : null
    }
  } ];
  """;

  CREATE TEMP FUNCTION mock_CA10__CaAwsSecurityGroup__c()
  RETURNS ARRAY<STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      Id STRING,
      context STRUCT<
          snapshotTime TIMESTAMP
      >
  >>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
    return [ {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__disappearanceTime__c" : new Date("2024-05-27T17:37:28Z"),
    "Id" : "test1"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test2"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test3"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test4"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test5"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test6"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test7"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "Id" : "test8"
  } ];
  """;

  CREATE TEMP FUNCTION mock_CA10__CaAwsSecurityGroupRule2__c()
  RETURNS ARRAY<STRUCT<
      CA10__disappearanceTime__c TIMESTAMP,
      CA10__direction__c STRING,
      CA10__sourceIpRange__c STRING,
      CA10__protocol__c STRING,
      CA10__fromPort__c FLOAT64,
      CA10__toPort__c FLOAT64,
      CA10__securityGroup__c STRING,
      Id STRING,
      context STRUCT<
          snapshotTime TIMESTAMP
      >
  >>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
    return [ {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__direction__c" : "Inbound",
    "CA10__sourceIpRange__c" : "::/0",
    "CA10__protocol__c" : "All",
    "CA10__fromPort__c" : null,
    "CA10__toPort__c" : null,
    "CA10__securityGroup__c" : "test2",
    "Id" : "test2_1"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__direction__c" : "Inbound",
    "CA10__sourceIpRange__c" : "::/0",
    "CA10__protocol__c" : "tcp",
    "CA10__fromPort__c" : 21.0,
    "CA10__toPort__c" : 23.0,
    "CA10__securityGroup__c" : "test3",
    "Id" : "test3_1"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__direction__c" : "Inbound",
    "CA10__sourceIpRange__c" : "::/0",
    "CA10__protocol__c" : "udp",
    "CA10__fromPort__c" : 3380.0,
    "CA10__toPort__c" : 3390.0,
    "CA10__securityGroup__c" : "test4",
    "Id" : "test4_1"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__direction__c" : "Outbound",
    "CA10__sourceIpRange__c" : "::/0",
    "CA10__protocol__c" : "tcp",
    "CA10__fromPort__c" : null,
    "CA10__toPort__c" : null,
    "CA10__securityGroup__c" : "test5",
    "Id" : "test5_1"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__direction__c" : "Inbound",
    "CA10__sourceIpRange__c" : "0.0.0.0/0",
    "CA10__protocol__c" : "tcp",
    "CA10__fromPort__c" : null,
    "CA10__toPort__c" : null,
    "CA10__securityGroup__c" : "test6",
    "Id" : "test6_1"
  }, {
    "context" : {
      "snapshotTime" : new Date("2024-05-30T02:23:36Z")
    },
    "CA10__direction__c" : "Inbound",
    "CA10__sourceIpRange__c" : "::/0",
    "CA10__protocol__c" : "tcp",
    "CA10__fromPort__c" : 1111.0,
    "CA10__toPort__c" : 1111.0,
    "CA10__securityGroup__c" : "test7",
    "Id" : "test7_1"
  } ];
  """;

  CREATE TEMP FUNCTION process_CA10__CaAwsSecurityGroup__c(
      obj STRUCT<
          CA10__disappearanceTime__c TIMESTAMP,
          Id STRING,
          CA10__AWS_EC2_Security_Group_Rules__r ARRAY<STRUCT<
              CA10__disappearanceTime__c TIMESTAMP,
              CA10__direction__c STRING,
              CA10__sourceIpRange__c STRING,
              CA10__protocol__c STRING,
              CA10__fromPort__c FLOAT64,
              CA10__toPort__c FLOAT64,
              CA10__securityGroup__c STRING,
              Id STRING,
              result STRUCT<status STRING, conditionIndex DECIMAL, conditionText STRING, currentStateMessage STRING, currentStateReferences STRING, remediation STRING, runtimeError STRING>
          >>
      >,
      snapshotTime TIMESTAMP
  )
  RETURNS STRUCT<status STRING, conditionIndex DECIMAL, conditionText STRING, currentStateMessage STRING, currentStateReferences STRING, remediation STRING, runtimeError STRING>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
      var references1 = [];
      // condition[0], conditionIndex:[0..99]
      references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
      if (obj.CA10__disappearanceTime__c != null) {
          return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
      }
      var count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 = 0;
      if (obj.CA10__AWS_EC2_Security_Group_Rules__r != null) {
          for (var i3 = 0; i3 < obj.CA10__AWS_EC2_Security_Group_Rules__r.length; i3++) {
              if (typeof(obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].status) !== 'undefined') {
                  if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].status == 'INCOMPLIANT') {
                      count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 += obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].count;
                  }
              } else  {
                  if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i3].result.status == 'INCOMPLIANT') {
                      count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 += 1;
                  }
              }
          }
      }
      // condition[1], conditionIndex:[100..199]
      references1.push('Related list [CA10__AWS_EC2_Security_Group_Rules__r] ' + (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status');
      if (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT2 > 0) {
          return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", currentStateMessage: "This security group allows ingress from ::/0 to remote administration ports.", currentStateReferences: references1.join('\n'), remediation: "Change the security group source to a range other than ::/0 or delete the offending inbound rule.", runtimeError: null};
      }
      return {status: 'COMPLIANT', conditionIndex: 200, conditionText: "otherwise", currentStateMessage: "This security group does not allow ingress from ::/0.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  """;

  CREATE TEMP FUNCTION process_CA10__AWS_EC2_Security_Group_Rules__r(
      obj STRUCT<
          CA10__disappearanceTime__c TIMESTAMP,
          CA10__direction__c STRING,
          CA10__sourceIpRange__c STRING,
          CA10__protocol__c STRING,
          CA10__fromPort__c FLOAT64,
          CA10__toPort__c FLOAT64,
          CA10__securityGroup__c STRING,
          Id STRING
      >,
      snapshotTime TIMESTAMP
  )
  RETURNS STRUCT<status STRING, conditionIndex DECIMAL, conditionText STRING, currentStateMessage STRING, currentStateReferences STRING, remediation STRING, runtimeError STRING>
  DETERMINISTIC
  LANGUAGE js
  AS r"""
  var IsEmptyLib = new function () {
      this.simpleIsEmpty = function(arg) {
          return arg == null;
      };
      this.simpleIsNotEmpty = function(arg) {
          return arg != null;
      };
  }();
  var TextLib = new function () {
      this.normalize = function(arg) {
          return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase();
      };
      this.isEmpty = function(arg) {
          return this.normalize(arg) == '';
      };
      this.isNotEmpty = function(arg) {
          return this.normalize(arg) != '';
      };
      this.equal = function(left, right) {
          return this.normalize(left) == this.normalize(right);
      };
      this.notEqual = function(left, right) {
          return this.normalize(left) != this.normalize(right);
      };
      this.startsWith = function(arg, substring) {
          return this.normalize(arg).startsWith(this.normalize(substring));
      };
      this.endsWith = function(arg, substring) {
          return this.normalize(arg).endsWith(this.normalize(substring));
      };
      this.contains = function(arg, substring) {
          return this.normalize(arg).includes(this.normalize(substring));
      };
      this.containsAll = function(arg, substrings) {
          if (substrings == null || substrings.length === 0) return false;
          let normalizedArg = this.normalize(arg);
          return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
      };
      this.containsAny = function(arg, substrings) {
          if (substrings == null || substrings.length === 0) return false;
          let normalizedArg = this.normalize(arg);
          return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
      };
  }();
      var references1 = [];
      // condition[0], conditionIndex:[0..99]
      references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
      if (obj.CA10__disappearanceTime__c != null) {
          return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
      }
      // condition[1], conditionIndex:[100..199]
      function fieldChecked4() {
          if (TextLib.isEmpty(obj.CA10__direction__c)) {
              throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__direction__c.isEmpty()", currentStateMessage: "Corrupted data. Rule Action cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
          }
          return obj.CA10__direction__c;
      }
      function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; };
      references1.push('Direction [obj.CA10__direction__c]: ' + obj.CA10__direction__c);
      try {
          if (TextLib.notEqual(extract3.call(extract3), 'Inbound')) {
              return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__direction__c') != 'Inbound'", currentStateMessage: "This is an outbound security group rule.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
          }
      } catch (err) {
          if (err.cause && err.cause.status) { return err.cause; } else { throw err; }
      }
      // condition[2], conditionIndex:[200..299]
      function extract6() { if (!this.out) { this.out = obj.CA10__sourceIpRange__c; } return this.out; };
      references1.push('Source IP Range [obj.CA10__sourceIpRange__c]: ' + obj.CA10__sourceIpRange__c);
      if (TextLib.notEqual(extract6.call(extract6), '::/0')) {
          return {status: 'INAPPLICABLE', conditionIndex: 299, conditionText: "extract('CA10__sourceIpRange__c') != '::/0'", currentStateMessage: "This security group rule does not allow unrestricted access.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
      }
      // condition[3], conditionIndex:[300..399]
      function fieldChecked10() {
          if (TextLib.isEmpty(obj.CA10__protocol__c)) {
              throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__protocol__c.isEmpty()", currentStateMessage: "Corrupted data. Protocol cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}});
          }
          return obj.CA10__protocol__c;
      }
      function extract9() { if (!this.out) { this.out = fieldChecked10(); } return this.out; };
      references1.push('Protocol [obj.CA10__protocol__c]: ' + obj.CA10__protocol__c);
      try {
          if (!(TextLib.equal(extract9.call(extract9), 'All') || TextLib.equal(extract9.call(extract9), 'tcp') || TextLib.equal(extract9.call(extract9), 'udp'))) {
              return {status: 'INAPPLICABLE', conditionIndex: 399, conditionText: "not(extract('CA10__protocol__c') == 'All' || extract('CA10__protocol__c') == 'tcp' || extract('CA10__protocol__c') == 'udp')", currentStateMessage: "This security group rule protocol is not All, TCP, or UDP.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
          }
      } catch (err) {
          if (err.cause && err.cause.status) { return err.cause; } else { throw err; }
      }
      // condition[4], conditionIndex:[400..499]
      function extract15() { if (!this.out) { this.out = obj.CA10__fromPort__c; } return this.out; };
      function extract19() { if (!this.out) { this.out = obj.CA10__toPort__c; } return this.out; };
      references1.push('From Port [obj.CA10__fromPort__c]: ' + obj.CA10__fromPort__c);
      references1.push('To Port [obj.CA10__toPort__c]: ' + obj.CA10__toPort__c);
      if (((extract15.call(extract15) != null && 22.0 != null && extract15.call(extract15) <= 22.0) && (extract19.call(extract19) != null && 22.0 != null && extract19.call(extract19) >= 22.0)) || ((extract15.call(extract15) != null && 3389.0 != null && extract15.call(extract15) <= 3389.0) && (extract19.call(extract19) != null && 3389.0 != null && extract19.call(extract19) >= 3389.0)) || IsEmptyLib.simpleIsEmpty(extract15.call(extract15)) || IsEmptyLib.simpleIsEmpty(extract19.call(extract19))) {
          return {status: 'INCOMPLIANT', conditionIndex: 499, conditionText: "(extract('CA10__fromPort__c') <= number(22.0) && extract('CA10__toPort__c') >= number(22.0)) || (extract('CA10__fromPort__c') <= number(3389.0) && extract('CA10__toPort__c') >= number(3389.0)) || extract('CA10__fromPort__c').isEmpty() || extract('CA10__toPort__c').isEmpty()", currentStateMessage: "This security group allows ingress from ::/0.", currentStateReferences: references1.join('\n'), remediation: "Change the source field to a range other than ::/0 or delete the offending inbound rule.", runtimeError: null};
      }
      return {status: 'COMPLIANT', conditionIndex: 500, conditionText: "otherwise", currentStateMessage: "This security group does not allow ingress from ::/0.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null};
  """;


  SELECT
    expectedResult.Id as Id,
    IF (
      IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
      AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
      AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
      AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
      "MATCH",
      "FAIL"
    ) as match,
    expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus,
    expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex,
    expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText,
    expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError
  FROM UNNEST(mock_ExpectedResult()) expectedResult
  LEFT JOIN (
      SELECT
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.Id AS Id,
          `CA10__AWS_EC2_Security_Group_Rules__r`.arr AS CA10__AWS_EC2_Security_Group_Rules__r,
          process_CA10__CaAwsSecurityGroup__c(
              STRUCT(
                  sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                  sObject.Id AS Id,
                  `CA10__AWS_EC2_Security_Group_Rules__r`.arr AS CA10__AWS_EC2_Security_Group_Rules__r
              ),
              sObject.context.snapshotTime
          ) as result
      FROM UNNEST(mock_CA10__CaAwsSecurityGroup__c()) AS sObject
      LEFT JOIN (
          SELECT
              sObject.CA10__securityGroup__c,
              ARRAY_AGG(
                  STRUCT(
                      sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                      sObject.CA10__direction__c AS CA10__direction__c,
                      sObject.CA10__sourceIpRange__c AS CA10__sourceIpRange__c,
                      sObject.CA10__protocol__c AS CA10__protocol__c,
                      sObject.CA10__fromPort__c AS CA10__fromPort__c,
                      sObject.CA10__toPort__c AS CA10__toPort__c,
                      sObject.CA10__securityGroup__c AS CA10__securityGroup__c,
                      sObject.Id AS Id,
                      process_CA10__AWS_EC2_Security_Group_Rules__r(
                          STRUCT(
                              sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                              sObject.CA10__direction__c AS CA10__direction__c,
                              sObject.CA10__sourceIpRange__c AS CA10__sourceIpRange__c,
                              sObject.CA10__protocol__c AS CA10__protocol__c,
                              sObject.CA10__fromPort__c AS CA10__fromPort__c,
                              sObject.CA10__toPort__c AS CA10__toPort__c,
                              sObject.CA10__securityGroup__c AS CA10__securityGroup__c,
                              sObject.Id AS Id
                          ),
                          sObject.context.snapshotTime
                      ) as result
                  )
              ) AS arr
          FROM UNNEST(mock_CA10__CaAwsSecurityGroupRule2__c()) AS sObject
          GROUP BY sObject.CA10__securityGroup__c
      ) AS `CA10__AWS_EC2_Security_Group_Rules__r`
          ON sObject.Id = `CA10__AWS_EC2_Security_Group_Rules__r`.CA10__securityGroup__c
  ) sObject ON sObject.Id = expectedResult.Id;