--- policy: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet logic: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet/prod.logic.yaml executionTime: 2026-02-10T22:32:45.062160555Z generationMs: 132 executionMs: 1590 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: isEmptyLookup('CA10__vpcSubnet__r') actual: isEmptyLookup('CA10__vpcSubnet__r') runtimeError: {} - id: test3 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__publicIpAddress__c').isNotEmpty() actual: extract('CA10__publicIpAddress__c').isNotEmpty() runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(INCOMPLIANT) actual: CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(INCOMPLIANT) runtimeError: {} - id: test5 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT) actual: CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT) runtimeError: {} - id: test6 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 599 actual: 599 conditionText: expected: CA10__vpc__r.CA10__routeTables__r.has(INCOMPLIANT) actual: CA10__vpc__r.CA10__routeTables__r.has(INCOMPLIANT) runtimeError: {} - id: test7 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 600 actual: 600 conditionText: expected: 
otherwise actual: otherwise runtimeError: {} - id: test8 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT) actual: CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT) runtimeError: {} usedFiles: - path: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet/policy.yaml md5Hash: F7C926B7A86887ECDAC8FC8766F6AE1E content: | --- names: full: AWS EC2 Instance without a public IP address is in a public subnet contextual: Instance without a public IP address is in a public subnet description: "Migrate EC2 instances that don't need internet access to a private subnet,\ \ or remove the direct route to an Internet Gateway within the subnet. EC2 Instances\ \ without a public IPv4/IPv6 address are unable to connect to the internet directly, so\ \ keeping them in a public subnet is a potential misconfiguration that can lead to security breaches, convoluted\ \ network architecture, and unnecessary management overhead. Consider using a bastion\ \ host or NAT device to provide internet access to EC2 instances that do not need\ \ to be public." type: COMPLIANCE_POLICY categories: - SECURITY - RELIABILITY frameworkMappings: - "/frameworks/cloudaware/resource-reliability/system-configuration" - path: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet/prod.logic.yaml md5Hash: AB9179F1881D5C1DFBC476B67A49128F content: "---\n# Policy identifies EC2 Instances in a public subnet without a public\ \ IP address.\n# If an instance doesn't have a public IP, it can't connect to\ \ the internet and should be in a private subnet\n# Public subnet is a subnet\ \ that has a route to Internet Gateway\n\n# There are 2 cases when a subnet\ \ is public.\n\n# Case A - [EC2 Instance . VPC Subnet -> Route Table Association\ \ . 
Route Table -> Route]\n# instance subnet has a CUSTOM Route Table with a\ \ Route to Internet Gateway.\n# in this case the EC2 Instance VPC Subnet will\ \ have Route Table Association object that points to Route Table -> Route\n\n\ # Case B - [EC2 Instance . VPC -> Route Table (-> Route Table Association) ->\ \ Route]\n# instance subnet has a MAIN Route Table (which is denoted by Main\ \ field on Route Table Association object, and is created by default in VPCs)\ \ with a Route to Internet Gateway.\n# in this case the EC2 Instance VPC Subnet\ \ will NOT have Route Table Association object and we have to find the MAIN\ \ Route Table before we check the Route\n# after we get to VPC -> Route Table\ \ related list, we have to take 3 steps\n# 1st step: -> Route Table Association\ \ CA10__main__c == true to single out only the main table for the 3rd step\n# 2nd step:\ \ -> Route CA10__gatewayId__c starts with \"igw\"\n# 3rd step: finally we mark\ \ as INCOMPLIANT a Route Table that HAS Route Table Association CA10__main__c\ \ == true AND Route CA10__gatewayId__c starts with \"igw\" \ninputType: CA10__CaAwsInstance__c\n\ testData:\n - file: test-data.json\nimportExtracts:\n - file: \"/types/CA10__CaAwsInstance__c/object.extracts.yaml\"\ \nconditions:\n - status: \"INAPPLICABLE\"\n currentStateMessage: \"The\ \ instance does not belong to a subnet.\"\n check:\n IS_EMPTY_LOOKUP:\ \ \"CA10__vpcSubnet__r\"\n - status: \"INAPPLICABLE\"\n currentStateMessage:\ \ \"The instance has a public IP address.\"\n check:\n NOT_EMPTY:\n\ \ arg:\n EXTRACT: \"CA10__publicIpAddress__c\"\n# Case A: 1.\ \ INCOMPLIANT status if EC2 Instance . 
VPC Subnet -> Route Table Association\ \ has Route Table with a Route to Internet Gateway\n - status: \"INCOMPLIANT\"\ \n currentStateMessage: \"This EC2 instance is in a public subnet.\"\n \ \ remediationMessage: \"Remove the public route or migrate the instance to\ \ a private subnet.\"\n check:\n # Case A: 1.1.\n RELATED_LIST_HAS:\ \ \n status: \"INCOMPLIANT\"\n relationshipName: \"CA10__vpcSubnet__r.CA10__routeTableAssociations__r\"\ \n# Case A: 1. COMPLIANT status if VPC Subnet -> Route Table Association DOESN'T\ \ have Route Table with a Route to Internet Gateway\n - status: \"COMPLIANT\"\ \n currentStateMessage: \"This EC2 instance is in a private subnet.\"\n \ \ check:\n # Case A: 1.1.\n RELATED_LIST_HAS:\n status: \"\ COMPLIANT\"\n relationshipName: \"CA10__vpcSubnet__r.CA10__routeTableAssociations__r\"\ \n# Case B: 2. INCOMPLIANT status if EC2 Instance . VPC -> MAIN Route Table\ \ has a Route to Internet Gateway\n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This EC2 instance is in a public subnet.\"\n remediationMessage: \"Remove\ \ the public route or migrate the instance to a private subnet.\"\n check:\n\ \ # Case B: 2.1.\n RELATED_LIST_HAS:\n status: \"INCOMPLIANT\"\ \n relationshipName: \"CA10__vpc__r.CA10__routeTables__r\"\n# NOTE(review): the otherwise branch below returns COMPLIANT, but its message says \"not in a private subnet\"; presumably \"not in a public subnet\" was intended - confirm.\notherwise:\n\ \ status: \"COMPLIANT\"\n currentStateMessage: \"This EC2 instance is not\ \ in a private subnet.\"\nrelatedLists:\n - relationshipName: \"CA10__vpcSubnet__r.CA10__routeTableAssociations__r\"\ \n importExtracts:\n - file: \"/types/CA10__CaAwsRoute__c/object.extracts.yaml\"\ \n conditions:\n# Case A: 1.1. 
INCOMPLIANT status if Route Table -> Route\ \ has Internet Gateway\n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This subnet route table has an Internet Gateway route.\"\n remediationMessage:\ \ \"Remove Internet Gateway routes.\"\n check:\n # Case A: 1.1.1.\n\ \ RELATED_LIST_HAS:\n status: \"INCOMPLIANT\"\n \ \ relationshipName: \"CA10__routeTable__r.CA10__routes__r\"\n otherwise:\n\ \ status: \"COMPLIANT\"\n currentStateMessage: \"This subnet is compliant.\"\ \n relatedLists:\n - relationshipName: \"CA10__routeTable__r.CA10__routes__r\"\ \n conditions:\n# Case A: 1.1.1. INCOMPLIANT status if Route has Internet\ \ Gateway\n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This is an Internet Gateway route.\"\n remediationMessage: \"\ Remove this route.\"\n check:\n STARTS_WITH:\n \ \ arg:\n EXTRACT: \"CA10__gatewayId__c\"\n \ \ search:\n TEXT: \"igw\"\n otherwise:\n \ \ status: \"COMPLIANT\"\n currentStateMessage: \"This is not\ \ an Internet Gateway route.\"\n - relationshipName: \"CA10__vpc__r.CA10__routeTables__r\"\ \n importExtracts:\n - file: \"/types/CA10__CaAwsRoute__c/object.extracts.yaml\"\ \n - file: \"/types/CA10__CaAwsRouteTableAssociation__c/object.extracts.yaml\"\ \n conditions:\n# Case B: 2.1. 
INCOMPLIANT status if VPC -> Route Table HAS\ \ Route Table Association CA10__main__c == true AND Route CA10__gatewayId__c\ \ starts with \"igw\" \n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This is a Main Route Table with an Internet Gateway route.\"\n remediationMessage:\ \ \"Remove this route.\"\n check:\n AND:\n args:\n\ \ # Case B: 2.1.1.\n - RELATED_LIST_HAS:\n \ \ status: \"COMPLIANT\"\n relationshipName: \"CA10__routeTableAssociations__r\"\ \n # Case B: 2.1.2.\n - RELATED_LIST_HAS:\n \ \ status: \"INCOMPLIANT\"\n relationshipName: \"CA10__routes__r\"\ \n otherwise:\n status: \"INAPPLICABLE\"\n currentStateMessage:\ \ \"Custom Route Tables or Main Route Table without Internet Gateway.\"\n \ \ relatedLists:\n - relationshipName: \"CA10__routeTableAssociations__r\"\ \n conditions:\n# Case B: 2.1.1. COMPLIANT status (used here as the \"is Main Route Table\" marker that the 2.1.1 check above looks for) if Route Table Association\ \ CA10__main__c == true\n - status: \"COMPLIANT\"\n currentStateMessage:\ \ \"This is a Main Route Table.\"\n check:\n IS_EQUAL:\n\ \ left:\n EXTRACT: \"CA10__main__c\"\n \ \ right:\n BOOLEAN: true\n otherwise:\n \ \ status: \"INAPPLICABLE\"\n currentStateMessage: \"This is\ \ not a Main Route Table.\"\n - relationshipName: \"CA10__routes__r\"\n\ \ conditions:\n# Case B: 2.1.2. 
INCOMPLIANT status if Route CA10__gatewayId__c\ \ starts with \"igw\" \n - status: \"INCOMPLIANT\"\n currentStateMessage:\ \ \"This is an Internet Gateway route.\"\n remediationMessage: \"\ Remove this route.\"\n check:\n STARTS_WITH:\n \ \ arg:\n EXTRACT: \"CA10__gatewayId__c\"\n \ \ search:\n TEXT: \"igw\"\n otherwise:\n \ \ status: \"COMPLIANT\"\n currentStateMessage: \"This is not\ \ an Internet Gateway route.\"\n" - path: /ce/ca/aws/ec2/instance-without-public-ip-in-public-subnet/test-data.json md5Hash: 15F5977FBF2522B1B6312F6B1AF7DEC5 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-06-27T15:46:06Z", "CA10__vpcSubnet__c": "", "CA10__subnetId__c": "", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "", "CA10__vpcSubnet__r": { "Id": null, "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [] }, "CA10__vpc__r": { "Id": null, "CA10__routeTables__r": [] } }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "isEmptyLookup('CA10__vpcSubnet__r')", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "", "CA10__subnetId__c": "", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "", "CA10__vpcSubnet__r": { "Id": null, "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [] }, "CA10__vpc__r": { "Id": null, "CA10__routeTables__r": [] } }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "299", "conditionText": "extract('CA10__publicIpAddress__c').isNotEmpty()", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "vpcSubnet3", "CA10__subnetId__c": "subnetId", 
"CA10__publicIpAddress__c": "1.1.1.1.", "CA10__vpc__c": "vpc3", "CA10__vpcSubnet__r": { "Id": "vpcSubnet3", "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [ { "Id": "test3_1", "CA10__disappearanceTime__c": null, "CA10__subnet__c": "vpcSubnet3", "CA10__routeTable__c": "routeTable3", "CA10__routeTable__r": { "Id": "routeTable3", "CA10__routes__r": [ { "Id": "test3_1_1", "CA10__disappearanceTime__c": null, "CA10__gatewayId__c": "igw-3", "CA10__routeTable__c": "routeTable3" } ] } } ] }, "CA10__vpc__r": { "Id": "vpc3", "CA10__routeTables__r": [] } }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "399", "conditionText": "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "vpcSubnet4", "CA10__subnetId__c": "subnetId", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "vpc4", "CA10__vpcSubnet__r": { "Id": "vpcSubnet4", "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [ { "Id": "test4_1", "CA10__disappearanceTime__c": null, "CA10__subnet__c": "vpcSubnet4", "CA10__routeTable__c": "routeTable4", "CA10__routeTable__r": { "Id": "routeTable4", "CA10__routes__r": [ { "Id": "test4_1_1", "CA10__disappearanceTime__c": null, "CA10__gatewayId__c": "igw-4", "CA10__routeTable__c": "routeTable4" } ] } } ] }, "CA10__vpc__r": { "Id": "vpc4", "CA10__routeTables__r": [] } }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "499", "conditionText": "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "vpcSubnet5", "CA10__subnetId__c": "subnetId", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "vpc5", "CA10__vpcSubnet__r": { "Id": "vpcSubnet5", "CA10__disappearanceTime__c": null, 
"CA10__routeTableAssociations__r": [ { "Id": "test5_1", "CA10__disappearanceTime__c": null, "CA10__subnet__c": "vpcSubnet5", "CA10__routeTable__c": "routeTable5", "CA10__routeTable__r": { "Id": "routeTable5", "CA10__routes__r": [ { "Id": "test5_1_1", "CA10__disappearanceTime__c": null, "CA10__gatewayId__c": "gatewayId5", "CA10__routeTable__c": "routeTable5" } ] } } ] }, "CA10__vpc__r": { "Id": "vpc5", "CA10__routeTables__r": [] } }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "599", "conditionText": "CA10__vpc__r.CA10__routeTables__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test6", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "vpcSubnet6", "CA10__subnetId__c": "subnetId", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "vpc6", "CA10__vpcSubnet__r": { "Id": "vpcSubnet6", "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [] }, "CA10__vpc__r": { "Id": "vpc6", "CA10__routeTables__r": [ { "Id": "routeTable6", "CA10__disappearanceTime__c": null, "CA10__vpc__c": "vpc6", "CA10__routeTableAssociations__r": [ { "Id": "test6_1", "CA10__disappearanceTime__c": null, "CA10__main__c": true, "CA10__routeTable__c": "routeTable6" } ], "CA10__routes__r": [ { "Id": "test6_2", "CA10__disappearanceTime__c": null, "CA10__gatewayId__c": "igw-6", "CA10__routeTable__c": "routeTable6" } ] } ] } }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "600", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test7", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "vpcSubnet7", "CA10__subnetId__c": "subnetId", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "vpc7", "CA10__vpcSubnet__r": { "Id": "vpcSubnet7", "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [] }, "CA10__vpc__r": { "Id": "vpc7", "CA10__routeTables__r": [ { "Id": "routeTable7", "CA10__disappearanceTime__c": 
null, "CA10__vpc__c": "vpc7", "CA10__routeTableAssociations__r": [ { "Id": "test7_1", "CA10__disappearanceTime__c": null, "CA10__main__c": true, "CA10__routeTable__c": "routeTable7" } ], "CA10__routes__r": [ { "Id": "test7_2", "CA10__disappearanceTime__c": null, "CA10__gatewayId__c": "", "CA10__routeTable__c": "routeTable7" } ] } ] } }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "499", "conditionText": "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-07-04T20:36:39Z" }, "Id": "test8", "CA10__disappearanceTime__c": null, "CA10__vpcSubnet__c": "vpcSubnet8", "CA10__subnetId__c": "subnetId", "CA10__publicIpAddress__c": "", "CA10__vpc__c": "vpc8", "CA10__vpcSubnet__r": { "Id": "vpcSubnet8", "CA10__disappearanceTime__c": null, "CA10__routeTableAssociations__r": [ { "Id": "test8_1", "CA10__disappearanceTime__c": null, "CA10__subnet__c": "vpcSubnet8", "CA10__routeTable__c": "routeTable8", "CA10__routeTable__r": { "Id": "routeTable8", "CA10__routes__r": [ { "Id": "test8_1_1", "CA10__disappearanceTime__c": "2024-07-04T20:36:39Z", "CA10__gatewayId__c": "igw-8", "CA10__routeTable__c": "routeTable8" } ] } } ] }, "CA10__vpc__r": { "Id": "vpc8", "CA10__routeTables__r": [] } } ] - path: /types/CA10__CaAwsRouteTableAssociation__c/object.extracts.yaml md5Hash: A7C7920B6078DD78806ADA0DC37D345B content: "---\nextracts:\n# Checkbox. Can't have no access, retrieved via ec2:DescribeRouteTables\n\ \ - name: \"CA10__main__c\"\n value: \n FIELD:\n path: \"CA10__main__c\"" - path: /types/CA10__CaAwsRoute__c/object.extracts.yaml md5Hash: E4999A9B58375B79BA8254DDA1FC6534 content: "---\nextracts:\n# Nullable. Can't have no access, retrieved via ec2:DescribeRouteTables\n\ \ - name: \"CA10__gatewayId__c\"\n value: \n FIELD:\n path:\ \ \"CA10__gatewayId__c\"\n# Nullable. 
Can't have no access, retrieved via ec2:DescribeRouteTables\n\ \ - name: \"CA10__destinationIpv6CidrBlock__c\"\n value: \n FIELD:\n\ \ path: \"CA10__destinationIpv6CidrBlock__c\"\n# Nullable. Can't have\ \ no access, retrieved via ec2:DescribeRouteTables\n - name: \"CA10__destinationCidrBlock__c\"\ \n value: \n FIELD:\n path: \"CA10__destinationCidrBlock__c\"" - path: /types/CA10__CaAwsInstance__c/object.extracts.yaml md5Hash: BA4E6733C7AF791FAB57658956CE24DF content: "---\nextracts:\n# Values pending, applied. Not nullable. Can't have\ \ no access, retrieved via ec2:DescribeInstances\n - name: \"CA10__metadataState__c\"\ \n value: \n FIELD:\n path: \"CA10__metadataState__c\"\n \ \ undeterminedIf:\n isEmpty: \"Corrupted data. EC2 Instances Metadata\ \ State cannot be empty.\"\n# Values: optional, required. Not nullable. Can't\ \ have no access, retrieved via ec2:DescribeInstances\n - name: \"CA10__metadataHttpTokens__c\"\ \n value: \n FIELD:\n path: \"CA10__metadataHttpTokens__c\"\n\ \ undeterminedIf:\n isEmpty: \"Corrupted data. EC2 Instances\ \ Metadata Http Token cannot be empty.\"\n - name: CA10__iamInstanceProfileArn__c\n\ \ value:\n FIELD: \n path: CA10__iamInstanceProfileArn__c\n#\ \ Nullable. Can't have no access, retrieved via ec2:DescribeInstances\n - name:\ \ \"CA10__publicIpAddress__c\"\n value: \n FIELD:\n path: \"\ CA10__publicIpAddress__c\"\n# Values: enabled, disabled. Not nullable. Can't\ \ have no access, retrieved via ec2:DescribeInstances\n - name: \"CA10__monitoringState__c\"\ \n value: \n FIELD:\n path: \"CA10__monitoringState__c\"\n \ \ undeterminedIf:\n isEmpty: \"Corrupted data. EC2 Instances Detailed\ \ Monitoring State cannot be empty.\"\n# Values: pending | running | shutting-down\ \ | terminated | stopping | stopped. 
Not nullable.\n - name: \"CA10__stateName__c\"\ \n value: \n FIELD:\n path: \"CA10__stateName__c\"\n undeterminedIf:\n\ \ noAccessDelegate:\n path: \"CA10__stateName__c\"\n \ \ currentStateMessage: \"Unable to determine EC2 Instances State Name.\ \ Possible permission issue with ec2:DescribeInstanceStatus\"\n# Number of Days.\ \ Nullable. Can't have no access, retrieved via ec2:DescribeInstances\n - name:\ \ \"CA10__currentRunningTime__c\"\n value: \n FIELD:\n path:\ \ \"CA10__currentRunningTime__c\" \n# Nullable.\n - name: \"CA10__averageCpuTwoWeeks__c\"\ \n value: \n FIELD:\n path: \"CA10__averageCpuTwoWeeks__c\" \ \ \n# Nullable.\n - name: \"CA10__maxCpuTwoWeeks__c\"\n value: \n \ \ FIELD:\n path: \"CA10__maxCpuTwoWeeks__c\" \n# Nullable.\n\ \ - name: \"CA10__sumTwoWeekNetworkOutMb__c\"\n value: \n FIELD:\n\ \ path: \"CA10__sumTwoWeekNetworkOutMb__c\" \n# Nullable.\n - name:\ \ \"CA10__sumTwoWeekNetworkInMb__c\"\n value: \n FIELD:\n path:\ \ \"CA10__sumTwoWeekNetworkInMb__c\" \n# Nullable.\n - name: \"CA10__regionName__c\"\ \n value:\n FIELD:\n path: \"CA10__regionName__c\"\n# Values:\ \ paravirtual | hvm. Not nullable. Can't have no access, retrieved via ec2:DescribeInstances\n\ \ - name: \"CA10__virtualizationType__c\"\n value: \n FIELD:\n \ \ path: \"CA10__virtualizationType__c\"\n undeterminedIf:\n \ \ isEmpty: \"Corrupted data. 
EC2 Instances Virtualization Type cannot be\ \ empty.\"\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "isEmptyLookup('CA10__vpcSubnet__r')", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "299", "conditionText" : "extract('CA10__publicIpAddress__c').isNotEmpty()", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "399", "conditionText" : "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "499", "conditionText" : "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT)", "runtimeError" : null } }, { "Id" : "test6", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "599", "conditionText" : "CA10__vpc__r.CA10__routeTables__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test7", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "600", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test8", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "499", "conditionText" : "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT)", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsInstance__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__disappearanceTime__c" : new Date("2024-06-27T15:46:06Z"), "CA10__vpcSubnet__c" : "", "CA10__subnetId__c" : "", "CA10__publicIpAddress__c" 
: "", "Id" : "test1", "CA10__vpc__c" : "" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "", "CA10__subnetId__c" : "", "CA10__publicIpAddress__c" : "", "Id" : "test2", "CA10__vpc__c" : "" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "vpcSubnet3", "CA10__subnetId__c" : "subnetId", "CA10__publicIpAddress__c" : "1.1.1.1.", "Id" : "test3", "CA10__vpc__c" : "vpc3" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "vpcSubnet4", "CA10__subnetId__c" : "subnetId", "CA10__publicIpAddress__c" : "", "Id" : "test4", "CA10__vpc__c" : "vpc4" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "vpcSubnet5", "CA10__subnetId__c" : "subnetId", "CA10__publicIpAddress__c" : "", "Id" : "test5", "CA10__vpc__c" : "vpc5" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "vpcSubnet6", "CA10__subnetId__c" : "subnetId", "CA10__publicIpAddress__c" : "", "Id" : "test6", "CA10__vpc__c" : "vpc6" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "vpcSubnet7", "CA10__subnetId__c" : "subnetId", "CA10__publicIpAddress__c" : "", "Id" : "test7", "CA10__vpc__c" : "vpc7" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpcSubnet__c" : "vpcSubnet8", "CA10__subnetId__c" : "subnetId", "CA10__publicIpAddress__c" : "", "Id" : "test8", "CA10__vpc__c" : "vpc8" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsSubnet__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : null }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpcSubnet3" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpcSubnet4" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, 
"Id" : "vpcSubnet5" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpcSubnet6" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpcSubnet7" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpcSubnet8" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsRouteTableAssociation__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__subnet__c" : "vpcSubnet3", "Id" : "test3_1", "CA10__routeTable__c" : "routeTable3" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__subnet__c" : "vpcSubnet4", "Id" : "test4_1", "CA10__routeTable__c" : "routeTable4" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__subnet__c" : "vpcSubnet5", "Id" : "test5_1", "CA10__routeTable__c" : "routeTable5" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__main__c" : true, "CA10__routeTable__c" : "routeTable6", "Id" : "test6_1" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__main__c" : true, "CA10__routeTable__c" : "routeTable7", "Id" : "test7_1" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__subnet__c" : "vpcSubnet8", "Id" : "test8_1", "CA10__routeTable__c" : "routeTable8" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsRouteTable__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "routeTable3" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "routeTable4" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "routeTable5" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpc__c" : "vpc6", "Id" : "routeTable6" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__vpc__c" : "vpc7", "Id" : 
"routeTable7" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "routeTable8" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsRoute__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__gatewayId__c" : "igw-3", "CA10__routeTable__c" : "routeTable3", "Id" : "test3_1_1" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__gatewayId__c" : "igw-4", "CA10__routeTable__c" : "routeTable4", "Id" : "test4_1_1" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__gatewayId__c" : "gatewayId5", "CA10__routeTable__c" : "routeTable5", "Id" : "test5_1_1" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__gatewayId__c" : "igw-6", "CA10__routeTable__c" : "routeTable6", "Id" : "test6_2" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__gatewayId__c" : "", "CA10__routeTable__c" : "routeTable7", "Id" : "test7_2" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "CA10__disappearanceTime__c" : new Date("2024-07-04T20:36:39Z"), "CA10__gatewayId__c" : "igw-8", "CA10__routeTable__c" : "routeTable8", "Id" : "test8_1_1" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsVpc__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : null }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpc3" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpc4" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpc5" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpc6" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpc7" }, { "context" : { "snapshotTime" : new Date("2024-07-04T20:36:39Z") }, "Id" : "vpc8" } ]; """; CREATE TEMP FUNCTION 
process_CA10__CaAwsInstance__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__vpcSubnet__c STRING, CA10__subnetId__c STRING, CA10__publicIpAddress__c STRING, Id STRING, CA10__vpc__c STRING, CA10__vpcSubnet__r STRUCT< Id STRING, CA10__disappearanceTime__c TIMESTAMP, CA10__routeTableAssociations__r ARRAY >> >, result STRUCT >> >, CA10__vpc__r STRUCT< Id STRING, CA10__routeTables__r ARRAY >>, CA10__routes__r ARRAY >>, result STRUCT >> > >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c
!= null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] if (TextLib.isEmpty(obj.CA10__subnetId__c) || TextLib.isEmpty(obj.CA10__vpcSubnet__c) || obj.CA10__vpcSubnet__r.CA10__disappearanceTime__c != null) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "isEmptyLookup('CA10__vpcSubnet__r')", currentStateMessage: "The instance does not belong to a subnet.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function extract3() { if (!this.out) { this.out = obj.CA10__publicIpAddress__c; } return this.out; }; references1.push('Public IP Address [obj.CA10__publicIpAddress__c]: ' + obj.CA10__publicIpAddress__c); if (TextLib.isNotEmpty(extract3.call(extract3))) { return {status: 'INAPPLICABLE', conditionIndex: 299, conditionText: "extract('CA10__publicIpAddress__c').isNotEmpty()", currentStateMessage: "The instance has a public IP address.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_INCOMPLIANT5 = 0; if (obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r != null) { for (var i6 = 0; i6 < obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r.length; i6++) { if (typeof(obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i6].status) !== 'undefined') { if (obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i6].status == 'INCOMPLIANT') { count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_INCOMPLIANT5 += obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i6].count; } } else { if (obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i6].result.status == 'INCOMPLIANT') {
count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_INCOMPLIANT5 += 1; } } } } // condition[3], conditionIndex:[300..399] references1.push('Related list [CA10__vpcSubnet__r.CA10__routeTableAssociations__r] ' + (count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_INCOMPLIANT5 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status'); if (count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_INCOMPLIANT5 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(INCOMPLIANT)", currentStateMessage: "This EC2 instance is in a public subnet.", currentStateReferences: references1.join('\n'), remediation: "Remove the public route or migrate the instance to a private subnet.", runtimeError: null}; } var count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_COMPLIANT7 = 0; if (obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r != null) { for (var i8 = 0; i8 < obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r.length; i8++) { if (typeof(obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i8].status) !== 'undefined') { if (obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i8].status == 'COMPLIANT') { count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_COMPLIANT7 += obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i8].count; } } else { if (obj.CA10__vpcSubnet__r.CA10__routeTableAssociations__r[i8].result.status == 'COMPLIANT') { count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_COMPLIANT7 += 1; } } } } // condition[4], conditionIndex:[400..499] if (count_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_COMPLIANT7 > 0) { return {status: 'COMPLIANT', conditionIndex: 499, conditionText: "CA10__vpcSubnet__r.CA10__routeTableAssociations__r.has(COMPLIANT)", currentStateMessage: "This EC2 instance is in a private subnet.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } var
count_CA10__vpc__r_CA10__routeTables__r_INCOMPLIANT9 = 0; if (obj.CA10__vpc__r.CA10__routeTables__r != null) { for (var i10 = 0; i10 < obj.CA10__vpc__r.CA10__routeTables__r.length; i10++) { if (typeof(obj.CA10__vpc__r.CA10__routeTables__r[i10].status) !== 'undefined') { if (obj.CA10__vpc__r.CA10__routeTables__r[i10].status == 'INCOMPLIANT') { count_CA10__vpc__r_CA10__routeTables__r_INCOMPLIANT9 += obj.CA10__vpc__r.CA10__routeTables__r[i10].count; } } else { if (obj.CA10__vpc__r.CA10__routeTables__r[i10].result.status == 'INCOMPLIANT') { count_CA10__vpc__r_CA10__routeTables__r_INCOMPLIANT9 += 1; } } } } // condition[5], conditionIndex:[500..599] references1.push('Related list [CA10__vpc__r.CA10__routeTables__r] ' + (count_CA10__vpc__r_CA10__routeTables__r_INCOMPLIANT9 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status'); if (count_CA10__vpc__r_CA10__routeTables__r_INCOMPLIANT9 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 599, conditionText: "CA10__vpc__r.CA10__routeTables__r.has(INCOMPLIANT)", currentStateMessage: "This EC2 instance is in a public subnet.", currentStateReferences: references1.join('\n'), remediation: "Remove the public route or migrate the instance to a private subnet.", runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 600, conditionText: "otherwise", currentStateMessage: "This EC2 instance is not in a private subnet.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """;

-- Evaluates one route table of the instance's VPC.
--   obj          : the route table row plus two related lists, CA10__routeTableAssociations__r
--                  and CA10__routes__r, whose entries carry a per-entry evaluation result.
--   snapshotTime : accepted but not referenced by the JS body.
-- Result:
--   DISAPPEARED  (99)  when CA10__disappearanceTime__c is set;
--   INCOMPLIANT  (199) when at least one association evaluated COMPLIANT (the association
--                      function uses COMPLIANT to mark a main-route-table association) AND
--                      at least one route evaluated INCOMPLIANT (an 'igw' gateway route);
--   INAPPLICABLE (200) otherwise.
-- Counting: an entry that exposes `status` directly contributes its `count`; any other
-- entry contributes 1 when its `result.status` matches. A NULL list counts as zero.
-- NOTE(review): the element types after ARRAY and the field list after RETURNS STRUCT are
-- absent in this copy of the signatures (they read "ARRAY >>" and "RETURNS STRUCT"), which
-- looks like markup stripping; restore them from the generated script before running.
CREATE TEMP FUNCTION process_CA10__vpc__r_CA10__routeTables__r(
  obj STRUCT<
    CA10__disappearanceTime__c TIMESTAMP,
    CA10__vpc__c STRING,
    Id STRING,
    CA10__routeTableAssociations__r ARRAY >>,
    CA10__routes__r ARRAY >>
  >,
  snapshotTime TIMESTAMP
)
RETURNS STRUCT
DETERMINISTIC
LANGUAGE js AS r"""
var references1 = [];
// condition[0], conditionIndex:[0..99]
references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
if (obj.CA10__disappearanceTime__c != null) {
  return {status: 'DISAPPEARED',
          conditionIndex: 99,
          conditionText: "isDisappeared(CA10__disappearanceTime__c)",
          currentStateMessage: "Object is deleted in the source",
          currentStateReferences: references1.join('\n'),
          remediation: null,
          runtimeError: null};
}
var count_CA10__routes__r_INCOMPLIANT3 = 0;
if (obj.CA10__routes__r != null) {
  for (var i4 = 0; i4 < obj.CA10__routes__r.length; i4++) {
    if (typeof(obj.CA10__routes__r[i4].status) !== 'undefined') {
      if (obj.CA10__routes__r[i4].status == 'INCOMPLIANT') {
        count_CA10__routes__r_INCOMPLIANT3 += obj.CA10__routes__r[i4].count;
      }
    } else {
      if (obj.CA10__routes__r[i4].result.status == 'INCOMPLIANT') {
        count_CA10__routes__r_INCOMPLIANT3 += 1;
      }
    }
  }
}
var count_CA10__routeTableAssociations__r_COMPLIANT2 = 0;
if (obj.CA10__routeTableAssociations__r != null) {
  for (var i5 = 0; i5 < obj.CA10__routeTableAssociations__r.length; i5++) {
    if (typeof(obj.CA10__routeTableAssociations__r[i5].status) !== 'undefined') {
      if (obj.CA10__routeTableAssociations__r[i5].status == 'COMPLIANT') {
        count_CA10__routeTableAssociations__r_COMPLIANT2 += obj.CA10__routeTableAssociations__r[i5].count;
      }
    } else {
      if (obj.CA10__routeTableAssociations__r[i5].result.status == 'COMPLIANT') {
        count_CA10__routeTableAssociations__r_COMPLIANT2 += 1;
      }
    }
  }
}
// condition[1], conditionIndex:[100..199]
references1.push('Related list [CA10__routeTableAssociations__r] ' + (count_CA10__routeTableAssociations__r_COMPLIANT2 > 0 ? 'has' : 'does not have') + ' objects in COMPLIANT status');
references1.push('Related list [CA10__routes__r] ' + (count_CA10__routes__r_INCOMPLIANT3 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status');
if (count_CA10__routeTableAssociations__r_COMPLIANT2 > 0 && count_CA10__routes__r_INCOMPLIANT3 > 0) {
  return {status: 'INCOMPLIANT',
          conditionIndex: 199,
          conditionText: "CA10__routeTableAssociations__r.has(COMPLIANT) && CA10__routes__r.has(INCOMPLIANT)",
          currentStateMessage: "This is a Main Route Table with an Internet Gateway route.",
          currentStateReferences: references1.join('\n'),
          remediation: "Remove this route.",
          runtimeError: null};
}
return {status: 'INAPPLICABLE',
        conditionIndex: 200,
        conditionText: "otherwise",
        currentStateMessage: "Custom Route Tables or Main Route Table without Internet Gateway.",
        currentStateReferences: references1.join('\n'),
        remediation: null,
        runtimeError: null};
""";

-- Evaluates one route that belongs to the route table explicitly associated with the
-- instance's subnet.
--   obj          : the route row (gateway id, owning route table id, disappearance time).
--   snapshotTime : accepted but not referenced by the JS body.
-- Result:
--   DISAPPEARED (99)  when CA10__disappearanceTime__c is set;
--   INCOMPLIANT (199) when the normalized gateway id starts with 'igw';
--   COMPLIANT   (200) otherwise.
-- TextLib.normalize maps NULL to '', collapses whitespace, trims and lower-cases, so the
-- prefix test is case-insensitive and a NULL gateway id evaluates COMPLIANT.
-- Only the gateway id prefix is inspected: the input struct carries no destination CIDR or
-- route state, so every non-deleted route targeting an 'igw...' id is flagged. Ids that
-- start with 'eigw' (egress-only internet gateways) do not match this prefix.
CREATE TEMP FUNCTION process_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_CA10__routeTable__r_CA10__routes__r(
  obj STRUCT<
    CA10__disappearanceTime__c TIMESTAMP,
    CA10__gatewayId__c STRING,
    CA10__routeTable__c STRING,
    Id STRING
  >,
  snapshotTime TIMESTAMP
)
RETURNS STRUCT
DETERMINISTIC
LANGUAGE js AS r"""
var TextLib = new function () {
  this.normalize = function(arg) {
    return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase();
  };
  this.isEmpty = function(arg) {
    return this.normalize(arg) == '';
  };
  this.isNotEmpty = function(arg) {
    return this.normalize(arg) != '';
  };
  this.equal = function(left, right) {
    return this.normalize(left) == this.normalize(right);
  };
  this.notEqual = function(left, right) {
    return this.normalize(left) != this.normalize(right);
  };
  this.startsWith = function(arg, substring) {
    return this.normalize(arg).startsWith(this.normalize(substring));
  };
  this.endsWith = function(arg, substring) {
    return this.normalize(arg).endsWith(this.normalize(substring));
  };
  this.contains = function(arg, substring) {
    return this.normalize(arg).includes(this.normalize(substring));
  };
  this.containsAll = function(arg, substrings) {
    if (substrings == null || substrings.length === 0) return false;
    let normalizedArg = this.normalize(arg);
    return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
  };
  this.containsAny = function(arg, substrings) {
    if (substrings == null || substrings.length === 0) return false;
    let normalizedArg = this.normalize(arg);
    return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
  };
}();
var references1 = [];
// condition[0], conditionIndex:[0..99]
references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
if (obj.CA10__disappearanceTime__c != null) {
  return {status: 'DISAPPEARED',
          conditionIndex: 99,
          conditionText: "isDisappeared(CA10__disappearanceTime__c)",
          currentStateMessage: "Object is deleted in the source",
          currentStateReferences: references1.join('\n'),
          remediation: null,
          runtimeError: null};
}
// condition[1], conditionIndex:[100..199]
function extract3() {
  if (!this.out) {
    this.out = obj.CA10__gatewayId__c;
  }
  return this.out;
};
references1.push('Internet Gateway ID [obj.CA10__gatewayId__c]: ' + obj.CA10__gatewayId__c);
if (TextLib.startsWith(extract3.call(extract3), 'igw')) {
  return {status: 'INCOMPLIANT',
          conditionIndex: 199,
          conditionText: "extract('CA10__gatewayId__c').startsWith('igw')",
          currentStateMessage: "This is an Internet Gateway route.",
          currentStateReferences: references1.join('\n'),
          remediation: "Remove this route.",
          runtimeError: null};
}
return {status: 'COMPLIANT',
        conditionIndex: 200,
        conditionText: "otherwise",
        currentStateMessage: "This is not an Internet Gateway route.",
        currentStateReferences: references1.join('\n'),
        remediation: null,
        runtimeError: null};
""";

-- Evaluates one route table association reached through the VPC's route tables.
--   obj          : the association row, including the boolean CA10__main__c.
--   snapshotTime : accepted but not referenced by the JS body.
-- Result:
--   DISAPPEARED  (99)  when CA10__disappearanceTime__c is set;
--   COMPLIANT    (199) when CA10__main__c == true;
--   INAPPLICABLE (200) otherwise, which includes a NULL CA10__main__c.
-- COMPLIANT acts here as a "this is the main route table" marker that
-- process_CA10__vpc__r_CA10__routeTables__r reads; it is not a verdict on exposure.
CREATE TEMP FUNCTION process_CA10__vpc__r_CA10__routeTables__r_CA10__routeTableAssociations__r(
  obj STRUCT<
    CA10__disappearanceTime__c TIMESTAMP,
    CA10__main__c BOOLEAN,
    CA10__routeTable__c STRING,
    Id STRING
  >,
  snapshotTime TIMESTAMP
)
RETURNS STRUCT
DETERMINISTIC
LANGUAGE js AS r"""
var references1 = [];
// condition[0], conditionIndex:[0..99]
references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
if (obj.CA10__disappearanceTime__c != null) {
  return {status: 'DISAPPEARED',
          conditionIndex: 99,
          conditionText: "isDisappeared(CA10__disappearanceTime__c)",
          currentStateMessage: "Object is deleted in the source",
          currentStateReferences: references1.join('\n'),
          remediation: null,
          runtimeError: null};
}
// condition[1], conditionIndex:[100..199]
function extract3() {
  if (!this.out) {
    this.out = obj.CA10__main__c;
  }
  return this.out;
};
references1.push('Main [obj.CA10__main__c]: ' + obj.CA10__main__c);
if (extract3.call(extract3) == true) {
  return {status: 'COMPLIANT',
          conditionIndex: 199,
          conditionText: "extract('CA10__main__c') == true",
          currentStateMessage: "This is a Main Route Table.",
          currentStateReferences: references1.join('\n'),
          remediation: null,
          runtimeError: null};
}
return {status: 'INAPPLICABLE',
        conditionIndex: 200,
        conditionText: "otherwise",
        currentStateMessage: "This is not a Main Route Table.",
        currentStateReferences: references1.join('\n'),
        remediation: null,
        runtimeError: null};
""";

-- Evaluates one explicit route table association of the instance's subnet.
--   obj          : the association row plus CA10__routeTable__r, whose CA10__routes__r list
--                  holds the already-evaluated routes of the associated route table.
--   snapshotTime : accepted but not referenced by the JS body.
-- Result:
--   DISAPPEARED (99)  when CA10__disappearanceTime__c is set;
--   INCOMPLIANT (199) when at least one route in the list evaluated INCOMPLIANT;
--   COMPLIANT   (200) otherwise.
-- NOTE(review): a NULL CA10__routes__r list yields a count of zero and therefore COMPLIANT,
-- so an association whose routes are absent from the input is indistinguishable from one
-- whose route table has no 'igw' route; the instance-level function reports such a subnet
-- as private. Confirm that route data is complete before trusting that verdict.
CREATE TEMP FUNCTION process_CA10__vpcSubnet__r_CA10__routeTableAssociations__r(
  obj STRUCT<
    CA10__disappearanceTime__c TIMESTAMP,
    CA10__subnet__c STRING,
    Id STRING,
    CA10__routeTable__c STRING,
    CA10__routeTable__r STRUCT<
      Id STRING,
      CA10__routes__r ARRAY >>
    >
  >,
  snapshotTime TIMESTAMP
)
RETURNS STRUCT
DETERMINISTIC
LANGUAGE js AS r"""
var references1 = [];
// condition[0], conditionIndex:[0..99]
references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
if (obj.CA10__disappearanceTime__c != null) {
  return {status: 'DISAPPEARED',
          conditionIndex: 99,
          conditionText: "isDisappeared(CA10__disappearanceTime__c)",
          currentStateMessage: "Object is deleted in the source",
          currentStateReferences: references1.join('\n'),
          remediation: null,
          runtimeError: null};
}
var count_CA10__routeTable__r_CA10__routes__r_INCOMPLIANT2 = 0;
if (obj.CA10__routeTable__r.CA10__routes__r != null) {
  for (var i3 = 0; i3 < obj.CA10__routeTable__r.CA10__routes__r.length; i3++) {
    if (typeof(obj.CA10__routeTable__r.CA10__routes__r[i3].status) !== 'undefined') {
      if (obj.CA10__routeTable__r.CA10__routes__r[i3].status == 'INCOMPLIANT') {
        count_CA10__routeTable__r_CA10__routes__r_INCOMPLIANT2 += obj.CA10__routeTable__r.CA10__routes__r[i3].count;
      }
    } else {
      if (obj.CA10__routeTable__r.CA10__routes__r[i3].result.status == 'INCOMPLIANT') {
        count_CA10__routeTable__r_CA10__routes__r_INCOMPLIANT2 += 1;
      }
    }
  }
}
// condition[1], conditionIndex:[100..199]
references1.push('Related list [CA10__routeTable__r.CA10__routes__r] ' + (count_CA10__routeTable__r_CA10__routes__r_INCOMPLIANT2 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status');
if (count_CA10__routeTable__r_CA10__routes__r_INCOMPLIANT2 > 0) {
  return {status: 'INCOMPLIANT',
          conditionIndex: 199,
          conditionText: "CA10__routeTable__r.CA10__routes__r.has(INCOMPLIANT)",
          currentStateMessage: "This subnet route table has an Internet Gateway route.",
          currentStateReferences: references1.join('\n'),
          remediation: "Remove Internet Gateway routes.",
          runtimeError: null};
}
return {status: 'COMPLIANT',
        conditionIndex: 200,
        conditionText: "otherwise",
        currentStateMessage: "This subnet is compliant.",
        currentStateReferences: references1.join('\n'),
        remediation: null,
        runtimeError: null};
""";

-- Evaluates one route that belongs to a route table of the instance's VPC. The body applies
-- the same rule as process_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_CA10__routeTable__r_CA10__routes__r:
--   DISAPPEARED (99)  when CA10__disappearanceTime__c is set;
--   INCOMPLIANT (199) when the normalized gateway id starts with 'igw';
--   COMPLIANT   (200) otherwise.
-- snapshotTime is accepted but not referenced by the JS body. As in the sibling function,
-- destination CIDR and route state are not part of the input and are not considered.
CREATE TEMP FUNCTION process_CA10__vpc__r_CA10__routeTables__r_CA10__routes__r(
  obj STRUCT<
    CA10__disappearanceTime__c TIMESTAMP,
    CA10__gatewayId__c STRING,
    CA10__routeTable__c STRING,
    Id STRING
  >,
  snapshotTime TIMESTAMP
)
RETURNS STRUCT
DETERMINISTIC
LANGUAGE js AS r"""
var TextLib = new function () {
  this.normalize = function(arg) {
    return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase();
  };
  this.isEmpty = function(arg) {
    return this.normalize(arg) == '';
  };
  this.isNotEmpty = function(arg) {
    return this.normalize(arg) != '';
  };
  this.equal = function(left, right) {
    return this.normalize(left) == this.normalize(right);
  };
  this.notEqual = function(left, right) {
    return this.normalize(left) != this.normalize(right);
  };
  this.startsWith = function(arg, substring) {
    return this.normalize(arg).startsWith(this.normalize(substring));
  };
  this.endsWith = function(arg, substring) {
    return this.normalize(arg).endsWith(this.normalize(substring));
  };
  this.contains = function(arg, substring) {
    return this.normalize(arg).includes(this.normalize(substring));
  };
  this.containsAll = function(arg, substrings) {
    if (substrings == null || substrings.length === 0) return false;
    let normalizedArg = this.normalize(arg);
    return substrings.every(sub => normalizedArg.includes(this.normalize(sub)));
  };
  this.containsAny = function(arg, substrings) {
    if (substrings == null || substrings.length === 0) return false;
    let normalizedArg = this.normalize(arg);
    return substrings.some(sub => normalizedArg.includes(this.normalize(sub)));
  };
}();
var references1 = [];
// condition[0], conditionIndex:[0..99]
references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c);
if (obj.CA10__disappearanceTime__c != null) {
  return {status: 'DISAPPEARED',
          conditionIndex: 99,
          conditionText: "isDisappeared(CA10__disappearanceTime__c)",
          currentStateMessage: "Object is deleted in the source",
          currentStateReferences: references1.join('\n'),
          remediation: null,
          runtimeError: null};
}
// condition[1], conditionIndex:[100..199]
function extract3() {
  if (!this.out) {
    this.out = obj.CA10__gatewayId__c;
  }
  return this.out;
};
references1.push('Internet Gateway ID [obj.CA10__gatewayId__c]: ' + obj.CA10__gatewayId__c);
if (TextLib.startsWith(extract3.call(extract3), 'igw')) {
  return {status: 'INCOMPLIANT',
          conditionIndex: 199,
          conditionText: "extract('CA10__gatewayId__c').startsWith('igw')",
          currentStateMessage: "This is an Internet Gateway route.",
          currentStateReferences: references1.join('\n'),
          remediation: "Remove this route.",
          runtimeError: null};
}
return {status: 'COMPLIANT',
        conditionIndex: 200,
        conditionText: "otherwise",
        currentStateMessage: "This is not an Internet Gateway route.",
        currentStateReferences: references1.join('\n'),
        remediation: null,
        runtimeError: null};
""";

-- Test harness query: one output row per expected result, compared with the verdict the
-- policy functions compute for the mock instance that has the same Id.
-- The mock_* functions are not defined in this part of the script.
SELECT
  expectedResult.Id as Id,
  -- MATCH only when status, conditionIndex, conditionText and runtimeError all agree.
  -- IFNULL folds NULL into '' (or -1), so NULL and '' compare equal, and an expected Id
  -- with no computed row is compared against those defaults.
  IF (
    IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '')
    AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1)
    AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '')
    AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''),
    "MATCH",
    "FAIL"
  ) as match,
  expectedResult.expectedResult.status as expectedStatus,
  sObject.result.status as actualStatus,
  expectedResult.expectedResult.conditionIndex as expectedConditionIndex,
  sObject.result.conditionIndex as actualConditionIndex,
  expectedResult.expectedResult.conditionText as expectedConditionText,
  sObject.result.conditionText as actualConditionText,
  expectedResult.expectedResult.runtimeError as expectedRuntimeError,
  sObject.result.runtimeError as actualRuntimeError
FROM UNNEST(mock_ExpectedResult()) expectedResult
LEFT JOIN (
  -- Instance level: each mock instance with its subnet and VPC lookups attached, evaluated
  -- by process_CA10__CaAwsInstance__c.
  SELECT
    sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
    sObject.CA10__vpcSubnet__c AS CA10__vpcSubnet__c,
    sObject.CA10__subnetId__c AS CA10__subnetId__c,
    sObject.CA10__publicIpAddress__c AS CA10__publicIpAddress__c,
    sObject.Id AS Id,
    sObject.CA10__vpc__c AS CA10__vpc__c,
    STRUCT (
      `CA10__vpcSubnet__r`.Id AS Id,
      `CA10__vpcSubnet__r`.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
      `CA10__vpcSubnet__r.CA10__routeTableAssociations__r`.arr AS CA10__routeTableAssociations__r
    ) AS CA10__vpcSubnet__r,
    STRUCT (
      `CA10__vpc__r`.Id AS Id,
      `CA10__vpc__r.CA10__routeTables__r`.arr AS CA10__routeTables__r
    ) AS CA10__vpc__r,
    process_CA10__CaAwsInstance__c(
      STRUCT(
        sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
        sObject.CA10__vpcSubnet__c AS CA10__vpcSubnet__c,
        sObject.CA10__subnetId__c AS CA10__subnetId__c,
        sObject.CA10__publicIpAddress__c AS CA10__publicIpAddress__c,
        sObject.Id AS Id,
        sObject.CA10__vpc__c AS CA10__vpc__c,
        STRUCT (
          `CA10__vpcSubnet__r`.Id AS Id,
          `CA10__vpcSubnet__r`.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          `CA10__vpcSubnet__r.CA10__routeTableAssociations__r`.arr AS CA10__routeTableAssociations__r
        ) AS CA10__vpcSubnet__r,
        STRUCT (
          `CA10__vpc__r`.Id AS Id,
          `CA10__vpc__r.CA10__routeTables__r`.arr AS CA10__routeTables__r
        ) AS CA10__vpc__r
      ),
      sObject.context.snapshotTime
    ) as result
  FROM UNNEST(mock_CA10__CaAwsInstance__c()) AS sObject
  LEFT JOIN UNNEST(mock_CA10__CaAwsSubnet__c()) AS `CA10__vpcSubnet__r`
    ON sObject.CA10__vpcSubnet__c = `CA10__vpcSubnet__r`.Id
  LEFT JOIN UNNEST(mock_CA10__CaAwsVpc__c()) AS `CA10__vpc__r`
    ON sObject.CA10__vpc__c = `CA10__vpc__r`.Id
  LEFT JOIN (
    -- Explicit-association path: route table associations grouped per subnet, each one
    -- evaluated together with the routes of its route table.
    SELECT
      sObject.CA10__subnet__c,
      ARRAY_AGG(
        STRUCT(
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.CA10__subnet__c AS CA10__subnet__c,
          sObject.Id AS Id,
          sObject.CA10__routeTable__c AS CA10__routeTable__c,
          STRUCT (
            `CA10__routeTable__r`.Id AS Id,
            `CA10__routeTable__r.CA10__routes__r`.arr AS CA10__routes__r
          ) AS CA10__routeTable__r,
          process_CA10__vpcSubnet__r_CA10__routeTableAssociations__r(
            STRUCT(
              sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
              sObject.CA10__subnet__c AS CA10__subnet__c,
              sObject.Id AS Id,
              sObject.CA10__routeTable__c AS CA10__routeTable__c,
              STRUCT (
                `CA10__routeTable__r`.Id AS Id,
                `CA10__routeTable__r.CA10__routes__r`.arr AS CA10__routes__r
              ) AS CA10__routeTable__r
            ),
            sObject.context.snapshotTime
          ) as result
        )
      ) AS arr
    FROM UNNEST(mock_CA10__CaAwsRouteTableAssociation__c()) AS sObject
    LEFT JOIN UNNEST(mock_CA10__CaAwsRouteTable__c()) AS `CA10__routeTable__r`
      ON sObject.CA10__routeTable__c = `CA10__routeTable__r`.Id
    LEFT JOIN (
      -- Routes grouped per route table, each evaluated for an 'igw' gateway id.
      SELECT
        sObject.CA10__routeTable__c,
        ARRAY_AGG(
          STRUCT(
            sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
            sObject.CA10__gatewayId__c AS CA10__gatewayId__c,
            sObject.CA10__routeTable__c AS CA10__routeTable__c,
            sObject.Id AS Id,
            process_CA10__vpcSubnet__r_CA10__routeTableAssociations__r_CA10__routeTable__r_CA10__routes__r(
              STRUCT(
                sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                sObject.CA10__gatewayId__c AS CA10__gatewayId__c,
                sObject.CA10__routeTable__c AS CA10__routeTable__c,
                sObject.Id AS Id
              ),
              sObject.context.snapshotTime
            ) as result
          )
        ) AS arr
      FROM UNNEST(mock_CA10__CaAwsRoute__c()) AS sObject
      GROUP BY sObject.CA10__routeTable__c
    ) AS `CA10__routeTable__r.CA10__routes__r`
      ON `CA10__routeTable__r`.Id = `CA10__routeTable__r.CA10__routes__r`.CA10__routeTable__c
    GROUP BY sObject.CA10__subnet__c
  ) AS `CA10__vpcSubnet__r.CA10__routeTableAssociations__r`
    ON `CA10__vpcSubnet__r`.Id = `CA10__vpcSubnet__r.CA10__routeTableAssociations__r`.CA10__subnet__c
  LEFT JOIN (
    -- VPC path: route tables grouped per VPC, each evaluated with its associations (to
    -- recognise the main route table) and its routes.
    SELECT
      sObject.CA10__vpc__c,
      ARRAY_AGG(
        STRUCT(
          sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
          sObject.CA10__vpc__c AS CA10__vpc__c,
          sObject.Id AS Id,
          `CA10__routeTableAssociations__r`.arr AS CA10__routeTableAssociations__r,
          `CA10__routes__r`.arr AS CA10__routes__r,
          process_CA10__vpc__r_CA10__routeTables__r(
            STRUCT(
              sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
              sObject.CA10__vpc__c AS CA10__vpc__c,
              sObject.Id AS Id,
              `CA10__routeTableAssociations__r`.arr AS CA10__routeTableAssociations__r,
              `CA10__routes__r`.arr AS CA10__routes__r
            ),
            sObject.context.snapshotTime
          ) as result
        )
      ) AS arr
    FROM UNNEST(mock_CA10__CaAwsRouteTable__c()) AS sObject
    LEFT JOIN (
      -- Associations grouped per route table, each evaluated for the main flag.
      SELECT
        sObject.CA10__routeTable__c,
        ARRAY_AGG(
          STRUCT(
            sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
            sObject.CA10__main__c AS CA10__main__c,
            sObject.CA10__routeTable__c AS CA10__routeTable__c,
            sObject.Id AS Id,
            process_CA10__vpc__r_CA10__routeTables__r_CA10__routeTableAssociations__r(
              STRUCT(
                sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                sObject.CA10__main__c AS CA10__main__c,
                sObject.CA10__routeTable__c AS CA10__routeTable__c,
                sObject.Id AS Id
              ),
              sObject.context.snapshotTime
            ) as result
          )
        ) AS arr
      FROM UNNEST(mock_CA10__CaAwsRouteTableAssociation__c()) AS sObject
      GROUP BY sObject.CA10__routeTable__c
    ) AS `CA10__routeTableAssociations__r`
      ON sObject.Id = `CA10__routeTableAssociations__r`.CA10__routeTable__c
    LEFT JOIN (
      -- Routes grouped per route table, each evaluated for an 'igw' gateway id.
      SELECT
        sObject.CA10__routeTable__c,
        ARRAY_AGG(
          STRUCT(
            sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
            sObject.CA10__gatewayId__c AS CA10__gatewayId__c,
            sObject.CA10__routeTable__c AS CA10__routeTable__c,
            sObject.Id AS Id,
            process_CA10__vpc__r_CA10__routeTables__r_CA10__routes__r(
              STRUCT(
                sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c,
                sObject.CA10__gatewayId__c AS CA10__gatewayId__c,
                sObject.CA10__routeTable__c AS CA10__routeTable__c,
                sObject.Id AS Id
              ),
              sObject.context.snapshotTime
            ) as result
          )
        ) AS arr
      FROM UNNEST(mock_CA10__CaAwsRoute__c()) AS sObject
      GROUP BY sObject.CA10__routeTable__c
    ) AS `CA10__routes__r`
      ON sObject.Id = `CA10__routes__r`.CA10__routeTable__c
    GROUP BY sObject.CA10__vpc__c
  ) AS `CA10__vpc__r.CA10__routeTables__r`
    ON `CA10__vpc__r`.Id = `CA10__vpc__r.CA10__routeTables__r`.CA10__vpc__c
) sObject
  ON sObject.Id = expectedResult.Id;