--- policy: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic logic: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml executionTime: 2026-05-09T12:02:31.124593506Z generationMs: 83 executionMs: 2970 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('Name') != 'default' actual: extract('Name') != 'default' runtimeError: {} - id: test3 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) && CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT) actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) && CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT) runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) actual: CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) runtimeError: {} - id: test5 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 499 actual: 499 conditionText: expected: CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT) actual: CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT) runtimeError: {} - id: test6 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 500 actual: 500 conditionText: expected: otherwise actual: otherwise runtimeError: {} - id: test7 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('Name') != 'default' actual: extract('Name') != 'default' runtimeError: {} usedFiles: - path: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/policy.yaml md5Hash: FBC6F183DD8D6B5AFC37567ABB23939B content: | --- names: full: AWS EC2 Default Security Group does not restrict all traffic contextual: Default Security Group does not restrict all traffic description: "VPC comes with a default security group whose initial settings deny\ \ all inbound traffic, allow all outbound traffic, and allow all traffic between\ \ instances assigned to the security group. If you don't specify a security group\ \ when you launch an instance, the instance is automatically assigned to this default\ \ security group. Security groups provide stateful filtering of ingress/egress network\ \ traffic to AWS resources. It is recommended that the default security group restrict\ \ all traffic." type: COMPLIANCE_POLICY categories: - SECURITY frameworkMappings: - "/frameworks/cis-aws-v7.0.0/06/05" - "/frameworks/cloudaware/resource-security/network-exposure" - "/frameworks/aws-fsbp-v1.0.0/ec2/02" similarPolicies: internal: - dec-x-ecd99f88 cloudConformity: - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/EC2/default-security-group-unrestricted.html name: Default Security Group Unrestricted - path: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/prod.logic.yaml md5Hash: 515C1ABC6336891AD01210F80ED2084F content: "---\ninputType: \"CA10__CaAwsSecurityGroup__c\"\ntestData:\n - file:\ \ \"test-data.json\"\nimportExtracts:\n - file: \"/types/CA10__CaAwsSecurityGroup__c/object.extracts.yaml\"\ \nconditions:\n - status: \"INAPPLICABLE\"\n currentStateMessage: \"This\ \ is not a default security group.\"\n check:\n NOT_EQUAL:\n \ \ left:\n EXTRACT: \"Name\"\n right:\n TEXT: \"default\"\ \n - status: \"INCOMPLIANT\"\n currentStateMessage: \"This default security\ \ group doesn't restrict all traffic and is attached to an EC2 instance.\"\n\ \ remediationMessage: \"Remove all rules from this security group and detach\ \ it from all EC2 instances to restrict all traffic.\"\n check:\n AND:\n\ \ args:\n - RELATED_LIST_HAS:\n status: \"INCOMPLIANT\"\ \n relationshipName: \"CA10__AWS_EC2_Security_Group_Rules__r\"\n\ \ - RELATED_LIST_HAS:\n status: \"INCOMPLIANT\"\n \ \ relationshipName: \"CA10__AWS_EC2_Instance_FWs__r\"\n - status:\ \ \"INCOMPLIANT\"\n currentStateMessage: \"This default security group doesn't\ \ restrict all traffic.\"\n remediationMessage: \"Remove all rules from this\ \ security group to restrict all traffic.\"\n check:\n RELATED_LIST_HAS:\n\ \ status: \"INCOMPLIANT\"\n relationshipName: \"CA10__AWS_EC2_Security_Group_Rules__r\"\ \n - status: \"INCOMPLIANT\"\n currentStateMessage: \"This default security\ \ group is attached to an EC2 instance.\"\n remediationMessage: \"Remove\ \ the default security group from all EC2 instances.\"\n check:\n RELATED_LIST_HAS:\n\ \ status: \"INCOMPLIANT\"\n relationshipName: \"CA10__AWS_EC2_Instance_FWs__r\"\ \notherwise:\n status: \"COMPLIANT\"\n currentStateMessage: \"The default\ \ security group restricts all traffic.\"\nrelatedLists: \n - relationshipName:\ \ \"CA10__AWS_EC2_Security_Group_Rules__r\"\n conditions: []\n otherwise:\n\ \ status: \"INCOMPLIANT\"\n currentStateMessage: \"This is a security\ \ group rule.\"\n remediationMessage: \"Remove this rule.\"\n - relationshipName:\ \ \"CA10__AWS_EC2_Instance_FWs__r\"\n conditions: []\n otherwise:\n \ \ status: \"INCOMPLIANT\"\n currentStateMessage: \"This security group\ \ is attached to an EC2 instance.\"\n remediationMessage: \"Remove the\ \ default security group from the EC2 instance.\"\n" - path: /ce/ca/aws/ec2/default-security-group-does-not-restrict-all-traffic/test-data.json md5Hash: 37B04986D084BE0C7061311BAC7AE919 content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-05-22T14:54:33Z", "Name": "default", "CA10__AWS_EC2_Security_Group_Rules__r": [], "CA10__AWS_EC2_Instance_FWs__r": [] }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('Name') != 'default'", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "Name": "security-group-1", "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test2_1", "CA10__disappearanceTime__c": null, "CA10__securityGroup__c": "test2" } ], "CA10__AWS_EC2_Instance_FWs__r": [ { "Id": "test2_2", "CA10__disappearanceTime__c": null, "CA10__securityGroup__c": "test2" } ] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) && CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "Name": "default", "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test3_1", "CA10__disappearanceTime__c": null, "CA10__securityGroup__c": "test3" } ], "CA10__AWS_EC2_Instance_FWs__r": [ { "Id": "test3_2", "CA10__disappearanceTime__c": null, "CA10__securityGroup__c": "test3" } ] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "399", "conditionText": "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "Name": "default", "CA10__AWS_EC2_Security_Group_Rules__r": [ { "Id": "test4_1", "CA10__disappearanceTime__c": null, "CA10__securityGroup__c": "test4" } ], "CA10__AWS_EC2_Instance_FWs__r": [] }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "499", "conditionText": "CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT)", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "Name": "default", "CA10__AWS_EC2_Security_Group_Rules__r": [], "CA10__AWS_EC2_Instance_FWs__r": [ { "Id": "test5_1", "CA10__disappearanceTime__c": null, "CA10__securityGroup__c": "test5" } ] }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "500", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test6", "CA10__disappearanceTime__c": null, "Name": "default", "CA10__AWS_EC2_Security_Group_Rules__r": [], "CA10__AWS_EC2_Instance_FWs__r": [] }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('Name') != 'default'", "runtimeError": null }, "context": { "snapshotTime": "2024-05-29T17:32:24Z" }, "Id": "test7", "CA10__disappearanceTime__c": null, "Name": "security-group-1", "CA10__AWS_EC2_Security_Group_Rules__r": [], "CA10__AWS_EC2_Instance_FWs__r": [] } ] - path: /types/CA10__CaAwsSecurityGroup__c/object.extracts.yaml md5Hash: A2471F2057DC88C21DECC644AE04DF58 content: "---\nextracts:\n# Not nullable. Can't have no access, retrieved via\ \ ec2:DescribeSecurityGroups\n - name: \"Name\"\n value: \n FIELD:\n\ \ path: \"Name\"\n undeterminedIf:\n isEmpty: \"Corrupted\ \ data. Security Group name cannot be empty.\"" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('Name') != 'default'", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) && CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "399", "conditionText" : "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "499", "conditionText" : "CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT)", "runtimeError" : null } }, { "Id" : "test6", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "500", "conditionText" : "otherwise", "runtimeError" : null } }, { "Id" : "test7", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('Name') != 'default'", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsSecurityGroup__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__disappearanceTime__c" : new Date("2024-05-22T14:54:33Z"), "Name" : "default", "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "Name" : "security-group-1", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "Name" : "default", "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "Name" : "default", "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "Name" : "default", "Id" : "test5" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "Name" : "default", "Id" : "test6" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "Name" : "security-group-1", "Id" : "test7" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsSecurityGroupRule2__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__securityGroup__c" : "test2", "Id" : "test2_1" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__securityGroup__c" : "test3", "Id" : "test3_1" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__securityGroup__c" : "test4", "Id" : "test4_1" } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsInstanceSecurityGroupLink2__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__securityGroup__c" : "test2", "Id" : "test2_2" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__securityGroup__c" : "test3", "Id" : "test3_2" }, { "context" : { "snapshotTime" : new Date("2024-05-29T17:32:24Z") }, "CA10__securityGroup__c" : "test5", "Id" : "test5_1" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsSecurityGroup__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, Name STRING, Id STRING, CA10__AWS_EC2_Security_Group_Rules__r ARRAY >>, CA10__AWS_EC2_Instance_FWs__r ARRAY >> >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.Name)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "Name.isEmpty()", currentStateMessage: "Corrupted data. Security Group name cannot be empty.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.Name; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Security Group Name [obj.Name]: ' + obj.Name); try { if (TextLib.notEqual(extract3.call(extract3), 'default')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('Name') != 'default'", currentStateMessage: "This is not a default security group.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } var count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 = 0; if (obj.CA10__AWS_EC2_Instance_FWs__r != null) { for (var i7 = 0; i7 < obj.CA10__AWS_EC2_Instance_FWs__r.length; i7++) { if (typeof(obj.CA10__AWS_EC2_Instance_FWs__r[i7].status) !== 'undefined') { if (obj.CA10__AWS_EC2_Instance_FWs__r[i7].status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 += obj.CA10__AWS_EC2_Instance_FWs__r[i7].count; } } else { if (obj.CA10__AWS_EC2_Instance_FWs__r[i7].result.status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 += 1; } } } } var count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 = 0; if (obj.CA10__AWS_EC2_Security_Group_Rules__r != null) { for (var i8 = 0; i8 < obj.CA10__AWS_EC2_Security_Group_Rules__r.length; i8++) { if (typeof(obj.CA10__AWS_EC2_Security_Group_Rules__r[i8].status) !== 'undefined') { if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i8].status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 += obj.CA10__AWS_EC2_Security_Group_Rules__r[i8].count; } } else { if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i8].result.status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 += 1; } } } } // condition[2], conditionIndex:[200..299] references1.push('Related list [CA10__AWS_EC2_Security_Group_Rules__r] ' + (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status'); references1.push('Related list [CA10__AWS_EC2_Instance_FWs__r] ' + (count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 > 0 ? 'has' : 'does not have') + ' objects in INCOMPLIANT status'); if (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 > 0 && count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT) && CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT)", currentStateMessage: "This default security group doesn't restrict all traffic and is attached to an EC2 instance.", currentStateReferences: references1.join('\n'), remediation: "Remove all rules from this security group and detach it from all EC2 instances to restrict all traffic.", runtimeError: null}; } var count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 = 0; if (obj.CA10__AWS_EC2_Security_Group_Rules__r != null) { for (var i9 = 0; i9 < obj.CA10__AWS_EC2_Security_Group_Rules__r.length; i9++) { if (typeof(obj.CA10__AWS_EC2_Security_Group_Rules__r[i9].status) !== 'undefined') { if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i9].status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 += obj.CA10__AWS_EC2_Security_Group_Rules__r[i9].count; } } else { if (obj.CA10__AWS_EC2_Security_Group_Rules__r[i9].result.status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 += 1; } } } } // condition[3], conditionIndex:[300..399] if (count_CA10__AWS_EC2_Security_Group_Rules__r_INCOMPLIANT5 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "CA10__AWS_EC2_Security_Group_Rules__r.has(INCOMPLIANT)", currentStateMessage: "This default security group doesn't restrict all traffic.", currentStateReferences: references1.join('\n'), remediation: "Remove all rules from this security group to restrict all traffic.", runtimeError: null}; } var count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 = 0; if (obj.CA10__AWS_EC2_Instance_FWs__r != null) { for (var i10 = 0; i10 < obj.CA10__AWS_EC2_Instance_FWs__r.length; i10++) { if (typeof(obj.CA10__AWS_EC2_Instance_FWs__r[i10].status) !== 'undefined') { if (obj.CA10__AWS_EC2_Instance_FWs__r[i10].status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 += obj.CA10__AWS_EC2_Instance_FWs__r[i10].count; } } else { if (obj.CA10__AWS_EC2_Instance_FWs__r[i10].result.status == 'INCOMPLIANT') { count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 += 1; } } } } // condition[4], conditionIndex:[400..499] if (count_CA10__AWS_EC2_Instance_FWs__r_INCOMPLIANT6 > 0) { return {status: 'INCOMPLIANT', conditionIndex: 499, conditionText: "CA10__AWS_EC2_Instance_FWs__r.has(INCOMPLIANT)", currentStateMessage: "This default security group is attached to an EC2 instance.", currentStateReferences: references1.join('\n'), remediation: "Remove the default security group from all EC2 instances.", runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 500, conditionText: "otherwise", currentStateMessage: "The default security group restricts all traffic.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__AWS_EC2_Instance_FWs__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__securityGroup__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'INCOMPLIANT', conditionIndex: 100, conditionText: "otherwise", currentStateMessage: "This security group is attached to an EC2 instance.", currentStateReferences: references1.join('\n'), remediation: "Remove the default security group from the EC2 instance.", runtimeError: null}; """; CREATE TEMP FUNCTION process_CA10__AWS_EC2_Security_Group_Rules__r( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__securityGroup__c STRING, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'INCOMPLIANT', conditionIndex: 100, conditionText: "otherwise", currentStateMessage: "This is a security group rule.", currentStateReferences: references1.join('\n'), remediation: "Remove this rule.", runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.Name AS Name, sObject.Id AS Id, `CA10__AWS_EC2_Security_Group_Rules__r`.arr AS CA10__AWS_EC2_Security_Group_Rules__r, `CA10__AWS_EC2_Instance_FWs__r`.arr AS CA10__AWS_EC2_Instance_FWs__r, process_CA10__CaAwsSecurityGroup__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.Name AS Name, sObject.Id AS Id, `CA10__AWS_EC2_Security_Group_Rules__r`.arr AS CA10__AWS_EC2_Security_Group_Rules__r, `CA10__AWS_EC2_Instance_FWs__r`.arr AS CA10__AWS_EC2_Instance_FWs__r ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsSecurityGroup__c()) AS sObject LEFT JOIN ( SELECT sObject.CA10__securityGroup__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__securityGroup__c AS CA10__securityGroup__c, sObject.Id AS Id, process_CA10__AWS_EC2_Security_Group_Rules__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__securityGroup__c AS CA10__securityGroup__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsSecurityGroupRule2__c()) AS sObject GROUP BY sObject.CA10__securityGroup__c ) AS `CA10__AWS_EC2_Security_Group_Rules__r` ON sObject.Id = `CA10__AWS_EC2_Security_Group_Rules__r`.CA10__securityGroup__c LEFT JOIN ( SELECT sObject.CA10__securityGroup__c, ARRAY_AGG( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__securityGroup__c AS CA10__securityGroup__c, sObject.Id AS Id, process_CA10__AWS_EC2_Instance_FWs__r( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__securityGroup__c AS CA10__securityGroup__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result ) ) AS arr FROM UNNEST(mock_CA10__CaAwsInstanceSecurityGroupLink2__c()) AS sObject GROUP BY sObject.CA10__securityGroup__c ) AS `CA10__AWS_EC2_Instance_FWs__r` ON sObject.Id = `CA10__AWS_EC2_Instance_FWs__r`.CA10__securityGroup__c ) sObject ON sObject.Id = expectedResult.Id;