From f1ca50ef7cbc780b0c4c3be3ab8e7372f84c24eb Mon Sep 17 00:00:00 2001
From: Nikita Pivkin
Date: Thu, 5 Dec 2024 17:15:12 +0600
Subject: [PATCH] fix checks related to security groups
Signed-off-by: Nikita Pivkin
---
 ...add_description_to_security_group_rule.rego | 18 +++++++++++++++++-
 .../add_description_for_security_group.rego | 11 +++++++++++
 .../add_description_to_security_group.rego | 14 +++++++++++++-
 .../add_description_to_security_group.rego | 8 +++++++-
 ...add_description_to_security_group_rule.rego | 7 ++++++-
 .../add_description_to_nas_security_group.rego | 13 +++++++++++--
 .../add_description_to_db_security_group.rego | 2 ++
 .../add_description_to_security_group.rego | 7 ++++++-
 8 files changed, 73 insertions(+), 7 deletions(-)
diff --git a/checks/cloud/aws/ec2/add_description_to_security_group_rule.rego b/checks/cloud/aws/ec2/add_description_to_security_group_rule.rego
index 07da5d95..fdd01338 100644
--- a/checks/cloud/aws/ec2/add_description_to_security_group_rule.rego
+++ b/checks/cloud/aws/ec2/add_description_to_security_group_rule.rego
@@ -41,12 +41,18 @@ import rego.v1
 import data.lib.cloud.metadata
 import data.lib.cloud.value
-deny contains res if {
+rules := [
+rule |
 some group in input.aws.ec2.securitygroups
 some rule in array.concat(
 object.get(group, "egressrules", []),
 object.get(group, "ingressrules", []),
 )
+]
+
+deny contains res if {
+ some rule in rules
+ isManaged(rule)
 without_description(rule)
 res := result.new(
 "Security group rule does not have a description.",
@@ -54,6 +60,16 @@ deny contains res if {
 )
 }
+deny contains res if {
+ some rule in rules
+ isManaged(rule)
+ rule.description.value == "Managed by Terraform"
+ res := result.new(
+ "Security group explicitly uses the default description.",
+ rule.description,
+ )
+}
+
 without_description(rule) if value.is_empty(rule.description)
 without_description(rule) if not rule.description
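Review bot: The message of the new `deny` rule in the second hunk reads `"Security group explicitly uses the default description."`, but the rule iterates `rules` (the flattened ingress/egress rules, not the groups) and the sibling finding in this file says `"Security group rule does not have a description."`; the new text should name the rule as well, e.g. `"Security group rule explicitly uses the default description."`. `isManaged(rule)` is neither defined nor imported in any hunk of this patch, so it is presumably a builtin supplied by the evaluation engine; a one-line comment at its first use here (and in the other seven files, which add the same guard) would save the next reader a search. The `rules` comprehension in the first hunk also deserves a header comment such as `# every ingress and egress rule of every security group, flattened` above `rules := [`.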
diff --git a/checks/cloud/aws/elasticache/add_description_for_security_group.rego b/checks/cloud/aws/elasticache/add_description_for_security_group.rego
index befa300f..91c20f4f 100644
--- a/checks/cloud/aws/elasticache/add_description_for_security_group.rego
+++ b/checks/cloud/aws/elasticache/add_description_for_security_group.rego
@@ -39,6 +39,7 @@ import data.lib.cloud.value
 deny contains res if {
 some secgroup in input.aws.elasticache.securitygroups
+ isManaged(secgroup)
 without_description(secgroup)
 res := result.new(
 "Security group does not have a description.",
@@ -46,6 +47,16 @@ deny contains res if {
 )
 }
+deny contains res if {
+ some secgroup in input.aws.elasticache.securitygroups
+ isManaged(secgroup)
+ secgroup.description.value == "Managed by Terraform"
+ res := result.new(
+ "Security group explicitly uses the default description.",
+ secgroup.description,
+ )
+}
+
 without_description(sg) if value.is_empty(sg.description)
 without_description(sg) if not sg.description
diff --git a/checks/cloud/aws/redshift/add_description_to_security_group.rego b/checks/cloud/aws/redshift/add_description_to_security_group.rego
index 4e6319d2..3c431851 100644
--- a/checks/cloud/aws/redshift/add_description_to_security_group.rego
+++ b/checks/cloud/aws/redshift/add_description_to_security_group.rego
@@ -29,14 +29,26 @@ package builtin.aws.redshift.aws0083
 import rego.v1
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 deny contains res if {
 some group in input.aws.redshift.securitygroups
+ isManaged(group)
 without_description(group)
 res := result.new(
 "Security group has no description.",
- object.get(group, "description", group),
+ metadata.obj_by_path(group, ["description"]),
+ )
+}
+
+deny contains res if {
+ some group in input.aws.redshift.securitygroups
+ isManaged(group)
+ group.description.value == "Managed by Terraform"
+ res := result.new(
+ "Security group explicitly uses the default description.",
+ group.description,
 )
 }
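Review bot: The literal `"Managed by Terraform"` in the new redshift `deny` rule is the sixth copy of the same string in this patch (elasticache above, ec2, and the three nifcloud files), with no comment saying where the value comes from; a shared predicate in the already-imported `value` library, for example `value.is_default_description(d) if d.value == "Managed by Terraform"` (constructed name), would keep the provider default in one place and let each rule body read `value.is_default_description(group.description)`. Until then, a comment such as `# Terraform's default description for this resource; treated as "no description"` above the comparison would document the intent. The elasticache hunk above has the same duplication.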
diff --git a/checks/cloud/nifcloud/computing/add_description_to_security_group.rego b/checks/cloud/nifcloud/computing/add_description_to_security_group.rego
index 1f75460d..fab8ca2f 100644
--- a/checks/cloud/nifcloud/computing/add_description_to_security_group.rego
+++ b/checks/cloud/nifcloud/computing/add_description_to_security_group.rego
@@ -34,16 +34,22 @@ package builtin.nifcloud.computing.nifcloud0002
 import rego.v1
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 deny contains res if {
 some sg in input.nifcloud.computing.securitygroups
+ isManaged(sg)
 without_description(sg)
- res := result.new("Security group does not have a description.", sg.description)
+ res := result.new(
+ "Security group does not have a description.",
+ metadata.obj_by_path(sg, ["description"]),
+ )
 }
 deny contains res if {
 some sg in input.nifcloud.computing.securitygroups
+ isManaged(sg)
 sg.description.value == "Managed by Terraform"
 res := result.new("Security group explicitly uses the default description.", sg.description)
 }
diff --git a/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.rego b/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.rego
index b285ca0a..972393b7 100644
--- a/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.rego
+++ b/checks/cloud/nifcloud/computing/add_description_to_security_group_rule.rego
@@ -37,13 +37,18 @@ import rego.v1
 import data.lib.cloud.metadata
 import data.lib.cloud.value
-deny contains res if {
+rules := [
+rule |
 some sg in input.nifcloud.computing.securitygroups
 some rule in array.concat(
 object.get(sg, "ingressrules", []),
 object.get(sg, "egressrules", []),
 )
+]
+deny contains res if {
+ some rule in rules
+ isManaged(rule)
 without_description(rule)
 res := result.new(
 "Security group rule does not have a description.",
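Review bot: In the computing security-group hunk the first `result.new(...)` call is reformatted onto four lines while the second rule's `res := result.new("Security group explicitly uses the default description.", sg.description)` stays on one line; the NAS file in this patch reformats both, so this file should match it for consistency. In the security-group-rule hunk there is no blank line between `+]` and `+deny contains res if {`, unlike the ec2 rule file in this patch, which separates the comprehension from the rule with an empty line; I would expect `opa fmt` to flag this, so it is worth adding before merge. The `deny` body in that hunk continues beyond the hunk's last line.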
diff --git a/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.rego b/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.rego
index 031532d7..66cbb1d4 100644
--- a/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.rego
+++ b/checks/cloud/nifcloud/nas/add_description_to_nas_security_group.rego
@@ -34,18 +34,27 @@ package builtin.nifcloud.nas.nifcloud0015
 import rego.v1
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 deny contains res if {
 some sg in input.nifcloud.nas.nassecuritygroups
+ isManaged(sg)
 without_description(sg)
- res := result.new("NAS security group does not have a description.", sg.description)
+ res := result.new(
+ "NAS security group does not have a description.",
+ metadata.obj_by_path(sg, ["description"]),
+ )
 }
 deny contains res if {
 some sg in input.nifcloud.nas.nassecuritygroups
+ isManaged(sg)
 sg.description.value == "Managed by Terraform"
- res := result.new("NAS security group explicitly uses the default description.", sg.description)
+ res := result.new(
+ "NAS security group explicitly uses the default description.",
+ sg.description,
+ )
 }
 without_description(sg) if value.is_empty(sg.description)
diff --git a/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.rego b/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.rego
index 745ccb38..75baa479 100644
--- a/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.rego
+++ b/checks/cloud/nifcloud/rdb/add_description_to_db_security_group.rego
@@ -38,12 +38,14 @@ import data.lib.cloud.value
 deny contains res if {
 some sg in input.nifcloud.rdb.dbsecuritygroups
+ isManaged(sg)
 without_description(sg)
 res := result.new("DB security group does not have a description.", sg.description)
 }
 deny contains res if {
 some sg in input.nifcloud.rdb.dbsecuritygroups
+ isManaged(sg)
 sg.description.value == "Managed by Terraform"
 res := result.new("DB security group explicitly uses the default description.", sg.description)
 }
diff --git a/checks/cloud/openstack/networking/add_description_to_security_group.rego b/checks/cloud/openstack/networking/add_description_to_security_group.rego
index 833bc8b0..474ba0ca 100644
--- a/checks/cloud/openstack/networking/add_description_to_security_group.rego
+++ b/checks/cloud/openstack/networking/add_description_to_security_group.rego
@@ -26,12 +26,17 @@ package builtin.openstack.networking.openstack0005
 import rego.v1
+import data.lib.cloud.metadata
 import data.lib.cloud.value
 deny contains res if {
 some sg in input.openstack.networking.securitygroups
+ isManaged(sg)
 without_description(sg)
- res := result.new("Network security group does not have a description.", sg.description)
+ res := result.new(
+ "Network security group does not have a description.",
+ metadata.obj_by_path(sg, ["description"]),
+ )
 }
 without_description(sg) if value.is_empty(sg.description)
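Review bot: The RDB hunk still passes `sg.description` to `result.new("DB security group does not have a description.", sg.description)` in the first rule; if this file's `without_description` has the `not sg.description` clause that the sibling files in this patch show, that clause is satisfied exactly when `sg.description` is undefined, so the `result.new` call then fails and a DB security group with no description at all never produces a finding (only an empty one does). Every other file touched here switched that argument to the metadata lookup, so the line should become `res := result.new("DB security group does not have a description.", metadata.obj_by_path(sg, ["description"]))`, with `import data.lib.cloud.metadata` added if the file does not already have it (no import is added in this hunk and the diffstat shows only two insertions for this file). The `without_description` definition is outside the hunk, so this is inferred from the sibling files rather than visible here.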