Control: Ensure VCN inbound security lists are stateless
Description
This control checks that the ingress security rules of every oci_core_security_list resource in the Terraform configuration are stateless (stateless = true). A stateful rule is connection-tracked and implicitly permits the matching return traffic; a stateless rule is evaluated per packet in one direction only, so the corresponding egress rule for reply traffic must be declared explicitly. A security list with no ingress rules is skipped.
Usage
Run the control in your terminal:
powerpipe control run terraform_oci_compliance.control.vcn_inbound_security_lists_are_stateless
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run terraform_oci_compliance.control.vcn_inbound_security_lists_are_stateless --share
SQL
This control uses a named query:
with all_security_rules as (
  select
    *
  from
    terraform_resource
  where
    type = 'oci_core_security_list'
),
non_complaint as (
  select
    name,
    count(name) as count
  from
    all_security_rules,
    jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'ingress_security_rules')
        when 'array' then (attributes_std -> 'ingress_security_rules')
        else null
      end
    ) as p
  where
    p ->> 'stateless' is not null
    and (p ->> 'stateless')::bool is not true
  group by
    name
)
select
  a.address as resource,
  case
    when b.count > 0
      or (
        a.attributes_std -> 'ingress_security_rules' ->> 'stateless' is not null
        and (a.attributes_std -> 'ingress_security_rules' ->> 'stateless')::bool is not true
      ) then 'alarm'
    when (a.attributes_std ->> 'ingress_security_rules' is null) then 'skip'
    else 'ok'
  end as status,
  split_part(a.address, '.', 2) || case
    when b.count > 0
      or (
        a.attributes_std -> 'ingress_security_rules' ->> 'stateless' is not null
        and (a.attributes_std -> 'ingress_security_rules' ->> 'stateless')::bool is not true
      ) then ' has stateful ingress security rules'
    when (a.attributes_std ->> 'ingress_security_rules' is null) then ' has no ingress security rules'
    else ' has stateless ingress security rules'
  end || '.' as reason,
  path || ':' || start_line
from
  all_security_rules as a
  left join non_complaint as b on a.name = b.name;
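The Terraform below is an added illustration, not part of the terraform_oci_compliance mod, showing what the query above flags and what it accepts. The resource names, the var.compartment_ocid variable, the oci_core_vcn.main reference and the CIDRs are assumed placeholders. It also shows the caveat a reviewer should know about: the query only examines rules where the stateless attribute is present, so a rule that omits it (which the OCI provider treats as stateful, since stateless defaults to false) is not reported.

```hcl
# Added example; hypothetical names and addresses.

# Reported as 'alarm': the ingress rule is explicitly stateful.
resource "oci_core_security_list" "stateful_web" {
  compartment_id = var.compartment_ocid # assumed variable
  vcn_id         = oci_core_vcn.main.id # assumed VCN resource
  display_name   = "stateful-web"

  ingress_security_rules {
    protocol  = "6" # TCP
    source    = "0.0.0.0/0"
    stateless = false # connection-tracked; replies are allowed implicitly
    tcp_options {
      min = 443
      max = 443
    }
  }
}

# Reported as 'ok': every ingress rule is stateless. Because nothing tracks the
# connection, the reply traffic needs its own stateless egress rule, here keyed
# on the source port 443 that the server answers from.
resource "oci_core_security_list" "stateless_web" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  display_name   = "stateless-web"

  ingress_security_rules {
    protocol  = "6"
    source    = "0.0.0.0/0"
    stateless = true
    tcp_options {
      min = 443
      max = 443
    }
  }

  egress_security_rules {
    protocol    = "6"
    destination = "0.0.0.0/0"
    stateless   = true
    tcp_options {
      source_port_range {
        min = 443
        max = 443
      }
    }
  }
}

# Also reported as 'ok', although the rule is stateful in practice: the
# stateless attribute is omitted, the provider defaults it to false, and the
# query's "p ->> 'stateless' is not null" filter never sees this rule.
resource "oci_core_security_list" "implicit_stateful" {
  compartment_id = var.compartment_ocid
  vcn_id         = oci_core_vcn.main.id
  display_name   = "implicit-stateful"

  ingress_security_rules {
    protocol = "6"
    source   = "10.0.0.0/16"
    tcp_options {
      min = 22
      max = 22
    }
  }
}
```

If the intent of the control is "no stateful ingress rules at all", the query would have to treat a missing stateless attribute as false; as written it only catches rules that set stateless = false explicitly, so review omitted attributes separately.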