Rego验证阵列比较
我是Rego的新手,我正在尝试写一个策略,以检查是否已经在某些Azure NSG上创建了一组规则。
输入测试:
{
"name": "<name>",
"id": "<id>",
"etag": "<etag>",
"type": "<resourcetype>",
"location": "<location>",
"properties":
{
"provisioningState": "Succeeded",
"resourceGuid": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"securityRules":
[
{
"name": "<rule name>",
"id": "<id>",
"etag": "<etag",
"type": "<type>",
"properties":
{
"provisioningState": "Succeeded",
"description": "....",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "53",
"sourceAddressPrefix": "*",
"access": "Allow",
"priority": 1,
"direction": "Outbound",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes":
[
"10.0.0.1",
"10.0.0.2",
"10.0.0.3"
]
}
}
]
{
}为了检查值,我编写了一个自定义函数。下面是我正在Rego游乐场测试的代码
existRule(rule) = true
{
input.properties.securityRules[i].name == rule.name
input.properties.securityRules[i].properties.provisioningState == rule.provisioningState
input.properties.securityRules[i].properties.description == rule.description
input.properties.securityRules[i].properties.protocol == rule.protocol
input.properties.securityRules[i].properties.access == rule.access
input.properties.securityRules[i].properties.priority == rule.priority
input.properties.securityRules[i].properties.direction == rule.direction
}
rule = {
"name": "name",
"provisioningState": "Succeeded",
"description": "description",
"protocol": "*",
"sourcePortRange": "*",
"destinationPortRange": "1",
"sourceAddressPrefix": "*",
"access": "Allow",
"priority": 1,
"direction": "Outbound",
"destinationAddressPrefix": "",
"sourcePortRanges": [],
"destinationPortRanges": [],
"sourceAddressPrefixes": [],
"destinationAddressPrefixes": [
"10.0.0.1",
"10.0.0.2",
"10.0.0.3",
"10.0.0.4"
]
}
rules
{
existRule(rule)
}它适用于我在上面定义的属性,但是,在尝试比较数组时(特别是在本例中与destinationAddressPrefixes )比较时,我尝试了以下方法:
test1 { input.properties.securityRules[i].properties.destinationAddressPrefixes == rule.destinationAddressPrefixes }总是返回false
使用下面的行,我可以根据特定的ip检查输入中的一个目标地址,但是我无法将输入的所有地址与示例中定义的规则的地址进行比较。
onerule {input.properties.securityRules[i].properties.destinationAddressPrefixes[_] == "10.0.0.1"}
test2 {input.properties.securityRules[i].properties.destinationAddressPrefixes[_] == rule.destinationAddressPrefixes[j]}
test3 {input.properties.securityRules[i].properties.destinationAddressPrefixes[j] == rule.destinationAddressPrefixes[k]}test2和test3总是返回true,即使在输入中没有规则时也是如此。我也尝试过和数组的区别
x := input.properties.securityRules[i].properties.destinationAddressPrefixes - rule.destinationAddressPrefixes但我得到了以下错误:
rego_type_error:减号:无效参数有:(任意,array,??)需要:(any,any,any)
你知道实现我想要的目标是否可行吗?或者是否有一种不同的方法来查看数组并逐一比较这些值?
回答 1
Stack Overflow用户
发布于 2021-04-07 10:54:34
rule3400.destinationAddressPrefixes是什么样子的?
如果您想比较两个数组之间的完全相等性,那么==就足够了。
如果已知所有元素都是唯一的,并且顺序并不重要(在您的示例中似乎就是这样),您可以使用集合理解将数组转换为集合。这使得从另一个集合中减去一个集合成为可能,就像您试图直接处理数组一样。
to_set(arr) = {x | x := arr[_]}
input_prefixes := to_set(input.properties.securityRules[i].properties.destinationAddressPrefixes)
destination_prefixes := to_set(rule3400.destinationAddressPrefixes)
x := input_prefixes - destination_prefixeshttps://stackoverflow.com/questions/66976413
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号