Initial Commit on fine-grained excludes

Author: moredhel

examples/exceptions2/main.tf

@@ -0,0 +1,8 @@
+
+
+
+resource "null_resource" "exception-name" {}
+
+resource "null_resource" "invalid-name" {}
+
+resource "invalid_type" "valid_name" {}

examples/exceptions2/policy/deny.rego

@@ -0,0 +1,29 @@
+package main
+
+exceptions = {"exception-name"}
+
+func_name_msg(name) = ret {
+	ret := sprintf("Resource Name '%s' contains dashes", [name])
+}
+
+deny_name[msg] {
+	input.resource[_][name]
+	contains(name, "-")
+	msg := func_name_msg(name)
+}
+
+deny_resource_type[msg] {
+	input.resource[type]
+	type == "invalid_type"
+	msg := sprintf("Resource Type '%s' is invalid", [type])
+}
+
+exclude_name[rules] {
+	input.resource[_][name]
+	exceptions[name]
+	rules := [func_name_msg(name)]
+}
+
+exception[rules] {
+	rules := ["resource_type"]
+}

output/result.go

@@ -77,6 +77,7 @@ type CheckResult struct {
 	Warnings   []Result      `json:"warnings,omitempty"`
 	Failures   []Result      `json:"failures,omitempty"`
 	Exceptions []Result      `json:"exceptions,omitempty"`
+	Excludes   []Result      `json:"excludes,omitempty"`
 	Queries    []QueryResult `json:"queries,omitempty"`
 }
 

output/standard.go

@@ -89,6 +89,10 @@ func (s *Standard) Output(results []CheckResult) error {
 			}
 		}
 
+		for _, exclude := range result.Excludes {
+			fmt.Fprintln(s.Writer, colorizer.Colorize("EXCL", aurora.BlueFg), indicator, namespace, exclude.Message)
+		}
+
 		totalFailures += len(result.Failures)
 		totalExceptions += len(result.Exceptions)
 		totalWarnings += len(result.Warnings)

policy/engine.go

@@ -298,6 +298,7 @@ func (e *Engine) check(ctx context.Context, path string, config interface{}, nam
 
 		var failures []output.Result
 		var warnings []output.Result
+		var excludes []output.Result
 		for _, ruleResult := range ruleQueryResult.Results {
 
 			// Exceptions have already been accounted for in the exception query so
@@ -311,6 +312,21 @@ func (e *Engine) check(ctx context.Context, path string, config interface{}, nam
 				continue
 			}
 
+			localExcludeQuery := fmt.Sprintf("data.%s.exclude_%s[_][_] = %q", namespace, removeRulePrefix(rule), ruleResult.Message)
+			localExcludeQueryResult, err := e.query(ctx, config, localExcludeQuery)
+			if err != nil {
+				return output.CheckResult{}, fmt.Errorf("query exception: %w", err)
+			}
+
+			// If the query was a failure, let's have a look & see if an exception was written for it.
+			if len(localExcludeQueryResult.Results) > 0 {
+				// append an exception & continue
+				localExcludeResult := localExcludeQueryResult.Results[0]
+				localExcludeResult.Message = localExcludeQuery
+				excludes = append(excludes, localExcludeResult)
+				continue
+			}
+
 			if isFailure(rule) {
 				failures = append(failures, ruleResult)
 			} else {
@@ -321,6 +337,7 @@ func (e *Engine) check(ctx context.Context, path string, config interface{}, nam
 		checkResult.Failures = append(checkResult.Failures, failures...)
 		checkResult.Warnings = append(checkResult.Warnings, warnings...)
 		checkResult.Exceptions = append(checkResult.Exceptions, exceptions...)
+		checkResult.Excludes = append(checkResult.Excludes, excludes...)
 
 		checkResult.Queries = append(checkResult.Queries, exceptionQueryResult)
 		checkResult.Queries = append(checkResult.Queries, ruleQueryResult)