GoogleCloudPlatform · morgante · Oct 4, 2019 · Jul 23, 2019 · Jul 23, 2019 · Jul 23, 2019
diff --git a/policies/templates/gcp_cmek_settings_v1.yaml b/policies/templates/gcp_cmek_settings_v1.yaml
@@ -53,7 +53,6 @@ spec:
            }] {
            	constraint := input.constraint
            	lib.get_constraint_params(constraint, params)
-           	exempt_list := lib.get_default(params, "exemptions", [])
            	asset := input.asset
            	asset.asset_type == "cloudkms.googleapis.com/CryptoKey"
 

diff --git a/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml b/policies/templates/gcp_sql_allowed_authorized_networks_v1.yaml
@@ -70,7 +70,7 @@ spec:
             	asset := input.asset
             	asset.asset_type == "sqladmin.googleapis.com/Instance"
 
-            	check_ssl(params, asset.resource.settings.ipConfiguration) == false
+            	check_ssl(params, asset.resource.data.settings.ipConfiguration) == false
 
             	message := sprintf("%v has networks with SSL settings in violation of policy", [asset.name])
             	metadata := {"resource": asset.name}
@@ -86,7 +86,7 @@ spec:
             	asset := input.asset
             	asset.asset_type == "sqladmin.googleapis.com/Instance"
 
-            	forbidden := forbidden_networks(params, asset.resource.settings.ipConfiguration)
+            	forbidden := forbidden_networks(params, asset.resource.data.settings.ipConfiguration)
             	count(forbidden) > 0
 
             	message := sprintf("%v has authorized networks that are not allowed: %v", [asset.name, forbidden])

diff --git a/validator/sql_allowed_authorized_networks.rego b/validator/sql_allowed_authorized_networks.rego
@@ -28,7 +28,7 @@ deny[{
 	asset := input.asset
 	asset.asset_type == "sqladmin.googleapis.com/Instance"
 
-	check_ssl(params, asset.resource.settings.ipConfiguration) == false
+	check_ssl(params, asset.resource.data.settings.ipConfiguration) == false
 
 	message := sprintf("%v has networks with SSL settings in violation of policy", [asset.name])
 	metadata := {"resource": asset.name}
@@ -44,7 +44,7 @@ deny[{
 	asset := input.asset
 	asset.asset_type == "sqladmin.googleapis.com/Instance"
 
-	forbidden := forbidden_networks(params, asset.resource.settings.ipConfiguration)
+	forbidden := forbidden_networks(params, asset.resource.data.settings.ipConfiguration)
 	count(forbidden) > 0
 
 	message := sprintf("%v has authorized networks that are not allowed: %v", [asset.name, forbidden])

diff --git a/validator/sql_allowed_authorized_networks_test.rego b/validator/sql_allowed_authorized_networks_test.rego
@@ -37,7 +37,7 @@ test_sql_allowed_authorized_networks_default {
 	violation.details.resource == "//cloudsql.googleapis.com/projects/noble-history-87417/instances/authorized-networks-35"
 }
 
-test_sql_allowed_authorized_networks_ssl_disabled {
+test_sql_allowed_authorized_networks_ssl_enabled {
 	constraints := [fixture_constraints.ssl_enabled]
 	violations := find_violations with data.test_constraints as constraints
 	count(violations) == 1

diff --git a/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json b/validator/test/fixtures/sql_allowed_authorized_networks/assets/data.json
@@ -2,6 +2,7 @@
   "name": "//cloudsql.googleapis.com/projects/noble-history-87417/instances/no-authorized-networks",
   "asset_type": "sqladmin.googleapis.com/Instance",
   "resource": {
+    "data": {
       "settings": {
         "activationPolicy": "ALWAYS",
         "backupConfiguration": {
@@ -35,11 +36,13 @@
       },
       "state": "RUNNABLE"
     }
+  }
 },
 {
   "name": "//cloudsql.googleapis.com/projects/noble-history-87417/instances/authorized-networks-35",
   "asset_type": "sqladmin.googleapis.com/Instance",
   "resource": {
+    "data":{
       "settings": {
         "activationPolicy": "ALWAYS",
         "backupConfiguration": {
@@ -94,4 +97,5 @@
       },
       "state": "RUNNABLE"
     }
+  }
 }]