feat: update rego controls to policy format

Mahanmmi · Mahanmmi · commit ad644e1adbe5 · 2025-01-21T17:47:39.000+04:00
diff --git a/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml b/compliance/controls/aws/aws_ec2_ami_not_older_than_90_days_rego.yaml
@@ -5,8 +5,42 @@ integration_type:
   - aws_cloud_account
 parameters: []
 policy:
-    language: sql
+    language: rego
     primary_resource: aws_ec2_ami
+    rego_policies:
+      - |
+        package aws_ec2_ami_not_older_than_90_days_rego
+        import future.keywords.in
+
+          # Define the result rule
+        result[obj] {
+          some ami in opencomply.aws_ec2_ami({})
+
+          # Populate the fields in the result object
+          obj := {
+            "resource": ami.image_id,
+            "platform_integration_id": ami.platform_integration_id,
+            "platform_resource_id": ami.platform_resource_id,
+            "status": status(ami.creation_date),
+            "reason": sprintf("%s created %s (%d days).", [
+              ami.title,
+              time.format(ami.creation_date),
+              days_since_creation(ami.creation_date)
+            ])
+          }
+        }
+
+        # Determine the status based on the creation_date
+        status(creation_date) = "ok" {
+          creation_date >= time.now_ns() - (90 * 24 * 60 * 60 * 1e9)  # 90 days in nanoseconds
+        }
+        status(creation_date) = "alarm" {
+          creation_date < time.now_ns() - (90 * 24 * 60 * 60 * 1e9)
+        }
+        days_since_creation(creation_date) = days {
+          now := time.now_ns()
+          days := floor((now - creation_date) / (24 * 60 * 60 * 1e9))  # Convert nanoseconds to days
+        }
     definition: |
         data.aws_ec2_ami_not_older_than_90_days_rego.result
 severity: low
diff --git a/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml b/compliance/controls/aws/aws_ec2_classic_lb_connection_draining_enabled_rego.yaml
@@ -1,14 +1,13 @@
-Description: This control checks whether Classic Load Balancers have connection draining enabled.
-ID: aws_ec2_classic_lb_connection_draining_enabled_rego
-IntegrationType:
+id: aws_ec2_classic_lb_connection_draining_enabled_rego
+title: Classic Load Balancers should have connection draining enabled
+description: This control checks whether Classic Load Balancers have connection draining enabled.
+integration_type:
   - aws_cloud_account
-Query:
-  Engine: cloudql-rego
-  ListOfTables:
-    - aws_ec2_classic_load_balancer
-  Parameters: []
-  PrimaryTable: aws_ec2_classic_load_balancer
-  RegoPolicies:
+parameters: []
+policy:
+  language: rego
+  primary_resource: aws_ec2_classic_load_balancer
+  rego_policies:
     - |
       package aws_ec2_classic_lb_connection_draining_enabled_rego
       import future.keywords.in
@@ -40,10 +39,10 @@ Query:
           "account_id": lb.account_id,
         }
       }
-  QueryToExecute: |
+  definition: |
     data.aws_ec2_classic_lb_connection_draining_enabled_rego.result
-Severity: medium
-Tags:
+severity: medium
+tags:
   aws_foundational_security:
     - "true"
   category:
@@ -56,4 +55,3 @@ Tags:
     - aws
   service:
     - AWS/ELB
-Title: Classic Load Balancers should have connection draining enabled
