Inline Comment

Insert a comment listing valid values when the correct fix is ambiguous—for example, when several AMIs are acceptable.

Prompt

The following can be used with the gomboc-enterprise-skills.

/gomboc:fix

I want to create an ORL rule that checks that the AMI used for EC2 instances or launch templates is one of the following:

- ami-0a1b2c3d4e5f67890
- ami-0987654321fedcba0
- ami-0ff11223344556677
- ami-0abcdef1234567890
- ami-0123456789abcdef0

If the value is not one of those, then add a comment before the AMI attribute listing the valid values.

**Important**: The rule should be idempotent.  When testing, make sure to run the test on the remediated workspace to ensure it is unchanged on the second run.

Use /gomboc-community:fix if you have the gomboc-community-skills installed.

For this type of rule is important to tell the fix that rule needs to be idempotent becuase the fix and check are different. ORL doesn't normally need this flag since it patches what it checks and idempotency is built in; which is not the case with this type of rule.

Rule Output Example

---
type: Ruleset
version: v1
metadata:
  name: "ensure-approved-ami-for-ec2-and-launch-template"
  display_name: "Ensure EC2 instances and launch templates use an approved AMI"
  description: |
    ## Description

    Ensures that aws_instance and aws_launch_template resources reference only
    approved AMI IDs. When a non-approved AMI is detected, a comment listing the
    valid AMIs is inserted immediately before the attribute to guide the author.
spec:
  template:
    language: terraform
    audit_language: ast
  rules:
    - name: ec2-instance-ami-must-be-approved
      audit: |
        (block
          (identifier) @_keyword (#eq? @_keyword "resource")
          (string_lit (template_literal) @_type (#eq? @_type "aws_instance"))
          (string_lit (template_literal) @name)
          (body
            (attribute
              (identifier) @_key (#eq? @_key "ami")
              (expression
                (literal_value
                  (string_lit
                    (template_literal) @value
                  )
                )
              )
            ) @attribute
          ) @body
        ) @resource
      skip_finding: |
        ($.value in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"]) or
        ($.resource matches "# Valid AMIs:")
      remediation:
        - command: insert_before
          path: attribute
          flags:
            suffix: "\n  "
          value: "# Valid AMIs: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

    - name: launch-template-image-id-must-be-approved
      audit: |
        (block
          (identifier) @_keyword (#eq? @_keyword "resource")
          (string_lit (template_literal) @_type (#eq? @_type "aws_launch_template"))
          (string_lit (template_literal) @name)
          (body
            (attribute
              (identifier) @_key (#eq? @_key "image_id")
              (expression
                (literal_value
                  (string_lit
                    (template_literal) @value
                  )
                )
              )
            ) @attribute
          ) @body
        ) @resource
      skip_finding: |
        ($.value in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"]) or
        ($.resource matches "# Valid AMIs:")
      remediation:
        - command: insert_before
          path: attribute
          flags:
            suffix: "\n  "
          value: "# Valid AMIs: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

Each rule matches one resource type and its AMI attribute. skip_finding passes when the value is valid or the comment is already present; otherwise, the comment is inserted before the attribute.

PreviousExamples NextInline Value with Comment

Last updated 2 days ago

---
type: Ruleset
version: v1
metadata:
  name: "ensure-approved-ami-for-ec2-and-launch-template"
  display_name: "Ensure EC2 instances and launch templates use an approved AMI"
  description: |
    ## Description

    Ensures that aws_instance and aws_launch_template resources reference only
    approved AMI IDs. When a non-approved AMI is detected, a comment listing the
    valid AMIs is inserted immediately before the attribute to guide the author.
spec:
  template:
    language: terraform
    audit_language: ast
  rules:
    - name: ec2-instance-ami-must-be-approved
      audit: |
        (block
          (identifier) @_keyword (#eq? @_keyword "resource")
          (string_lit (template_literal) @_type (#eq? @_type "aws_instance"))
          (string_lit (template_literal) @name)
          (body
            (attribute
              (identifier) @_key (#eq? @_key "ami")
              (expression
                (literal_value
                  (string_lit
                    (template_literal) @value
                  )
                )
              )
            ) @attribute
          ) @body
        ) @resource
      skip_finding: |
        ($.value in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"]) or
        ($.resource matches "# Valid AMIs:")
      remediation:
        - command: insert_before
          path: attribute
          flags:
            suffix: "\n  "
          value: "# Valid AMIs: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"

    - name: launch-template-image-id-must-be-approved
      audit: |
        (block
          (identifier) @_keyword (#eq? @_keyword "resource")
          (string_lit (template_literal) @_type (#eq? @_type "aws_launch_template"))
          (string_lit (template_literal) @name)
          (body
            (attribute
              (identifier) @_key (#eq? @_key "image_id")
              (expression
                (literal_value
                  (string_lit
                    (template_literal) @value
                  )
                )
              )
            ) @attribute
          ) @body
        ) @resource
      skip_finding: |
        ($.value in ["ami-0a1b2c3d4e5f67890", "ami-0987654321fedcba0", "ami-0ff11223344556677", "ami-0abcdef1234567890", "ami-0123456789abcdef0"]) or
        ($.resource matches "# Valid AMIs:")
      remediation:
        - command: insert_before
          path: attribute
          flags:
            suffix: "\n  "
          value: "# Valid AMIs: ami-0a1b2c3d4e5f67890, ami-0987654321fedcba0, ami-0ff11223344556677, ami-0abcdef1234567890, ami-0123456789abcdef0"