re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.subnet_id); is incorrect and need to match with resource.id as per document which is impossible or need to find some other way for validation

[rezoan]

In file https://github.com/prancer-io/prancer-compliance-test/blob/master/azure/terraform/vnetsubnets.rego re_match(concat("", ["^.*\\.", resource.name, "\\..*$"]), r.properties.subnet_id); is incorrect and need to match with resource.id as per https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/subnet_network_security_group_association

matching with id is impossible during compile time as id will only available from tf output file.

We need to find some other way to match the subnet association with vnet.

[rezoan]

@farchide just a thought. checking subnet_id and network_security_group_id for empty value under azurerm_subnet_network_security_group_association should work here if you agree.

Which means if subnet_id and network_security_group_id does not have empty value (could have real id or tf variable reference) we can determine the azurerm_subnet_network_security_group_association will have a subnet_id and will be associated with nsg with id from network_security_group_id

Please confirm.

[farchide]

We cannot look for any specific pattern, because the user may use the data provider to get the resource id.
@rezoan I agree with your approach, just make sure network security group is assigned to the subnet by checking azurerm_subnet_network_security_group_association resource
we expect subnet, NSG and (resource or data provider) and azurerm_subnet_network_security_group_association to be available in a single tf file

[rezoan]

issue been fixed.