package aws.transferfamily.m4

# AWS Transfer family server should NOT be publicly accessible over the internet

# Terraform policy resource link
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/transfer_server#endpoint_type

# AWS link to policy definition/explanation
# https://aws.amazon.com/aws-transfer-family/?nc=sn&loc=0

# The only endpoint_type this policy accepts. Any other value on the planned
# resource (e.g. "PUBLIC") is reported by `deny`; with "VPC" the server is
# additionally required to have no Elastic IP allocations attached.
allowed_endpoint_type := "VPC"


# True when `resource` (one element of input.resource_changes in Terraform
# plan JSON) is a managed aws_transfer_server that is being created or
# updated. Destroy-only changes are excluded by data.utils.is_create_or_update.
is_in_scope(resource) {
	resource.type == "aws_transfer_server"
	resource.mode == "managed"
	data.utils.is_create_or_update(resource.change.actions)
}

# True when the planned endpoint_type equals allowed_endpoint_type ("VPC").
# Undefined (and therefore treated as a failure by callers) when the field is
# missing from resource.change.after.
is_allowed_endpoint_type_selected(resource) {
	selected := resource.change.after.endpoint_type
	selected == allowed_endpoint_type
}

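# NOTE(review): despite its name, this rule is true for a server that is NOT
# internet-facing: endpoint_type is "VPC" and no Elastic IP allocations are
# attached to the VPC endpoint. The name is kept so existing references keep
# working; `deny` negates it.
#
# Fail-closed by construction: if address_allocation_ids is absent from
# resource.change.after (e.g. it is known only after apply and therefore
# listed under after_unknown instead), or endpoint_details has no entries,
# every body below is undefined and the caller's `not` yields a denial.
is_internetfacing_type_endpoint(resource) {
	is_allowed_endpoint_type_selected(resource)
	endpoint_details := resource.change.after.endpoint_details[_]
	has_no_public_ip_allocation(endpoint_details)
}

# No Elastic IPs attached: an unset list is expected to appear as null in the
# plan JSON (this is the case the original null-only comparison covered).
has_no_public_ip_allocation(endpoint_details) {
	endpoint_details.address_allocation_ids == null
}

# An explicitly empty list also attaches no Elastic IPs. The original
# `== null` check rejected this compliant configuration as a false positive.
# is_array guards count() against a null/non-collection value.
has_no_public_ip_allocation(endpoint_details) {
	ids := endpoint_details.address_allocation_ids
	is_array(ids)
	count(ids) == 0
}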

# Reports every in-scope aws_transfer_server whose planned configuration is
# not a VPC endpoint free of Elastic IP allocations. Because Rego's `not`
# succeeds on an undefined value, a resource with missing or malformed
# endpoint fields is denied rather than silently passed (fail-closed).
deny[reason] {
	some i
	resource := input.resource_changes[i]
	is_in_scope(resource)
	not is_internetfacing_type_endpoint(resource)
	reason := sprintf("AWS-TRANSFER_FAMILY-M-4:TRANSFER_FAMILY Endpoint Type should be selected as VPC and Public IP must be blocked '%s'", [resource.address])
}