GoogleCloudPlatform / policy-library

A library of constraint templates and sample constraints for Constraint Framework tools
Apache License 2.0

rego_parse_error: no match found error for gcp_compute_block_ssh_keys_v1 and gcp_compute_enable_oslogin_project_v1 #407

Closed xingao267 closed 2 years ago

xingao267 commented 2 years ago

When running CFT Scorecard 0.3.4 with the latest policies, I got the following errors.

Generating CFT scorecard
Error: initializing gcv validator: failed to load resource /tmp/xingao-tmp.tFpgKV/generated/forseti_policies/policies/templates/gcp_compute_block_ssh_keys_v1.yaml gcp-compute-block-ssh-keys-v1: failed to convert legacy forseti ConstraintTemplate to ConstraintFramework format, this is likely due to an issue in the spec.crd.spec.validation field: failed to add source: 1 error occurred: template-rego:40: rego_parse_error: no match found
    default metadata_blocks_project_keys(meta) = false
                                        ^, failed to load resource /tmp/xingao-tmp.tFpgKV/generated/forseti_policies/policies/templates/gcp_compute_enable_oslogin_project_v1.yaml gcp-compute-enable-oslogin-project-v1: failed to convert legacy forseti ConstraintTemplate to ConstraintFramework format, this is likely due to an issue in the spec.crd.spec.validation field: failed to add source: 1 error occurred: template-rego:41: rego_parse_error: no match found
    default metadata_enable_oslogin(meta) = false
                                   ^
Usage:
  cft scorecard [flags]

Flags:
      --bucket string                    GCS bucket name for storing inventory (conflicts with --dir-path or --stdin)
      --dir-path string                  Local directory path for storing inventory (conflicts with --bucket or --stdin)
  -h, --help                             help for scorecard
      --output-format string             Format of scorecard outputs, can be txt, json or csv (default "txt")
      --output-metadata-fields strings   List of comma delimited violation metadata fields to include in output. By default no metadata fields in output when --output-format is txt or csv. All metadata will be in output when --output-format is json.
      --output-path string               Path to directory to contain scorecard outputs. Output to console if not specified
      --policy-path string               Path to directory containing validation policies
      --refresh                          Refresh Cloud Asset Inventory export files in GCS bucket. If set, Application Default Credentials must be a service account (Works with --bucket)
      --stdin                            Passed Cloud Asset Inventory json string as standard input (conflicts with --dir-path or --bucket)
      --target-folder string             Folder ID to analyze (Works with --bucket and --refresh; conflicts with --target-project or --target--organization)
      --target-organization string       Organization ID to analyze (Works with --bucket and --refresh; conflicts with --target-project or --target--folder)
      --target-project string            Project ID to analyze (Works with --bucket and --refresh; conflicts with --target-folder or --target--organization)

Global Flags:
      --verbose   Log output to stdout

It looks like the errors are from the two new compute-related policies: gcp-compute-block-ssh-keys-v1 and gcp-compute-enable-oslogin-project-v1. Any idea how to fix this?
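As an added illustration (not code from policy-library or from PR 411), here is the construct the parser rejects beside an equivalent that does not rely on `default` taking function arguments, so it parses on the older OPA release bundled in the scorecard. The package name, the `meta.items[]` key/value shape, and the metadata key are assumptions made for the example.

```rego
# Added example, not the policy-library template. The package name, the
# input shape (meta.items[] entries with "key" and "value", the way GCE
# instance metadata is exported) and the metadata key are assumptions.
package example.compute_block_ssh_keys

# Form quoted in the issue: a `default` rule whose head has function
# arguments. The OPA bundled with CFT Scorecard 0.3.4 / 0.4.0 cannot
# parse it; the caret in the reported error points at the "(" after
# the rule name.
#
#   default metadata_blocks_project_keys(meta) = false
#
# Equivalent written as a complete function: the first body succeeds
# when the metadata opts in, and the `else` arm supplies the false
# fallback so callers get a boolean instead of an undefined result.
metadata_blocks_project_keys(meta) = true {
    item := meta.items[_]
    item.key == "block-project-ssh-keys"
    lower(item.value) == "true"
} else = false {
    true
}

# Constructed sample metadata for a quick local check.
# Evaluate with: opa eval -d policy.rego "data.example.compute_block_ssh_keys.check"
sample_opted_in = {"items": [{"key": "block-project-ssh-keys", "value": "TRUE"}]}
sample_other_key = {"items": [{"key": "enable-oslogin", "value": "FALSE"}]}
sample_no_items = {}

# One entry per sample: metadata that opts in, metadata carrying a
# different key, and metadata with no items at all.
check = {
    "opted_in": metadata_blocks_project_keys(sample_opted_in),
    "other_key": metadata_blocks_project_keys(sample_other_key),
    "no_items": metadata_blocks_project_keys(sample_no_items),
}
```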

morgante commented 2 years ago

Can you try upgrading the version of OPA used in the CFT scorecard?

For the time being I'm going to revert those two features. @palani-ram-google-partner Please help with testing and confirming that your new templates are compatible.

xingao267 commented 2 years ago

> Can you try upgrading the version of OPA used in the CFT scorecard?

@morgante I've tried the latest (v0.4.0) version of the CFT Scorecard binary but it gives me the same error. How do I update the OPA version in it?

> For the time being I'm going to revert those two features. @palani-ram-google-partner Please help with testing and confirming that your new templates are compatible.

Thanks!

palani-ram-google-partner commented 2 years ago

@morgante This issue is fixed for the failed files and I created a new PR: https://github.com/GoogleCloudPlatform/policy-library/pull/411