search

turbot / steampipe-mod-aws-compliance

Run individual controls or full compliance benchmarks for CIS, PCI, NIST, HIPAA and more across all of your AWS accounts using Powerpipe and Steampipe.
https://hub.steampipe.io/mods/turbot/aws_compliance
Apache License 2.0
372 stars 61 forks source link

"select distinct arn ..." (and similar) should be "select distinct on (arn) arn ..." #493

Open e-gineer opened 2 years ago

e-gineer commented 2 years ago

Many queries in this mod use distinct to prevent duplicates. For example:

https://github.com/turbot/steampipe-mod-aws-compliance/blob/56d5f70aae65698cb8d1b73f41bb238c8d38e879/query/vpc/vpc_flow_logs_enabled.sql#L1-L3

Distinct checks all elements in the tuple (row), as opposed to ensuring the specific arn or name (common ones) is actually distinct.

So, queries like this:

select
  distinct arn as resource,

should actually be:

select distinct on (arn)
  arn,

A an example to see the difference, please try these two queries:

select distinct region, name from aws_s3_bucket order by region, name;

select distinct on (region) region, name from aws_s3_bucket order by region, name;
github-actions[bot] commented 1 year ago

'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'

github-actions[bot] commented 1 year ago

'This issue was closed because it has been stalled for 90 days with no activity.'

github-actions[bot] commented 1 year ago

'This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.'