Improve YAML Custom Policy for Checking Connection Dependencies #6951

Open
MatousVondal opened this issue Jan 15, 2025 · 0 comments
Labels
contribution requested This is a great feature idea, but we will need a contribution to get it added to Checkov.

Comments

@MatousVondal

Issue Description: I am trying to create a YAML custom policy to check the connection dependencies for all resources connected with azurerm_monitor_diagnostic_setting and ensure that all possible logs are enabled.

Current Implementation:

```terraform
resource "azurerm_monitor_diagnostic_setting" "firewall" {
    name = "${local.project_prefix}-frwllogs${random_string.int[0].result}"

    target_resource_id = azurerm_firewall.firewall.id

    log_analytics_workspace_id = azurerm_log_analytics_workspace.log_analytics.id

    log_analytics_destination_type = "Dedicated"

    enabled_log {
        category_group = "allLogs"
    }

    metric {
        category = "AllMetrics"
        enabled  = true
    }
}
```

YAML custom policy:

```yaml
metadata:
  id: "CUSTOM_DISGNOSTIC_SETTINGS_POLICY"
  name: "Audit diagnostic setting for selected resource types id:7f89b1eb-583c-429a-8828-af049802c1d9"
  category: "CONVENTION"
  severity: "HIGH"

scope:
  provider: "azure"

definition:

  and:

    - cond_type: "connection"
      resource_types:
        - "azurerm_monitor_diagnostic_setting"
      connected_resource_types:
        - "azurerm_virtual_network"
        - "azurerm_firewall"
        - "azurerm_network_security_group"
        - "azurerm_virtual_network_gateway"
        - "azurerm_public_ip"
        - "azurerm_linux_virtual_machine"
        - "azurerm_windows_virtual_machine"
        - "azurerm_network_interface"
        - "azurerm_application_gateway"
        - "azurerm_key_vault"
      operator: "exists"

    - cond_type: "attribute"
      resource_types:
        - "azurerm_monitor_diagnostic_setting"
      attribute: enabled_log.category_group
      operator: "equals"
      value: "allLogs"

    - cond_type: "attribute"
      resource_types:
        - "azurerm_monitor_diagnostic_setting"
      attribute: metric.category
      operator: "equals"
      value: "AllMetrics"
```

Problem: Currently, I have to explicitly define all resources where I want to control the existing connections. A better solution would be to use a negation of the connections for resources I do not want to check if diagnostic settings are enabled.

```yaml
metadata:
  id: "OHLA_CUSTOM_DISGNOSTIC_SETTINGS_POLICY"
  name: "Audit diagnostic setting for selected resource types id:7f89b1eb-583c-429a-8828-af049802c1d9"
  category: "CONVENTION"
  severity: "HIGH"

scope:
  provider: "azure"

definition:

  and:
    - not:
        - cond_type: "connection"
          resource_types:
            - "azurerm_monitor_diagnostic_setting"
          connected_resource_types:
            - "azurerm_network_interface_security_group_association"
            - "azurerm_subnet_route_table_association"
            - "azurerm_network_security_group_security_rule"
            - "azurerm_network_security_rule"
            - "azurerm_monitor_diagnostic_setting"
            - "azurerm_virtual_network_peering"
            - "azurerm_route"
            - "azurerm_subnet"
            - "azurerm_private_dns_zone_virtual_network_link"
            - "azurerm_subnet_network_security_group_association"
          operator: "exists"

    - cond_type: "attribute"
      resource_types:
        - "azurerm_monitor_diagnostic_setting"
      attribute: enabled_log.category_group
      operator: "equals"
      value: "allLogs"

    - cond_type: "attribute"
      resource_types:
        - "azurerm_monitor_diagnostic_setting"
      attribute: metric.category
      operator: "equals"
      value: "AllMetrics"
```

Issue: The attempted solution with negation does not work. Is there a way to specify which connections I do not want to check and then check all other resources that fall under "all"?

@MatousVondal MatousVondal added the contribution requested This is a great feature idea, but we will need a contribution to get it added to Checkov. label Jan 15, 2025
@MatousVondal MatousVondal reopened this Jan 15, 2025
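The deny-list semantics the issue asks for, written out as a stand-alone Python check rather than a Checkov policy. This is an added illustration, not Checkov's code or the issue author's; the resource model, the `Resource` class and the sample plan are constructed for the example, and a resource counts as covered only when a diagnostic setting targets it with both `allLogs` and an enabled `AllMetrics` block, the same two attribute conditions the policy above uses.

```python
# Added illustration, not Checkov's code: the deny-list check the issue asks for,
# run over a small constructed model of Terraform resources.
from dataclasses import dataclass, field

# Types to skip: the negated connection list from the issue's second policy.
EXCLUDED_TYPES = {
    "azurerm_monitor_diagnostic_setting", "azurerm_subnet", "azurerm_route",
    "azurerm_network_security_rule", "azurerm_virtual_network_peering",
    "azurerm_subnet_network_security_group_association",
    "azurerm_subnet_route_table_association",
    "azurerm_network_interface_security_group_association",
    "azurerm_network_security_group_security_rule",
    "azurerm_private_dns_zone_virtual_network_link",
}

@dataclass
class Resource:                      # hypothetical minimal model of one resource
    address: str                     # e.g. "azurerm_firewall.firewall"
    attrs: dict = field(default_factory=dict)

    @property
    def type(self) -> str:
        return self.address.split(".", 1)[0]

def setting_is_complete(s: Resource) -> bool:
    """Mirror the policy's two attribute conditions on a diagnostic setting."""
    logs = s.attrs.get("enabled_log", [])
    metrics = s.attrs.get("metric", [])
    return any(b.get("category_group") == "allLogs" for b in logs) and any(
        m.get("category") == "AllMetrics" and m.get("enabled") for m in metrics)

def audit(resources: list) -> dict:
    """PASSED/FAILED per resource whose type is NOT in the exclusion list."""
    settings = [r for r in resources if r.type == "azurerm_monitor_diagnostic_setting"]
    results = {}
    for r in resources:
        if r.type in EXCLUDED_TYPES:
            continue                 # deny-listed: never audited
        targeting = [s for s in settings
                     if s.attrs.get("target_resource_id") == f"{r.address}.id"]
        results[r.address] = "PASSED" if any(map(setting_is_complete, targeting)) else "FAILED"
    return results

# Constructed sample: the issue's firewall setting, a key vault with logs only, a subnet.
SAMPLE = [
    Resource("azurerm_firewall.firewall"), Resource("azurerm_key_vault.kv"),
    Resource("azurerm_subnet.s1"),
    Resource("azurerm_monitor_diagnostic_setting.firewall", {
        "target_resource_id": "azurerm_firewall.firewall.id",
        "enabled_log": [{"category_group": "allLogs"}],
        "metric": [{"category": "AllMetrics", "enabled": True}]}),
    Resource("azurerm_monitor_diagnostic_setting.kv", {
        "target_resource_id": "azurerm_key_vault.kv.id",
        "enabled_log": [{"category_group": "allLogs"}]}),
]
```

Running `audit(SAMPLE)` reports the firewall as PASSED, the key vault as FAILED (no metrics block), and omits the subnet because its type is excluded.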