Issue Statement:
A policy is built from a single block containing multiple 'Or' conditions, where each condition reports assets that are missing a particular tag.
The issue is that only the first rule is executed; the following rules are never evaluated.
Cause Notification:
Only the first rule gets executed in this policy because that rule runs against the entire list of assets in the asset report. If even one asset is missing the tag, the rule produces violators and the remaining rules are not evaluated. The multiple 'Or' conditions are not evaluated one after another for each asset; they are evaluated block-wide, in rule order.
Standard policy execution works as follows:
- All assets in question are evaluated against the rules in the order the rules are defined, i.e. Rule 1 is executed first, Rule 2 second, and so on.
- If any asset returns true for a rule's condition, the violators for that rule are identified and the remaining rules are not evaluated at all.
- Rule 2 is executed only if no asset matches Rule 1 (i.e. no asset returns true for it). In this case, Rule 2 would only have run if every asset contained the tag named in Rule 1.
Recommended Solution:
The solution is to build a separate policy block for each condition, each block containing one rule for the respective missing tag. For example, Block 1 contains a rule for the 'A' tag missing, Block 2 a rule for the 'B' tag missing, and so on. Because each block is evaluated independently, every tag check runs regardless of the result of the others.
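The following is an added illustration of both the cause and the recommended solution above; it is not the product's own policy engine or API. It models the semantics the article describes (rules in a block run in order against the whole asset list, and the first rule that finds violators stops the block) and shows, on a constructed inventory with hypothetical asset names and tags, that a single 'Or' block reports only the first missing tag while one block per condition reports all of them.

```python
"""Model of the policy-evaluation behaviour described in this article.

Added, constructed illustration; not the product's own engine. It assumes
the stated semantics: rules in one block are evaluated in definition order
against the full asset list, and as soon as any rule yields violators the
remaining rules in that block are skipped.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    tags: set = field(default_factory=set)


def missing_tag(tag):
    """Rule factory: the condition is true for an asset that lacks `tag`."""
    return lambda asset: tag not in asset.tags


def evaluate_block(assets, rules):
    """One policy block holding several 'Or' rules.

    Each rule runs against the entire asset list. The first rule that flags
    at least one asset wins: its violators are returned and the later rules
    in the block are never evaluated.
    Returns (violators_by_tag, number_of_rules_evaluated).
    """
    evaluated = 0
    for tag, rule in rules:
        evaluated += 1
        violators = {a.name for a in assets if rule(a)}
        if violators:
            return {tag: violators}, evaluated
    return {}, evaluated


def evaluate_separate_blocks(assets, rules):
    """Recommended layout: one block per condition, so every rule always runs."""
    report = {}
    for tag, rule in rules:
        violators, _ = evaluate_block(assets, [(tag, rule)])
        report.update(violators)
    return report


# Constructed sample inventory (hypothetical asset names and tags).
SAMPLE_ASSETS = [
    Asset("web-01", {"A", "B", "C"}),
    Asset("web-02", {"B", "C"}),     # missing A
    Asset("db-01", {"A", "C"}),      # missing B
    Asset("cache-01", {"A", "B"}),   # missing C
]

# Three 'Or' conditions: tag A missing, tag B missing, tag C missing.
RULES = [(t, missing_tag(t)) for t in ("A", "B", "C")]


def single_block_report():
    """Single block with all three conditions: only tag A violators surface."""
    return evaluate_block(SAMPLE_ASSETS, RULES)


def separate_block_report():
    """One block per condition: violators for A, B and C are all reported."""
    return evaluate_separate_blocks(SAMPLE_ASSETS, RULES)


if __name__ == "__main__":
    found, n = single_block_report()
    print(f"single block: {n} of {len(RULES)} rules evaluated, violators={found}")
    print(f"separate blocks: violators={separate_block_report()}")
```

Removing the asset that lacks tag A from the sample list and re-running `evaluate_block` shows the second rule being reached only then, which is the "Rule 2 runs only if every asset carries the Rule 1 tag" behaviour the article describes.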