[8.x](backport #2857) Upgrade to opa v1.0.0 (#2858)

Upgrade to opa v1.0.0 (#2857) * Upgrade to opa v1.0.0 * Fix opa fmt * Add unnecessary lint comment (cherry picked from commit 5200ab0) Co-authored-by: Rômulo Farias <romulo.farias@elastic.co>
elastic · Dec 23, 2024 · 91c27e0 · 91c27e0
1 parent cf50ee9
commit 91c27e0
Show file tree

Hide file tree

Showing 629 changed files with 1,281 additions and 1,289 deletions.
diff --git a/bin/.opa-0.70.0.pkg → bin/.opa-1.0.0.pkg b/bin/.opa-0.70.0.pkg → bin/.opa-1.0.0.pkg
diff --git a/bin/opa b/bin/opa
@@ -1 +1 @@
-.opa-0.70.0.pkg
+.opa-1.0.0.pkg
diff --git a/go.mod b/go.mod
@@ -68,7 +68,7 @@ require (
 	github.com/mikefarah/yq/v4 v4.44.6
 	github.com/mitchellh/gox v1.0.1
 	github.com/mitchellh/mapstructure v1.5.0
-	github.com/open-policy-agent/opa v0.70.0
+	github.com/open-policy-agent/opa v1.0.0
 	github.com/pierrre/gotestcover v0.0.0-20160517101806-924dca7d15f0
 	github.com/samber/lo v1.47.0
 	github.com/spf13/viper v1.19.0
@@ -186,8 +186,6 @@ require (
 	go.opentelemetry.io/collector/pdata v1.15.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.33.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.33.0 // indirect
 	golang.org/x/exp v0.0.0-20241215155358-4a5509556b9e // indirect
 	golang.org/x/tools v0.28.0 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
@@ -522,7 +520,7 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/crypto v0.31.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.32.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.28.0 // indirect
 	golang.org/x/term v0.27.0 // indirect
@@ -532,7 +530,7 @@ require (
 	google.golang.org/genproto v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20241209162323-e6fa225c2576 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20241209162323-e6fa225c2576 // indirect
-	google.golang.org/grpc v1.69.0
+	google.golang.org/grpc v1.69.2
 	google.golang.org/protobuf v1.35.2
 	gopkg.in/cheggaaa/pb.v1 v1.0.28 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect

diff --git a/go.sum b/go.sum
@@ -1390,8 +1390,8 @@ github.com/onsi/gomega v1.17.0/go.mod h1:HnhC7FXeEQY45zxNK3PPoIUhzk/80Xly9PcubAl
 github.com/onsi/gomega v1.19.0/go.mod h1:LY+I3pBVzYsTBU1AnDwOSxaYi9WoWiqgwooUqq9yPro=
 github.com/onsi/gomega v1.35.1 h1:Cwbd75ZBPxFSuZ6T+rN/WCb/gOc6YgFBXLlZLhC7Ds4=
 github.com/onsi/gomega v1.35.1/go.mod h1:PvZbdDc8J6XJEpDK4HCuRBm8a6Fzp9/DmhC9C7yFlog=
-github.com/open-policy-agent/opa v0.70.0 h1:B3cqCN2iQAyKxK6+GI+N40uqkin+wzIrM7YA60t9x1U=
-github.com/open-policy-agent/opa v0.70.0/go.mod h1:Y/nm5NY0BX0BqjBriKUiV81sCl8XOjjvqQG7dXrggtI=
+github.com/open-policy-agent/opa v1.0.0 h1:fZsEwxg1knpPvUn0YDJuJZBcbVg4G3zKpWa3+CnYK+I=
+github.com/open-policy-agent/opa v1.0.0/go.mod h1:+JyoH12I0+zqyC1iX7a2tmoQlipwAEGvOhVJMhmy+rM=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -1919,8 +1919,8 @@ golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
-golang.org/x/net v0.32.0 h1:ZqPmj8Kzc+Y6e0+skZsuACbx+wzMgo5MQsJh9Qd6aYI=
-golang.org/x/net v0.32.0/go.mod h1:CwU0IoeOlnQQWJ6ioyFrfRuomB8GKF6KbYXZVyeXNfs=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -2373,8 +2373,8 @@ google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACu
 google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
-google.golang.org/grpc v1.69.0 h1:quSiOM1GJPmPH5XtU+BCoVXcDVJJAzNcoyfC2cCjGkI=
-google.golang.org/grpc v1.69.0/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
+google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
+google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=

diff --git a/internal/evaluator/debug_logger/factory.go b/internal/evaluator/debug_logger/factory.go
@@ -20,8 +20,8 @@ package dlogger
 import (
 	"sync"
 
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/util"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/util"
 )
 
 type Factory struct{}

diff --git a/internal/evaluator/debug_logger/factory_test.go b/internal/evaluator/debug_logger/factory_test.go
@@ -20,8 +20,8 @@ package dlogger
 import (
 	"testing"
 
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/storage/inmem"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/storage/inmem"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )

diff --git a/internal/evaluator/debug_logger/plugin.go b/internal/evaluator/debug_logger/plugin.go
@@ -22,15 +22,14 @@ import (
 	"encoding/json"
 	"sync"
 
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/plugins/logs"
-	"github.com/open-policy-agent/opa/util"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/plugins/logs"
+	"github.com/open-policy-agent/opa/v1/util"
 )
 
 const PluginName = "debug_decision_logs"
 
-type config struct {
-}
+type config struct{}
 
 type plugin struct {
 	manager *plugins.Manager

diff --git a/internal/evaluator/logger.go b/internal/evaluator/logger.go
@@ -19,7 +19,7 @@ package evaluator
 
 import (
 	"github.com/elastic/elastic-agent-libs/logp"
-	"github.com/open-policy-agent/opa/logging"
+	"github.com/open-policy-agent/opa/v1/logging"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 )

diff --git a/internal/evaluator/logger_test.go b/internal/evaluator/logger_test.go
@@ -21,7 +21,7 @@ import (
 	"testing"
 
 	"github.com/elastic/elastic-agent-libs/logp"
-	"github.com/open-policy-agent/opa/logging"
+	"github.com/open-policy-agent/opa/v1/logging"
 	"github.com/stretchr/testify/suite"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"

diff --git a/internal/evaluator/opa.go b/internal/evaluator/opa.go
@@ -25,8 +25,8 @@ import (
 
 	"github.com/elastic/elastic-agent-libs/logp"
 	"github.com/mitchellh/mapstructure"
-	"github.com/open-policy-agent/opa/plugins"
-	"github.com/open-policy-agent/opa/sdk"
+	"github.com/open-policy-agent/opa/v1/plugins"
+	"github.com/open-policy-agent/opa/v1/sdk"
 
 	"github.com/elastic/cloudbeat/internal/config"
 	dlogger "github.com/elastic/cloudbeat/internal/evaluator/debug_logger"
@@ -84,7 +84,6 @@ func NewOpaEvaluator(ctx context.Context, log *logp.Logger, cfg *config.Config)
 			dlogger.PluginName: &dlogger.Factory{},
 		},
 	})
-
 	if err != nil {
 		return nil, fmt.Errorf("fail to init opa: %s", err.Error())
 	}
@@ -123,7 +122,6 @@ func (o *OpaEvaluator) Eval(ctx context.Context, resourceInfo fetching.ResourceI
 		Result:    fetcherResult,
 		Benchmark: o.benchmark,
 	})
-
 	if err != nil {
 		return EventData{}, fmt.Errorf("error running the policy: %v", err)
 	}

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_enabled_mfa as audit
 import future.keywords.if
 
 # Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password.
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_iam_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_10/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.ensure_access_keys_use as audit
 import future.keywords.if
 
 # Do not setup access keys during initial user setup for all IAM users that have a console password.
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_iam_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_11/test.rego
@@ -22,7 +22,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.validate_credentials as audit
 import future.keywords.if
 
 # Ensure credentials unused for 45 days or greater are disabled
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_iam_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_12/test.rego
@@ -29,7 +29,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 
 # Ensure that there is only a single active access key per user.
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_iam_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_13/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/rule.rego
@@ -6,7 +6,7 @@ import data.compliance.policy.aws_iam.verify_keys_rotation as audit
 import future.keywords.if
 
 # Ensure access keys are rotated every 90 days or less
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_iam_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_14/test.rego
@@ -21,7 +21,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) = test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
+rule_input(access_keys, mfa_active, password_enabled, last_access, password_last_changed) := test_data.generate_iam_user(access_keys, mfa_active, password_enabled, last_access, password_last_changed)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 
 # Ensure IAM Users Receive Permissions Only Through Groups
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_iam_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_15/test.rego
@@ -19,7 +19,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(inline_policies, attached_policies) = test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
+rule_input(inline_policies, attached_policies) := test_data.generate_iam_user_with_policies(inline_policies, attached_policies)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/rule.rego
@@ -22,4 +22,4 @@ policy_is_permissive if {
 	statement.Effect == "Allow"
 	"*" in common.ensure_array(statement.Action)
 	"*" in common.ensure_array(statement.Resource)
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_16/test.rego
@@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
 
-generate_input(statements) = {
+generate_input(statements) := {
 	"subType": "aws-policy",
 	"resource": {"document": {"Statement": statements}},
 }

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/rule.rego
@@ -6,7 +6,7 @@ import future.keywords.if
 import future.keywords.in
 
 # Ensure a support role has been created to manage incidents with AWS Support
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_aws_support_access
 
@@ -22,4 +22,4 @@ aws_support_has_attached_roles if {
 	# a sanity test.
 	some role in data_adapter.roles
 	role.RoleId != ""
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_17/test.rego
@@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
 
-generate_input(roles) = {
+generate_input(roles) := {
 	"subType": "aws-policy",
 	"resource": {
 		"Arn": "arn:aws:iam::aws:policy/AWSSupportAccess",

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/rule.rego
@@ -5,9 +5,9 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.every
 import future.keywords.if
 
-default rule_evaluation = false
+default rule_evaluation := false
 
-finding = result if {
+finding := result if {
 	data_adapter.is_server_certificate
 
 	result := common.generate_result_without_expected(

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_19/test.rego
@@ -5,16 +5,16 @@ import data.compliance.lib.common
 import data.lib.test
 import future.keywords.if
 
-generate_certificate_resource(certificates) = {
+generate_certificate_resource(certificates) := {
 	"subType": "aws-iam-server-certificate",
 	"resource": {"certificates": certificates},
 }
 
-generate_expiration(expiration) = {"Expiration": expiration}
+generate_expiration(expiration) := {"Expiration": expiration}
 
-last_year = common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))
+last_year := common.create_date_from_ns(time.add_date(time.now_ns(), -1, 0, 0))
 
-next_year = common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))
+next_year := common.create_date_from_ns(time.add_date(time.now_ns(), 1, 0, 0))
 
 test_violation if {
 	# fails when an expired certificate exists

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/rule.rego
@@ -7,7 +7,7 @@ import future.keywords.if
 import future.keywords.in
 
 # Ensure that IAM Access analyzer is enabled for all regions
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_access_analyzers
 
@@ -24,4 +24,4 @@ analyzer_exists if {
 		analyzer.Region == region
 		analyzer.Status == "ACTIVE"
 	}
-} else = false
+} else := false
diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_20/test.rego
@@ -4,7 +4,7 @@ import data.compliance.cis_aws.data_adapter
 import data.lib.test
 import future.keywords.if
 
-generate_input(analyzers, regions) = {
+generate_input(analyzers, regions) := {
 	"type": "identity-management",
 	"subType": "aws-access-analyzers",
 	"resource": {
@@ -13,7 +13,7 @@ generate_input(analyzers, regions) = {
 	},
 }
 
-analyzer(arn, status, region) = {
+analyzer(arn, status, region) := {
 	"Arn": arn,
 	"CreatedAt": "2023-01-09T15:06:39Z",
 	"Name": "Analyzer",

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/rule.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/rule.rego
@@ -5,7 +5,7 @@ import data.compliance.policy.aws_iam.data_adapter
 import future.keywords.if
 
 # Ensure no 'root' user account access key exists.
-finding = result if {
+finding := result if {
 	# filter
 	data_adapter.is_root_user
 

diff --git a/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/test.rego b/security-policies/bundle/compliance/cis_aws/rules/cis_1_4/test.rego
@@ -20,7 +20,7 @@ test_not_evaluated if {
 	not_eval with input as test_data.not_evaluated_iam_user
 }
 
-rule_input(access_keys, mfa_active, last_access, mfa_devices) = test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
+rule_input(access_keys, mfa_active, last_access, mfa_devices) := test_data.generate_root_user(access_keys, mfa_active, last_access, mfa_devices)
 
 eval_fail if {
 	test.assert_fail(finding) with data.benchmark_data_adapter as data_adapter