np-guard · ShiriMoran · Sep 9, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
diff --git a/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt b/cmd/analyzer/expected_out/acl_testing3_detailed_explain.txt
@@ -15,25 +15,25 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group sg1-ky allows connection with the following allow rules
-			direction: outbound, id: id:152, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
+			id: id:152, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all
 		network ACL acl1-ky allows connection with the following allow and deny rules
-			direction: outbound, name: acl1-out-1, priority: 1, action: deny, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: protocol: icmp
-			direction: outbound, name: acl1-out-3, priority: 3, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all
+			name: acl1-out-1, priority: 1, action: deny, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: protocol: icmp
+			name: acl1-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all
 
 	Ingress:
 		network ACL acl2-ky allows connection with the following allow rules
-			direction: inbound, name: acl2-in-4, priority: 4, action: allow, source: 10.240.10.0/24 , destination: 10.240.20.0/24, conn: all
+			name: acl2-in-4, priority: 4, action: allow, direction: inbound, source: 10.240.10.0/24, destination: 10.240.20.0/24, conn: all
 		security group sg1-ky allows connection with the following allow rules
-			direction: inbound, id: id:154, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
+			id: id:154, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all
 
 TCP response is enabled; The relevant rules are:
 	Egress:
 		network ACL acl2-ky allows connection with the following allow rules
-			direction: outbound, name: acl2-out-3, priority: 3, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all
+			name: acl2-out-3, priority: 3, action: allow, direction: outbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all
 
 	Ingress:
 		network ACL acl1-ky allows connection with the following allow rules
-			direction: inbound, name: acl1-in-2, priority: 2, action: allow, source: 10.240.20.0/24 , destination: 10.240.10.0/24, conn: all
+			name: acl1-in-2, priority: 2, action: allow, direction: inbound, source: 10.240.20.0/24, destination: 10.240.10.0/24, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/from_external_public_subnet_all_vpcs_explain_detail.txt
@@ -17,8 +17,8 @@ Details:
 Path is enabled; The relevant rules are:
 	Ingress:
 		network ACL acl1 allows connection with the following allow and deny rules
-			ruleNumber: 10, direction: inbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 9080-9080
-			ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all
+			ruleNumber: 10, action: allow, direction: inbound, cidr: 147.235.0.0/16, conn: protocol: tcp, dstPorts: 9080-9080
+			ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, conn: all
 		security group GroupId:35 allows connection with the following allow rules
 			Inbound index: 0, direction: inbound, target: 147.0.0.0/8, conns: protocol: tcp, dstPorts: 0-65535
 		security group GroupId:9 has no relevant allow rules
@@ -27,8 +27,8 @@ Path is enabled; The relevant rules are:
 TCP response is partly enabled; The relevant rules are:
 	Egress:
 		network ACL acl1 allows connection with the following allow and deny rules
-			ruleNumber: 10, direction: outbound ,cidr: 147.235.0.0/16, action: allow, conn: protocol: tcp, dstPorts: 1025-5000
-			ruleNumber: 32767, direction: outbound ,cidr: 0.0.0.0/0, action: deny, conn: all
+			ruleNumber: 10, action: allow, direction: outbound, cidr: 147.235.0.0/16, conn: protocol: tcp, dstPorts: 1025-5000
+			ruleNumber: 32767, action: deny, direction: outbound, cidr: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/ip_to_ip_all_vpcs_explain_detail.txt
@@ -17,22 +17,22 @@ Path is enabled; The relevant rules are:
 		security group GroupId:50 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all
 
 	Ingress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all
 		security group GroupId:42 allows connection with the following allow rules
 			Inbound index: 0, direction: inbound, target: 10.240.40.0/24, conns: protocol: all
 
 TCP response is enabled; The relevant rules are:
 	Egress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all
 
 	Ingress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/nacl_blocking_all_vpcs_explain_detail.txt
@@ -21,11 +21,11 @@ Path is disabled; The relevant rules are:
 		security group GroupId:9 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 10.240.0.0/18, conns: protocol: all
 		network ACL acl1 allows connection with the following allow rules
-			ruleNumber: 20, direction: outbound ,cidr: 10.240.32.0/19, action: allow, conn: all
+			ruleNumber: 20, action: allow, direction: outbound, cidr: 10.240.32.0/19, conn: all
 
 	Ingress:
 		network ACL acl1 blocks connection with the following deny rules:
-			ruleNumber: 32767, direction: inbound ,cidr: 0.0.0.0/0, action: deny, conn: all
+			ruleNumber: 32767, action: deny, direction: inbound, cidr: 0.0.0.0/0, conn: all
 		security group GroupId:9 allows connection with the following allow rules
 			Inbound index: 0, direction: inbound, target: 10.240.0.0/18, conns: protocol: all
 

diff --git a/...mples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt b/...mples/out/explain_out/to_external_blocked_only_private_subnet_all_vpcs_explain_detail.txt
@@ -22,7 +22,7 @@ Path is disabled; The relevant rules are:
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
 		security group GroupId:42 has no relevant allow rules
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_private_subnet_all_vpcs_explain_detail.txt
@@ -20,7 +20,7 @@ Path is disabled; The relevant rules are:
 		Egress to public internet is blocked since subnet application is private
 		security group GroupId:42 has no relevant allow rules
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt b/pkg/awsvpc/examples/out/explain_out/to_external_public_subnet_all_vpcs_explain_detail.txt
@@ -19,12 +19,12 @@ Path is enabled; The relevant rules are:
 		security group GroupId:35 allows connection with the following allow rules
 			Outbound index: 0, direction: outbound, target: 0.0.0.0/0, conns: protocol: all
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: outbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: outbound, cidr: 0.0.0.0/0, conn: all
 
 TCP response is enabled; The relevant rules are:
 	Ingress:
 		network ACL NetworkAclId:65 allows connection with the following allow rules
-			ruleNumber: 100, direction: inbound ,cidr: 0.0.0.0/0, action: allow, conn: all
+			ruleNumber: 100, action: allow, direction: inbound, cidr: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/awsvpc/nacl_analysis.go b/pkg/awsvpc/nacl_analysis.go
@@ -99,8 +99,8 @@ func (na *AWSNACLAnalyzer) GetNACLRule(index int) (ruleStr string, ruleRes *comm
 		direction = commonvpc.Inbound
 	}
 	ruleRes = &commonvpc.NACLRule{Src: src, Dst: dst, Connections: conns, Action: action}
-	ruleStr = fmt.Sprintf("ruleNumber: %d, direction: %s ,cidr: %s, action: %s, conn: %s\n",
-		ruleNumber, direction, ip, action, connStr)
+	ruleStr = fmt.Sprintf("ruleNumber: %d, action: %s, direction: %s, cidr: %s, conn: %s\n",
+		ruleNumber, action, direction, ip, connStr)
 	return ruleStr, ruleRes, isIngress, nil
 }
 

diff --git a/pkg/ibmvpc/analysis_output_test.go b/pkg/ibmvpc/analysis_output_test.go
@@ -440,12 +440,13 @@ var tests = []*commonvpc.VpcGeneralTest{
 		Grouping:    true,
 		Format:      vpcmodel.ARCHSVG,
 	},
-	{
-		InputConfig: "iks_workers_large",
-		UseCases:    []vpcmodel.OutputUseCase{vpcmodel.AllEndpoints},
-		Grouping:    true,
-		Format:      vpcmodel.DRAWIO,
-	},
+	// commented until https://github.com/np-guard/vpc-network-config-analyzer/issues/847 is fixed
+	// {
+	//	InputConfig: "iks_workers_large",
+	//	UseCases:    []vpcmodel.OutputUseCase{vpcmodel.AllEndpoints},
+	//	Grouping:    true,
+	//	Format:      vpcmodel.DRAWIO,
+	// },
 	// Grouping test of identical names different resources and thus different UIDs that should not be merged
 	{
 		InputConfig: "sg_testing1_new_dup_subnets_names",

diff --git a/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/GroupingExternalSG1_all_vpcs_explain_detail.txt
@@ -16,9 +16,9 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group sg1-ky allows connection with the following allow rules
-			direction: outbound, id: id:133, remote: 161.26.0.0/16, local: 0.0.0.0/0, conns: protocol: udp,  dstPorts: 1-65535
+			id: id:133, direction: outbound, local: 0.0.0.0/0, remote: 161.26.0.0/16, conns: protocol: udp,  dstPorts: 1-65535
 		network ACL acl1-ky allows connection with the following allow rules
-			direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
@@ -38,7 +38,7 @@ Path is disabled; The relevant rules are:
 	Egress:
 		security group sg1-ky has no relevant allow rules
 		network ACL acl1-ky allows connection with the following allow rules
-			direction: outbound, name: outbound, priority: 1, action: allow, source: 0.0.0.0/0 , destination: 0.0.0.0/0, conn: all
+			name: outbound, priority: 1, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------
 
diff --git a/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt b/pkg/ibmvpc/examples/out/explain_out/IksNodeToIksNode_all_vpcs_explain_detail.txt
@@ -15,32 +15,32 @@ Details:
 Path is enabled; The relevant rules are:
 	Egress:
 		security group kube-clusterid:1 allows connection with the following allow rules
-			direction: outbound, id: id:304, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, conns: protocol: all
+			id: id:304, direction: outbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all
 		security group ky-test-default-sg allows connection with the following allow rules
-			direction: outbound, id: id:318, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
+			id: id:318, direction: outbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all
 		network ACL ky-test-private-2-others-acl allows connection with the following allow rules
-			direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all
+			name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all
 
 	Ingress:
 		network ACL ky-test-private-2-others-acl allows connection with the following allow rules
-			direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all
+			name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all
 		security group kube-clusterid:1 allows connection with the following allow rules
-			direction: inbound, id: id:294, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: tcp,  dstPorts: 30000-32767
-			direction: inbound, id: id:296, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: udp,  dstPorts: 30000-32767
-			direction: inbound, id: id:300, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8
-			direction: inbound, id: id:302, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, conns: protocol: all
+			id: id:294, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: tcp,  dstPorts: 30000-32767
+			id: id:296, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: udp,  dstPorts: 30000-32767
+			id: id:300, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: ICMP icmp-type: 8
+			id: id:302, direction: inbound, local: 0.0.0.0/0, remote: kube-clusterid:1 (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all
 		security group ky-test-default-sg allows connection with the following allow rules
-			direction: inbound, id: id:320, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), local: 0.0.0.0/0, conns: protocol: all
-			direction: inbound, id: id:322, remote: 0.0.0.0/0, local: 0.0.0.0/0, conns: protocol: all
+			id: id:320, direction: inbound, local: 0.0.0.0/0, remote: ky-test-default-sg (192.168.0.4/32,192.168.4.4/32,192.168.8.4/32,192.168.16.4/32,192.168.20.4/32,192.168.24.4/32,192.168.32.4/32,192.168.36.4/32,192.168.40.4/32), conns: protocol: all
+			id: id:322, direction: inbound, local: 0.0.0.0/0, remote: 0.0.0.0/0, conns: protocol: all
 
 TCP response is enabled; The relevant rules are:
 	Egress:
 		network ACL ky-test-private-2-others-acl allows connection with the following allow rules
-			direction: outbound, name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, source: 0.0.0.0/0 , destination: 192.168.0.0/20, conn: all
+			name: allow-traffic-subnet-private-outbound, priority: 3, action: allow, direction: outbound, source: 0.0.0.0/0, destination: 192.168.0.0/20, conn: all
 
 	Ingress:
 		network ACL ky-test-private-2-others-acl allows connection with the following allow rules
-			direction: inbound, name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, source: 192.168.0.0/20 , destination: 0.0.0.0/0, conn: all
+			name: allow-traffic-subnet-private-inbound, priority: 3, action: allow, direction: inbound, source: 192.168.0.0/20, destination: 0.0.0.0/0, conn: all
 
 ------------------------------------------------------------------------------------------------------------------------