turbot/aws_compliance

Query: lambda_function_variables_no_sensitive_data

Usage

powerpipe query aws_compliance.query.lambda_function_variables_no_sensitive_data

Steampipe Tables

SQL

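-- Flags Lambda functions whose environment variable names or values look like
-- credentials. Detection is heuristic: a substring match on common secret words
-- plus a password-complexity regex. Expect false positives (e.g. a key such as
-- 'API_KEY_ID' with no secret in it), so treat 'alarm' as "needs review", not as
-- proof that a secret is exposed.
-- Postgres-specific: jsonb_each_text, ilike and the ARE lookahead regex used with ~.
with function_variable_with_sensitive_data as (
  select distinct
    f.arn
  from
    aws_lambda_function as f
    -- one row per environment variable; a function with no variables produces
    -- no rows here and therefore reports 'ok'
    cross join lateral jsonb_each_text(f.environment_variables) as d
  where
    d.key ilike any (array [ '%pass%', '%secret%', '%token%', '%key%' ])
    -- password-like value: lowercase, uppercase, digit and a special character all present
    or d.key ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
    or d.value ilike any (array [ '%pass%', '%secret%', '%token%', '%key%' ])
    or d.value ~ '(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]'
)
select
  f.arn as resource,
  case
    when s.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when s.arn is null then f.title || ' has no sensitive data.'
    else f.title || ' has potential sensitive data.'
  end as reason,
  f.region,
  f.account_id
from
  aws_lambda_function as f
  -- the CTE is distinct on arn, so this join never multiplies function rows
  left join function_variable_with_sensitive_data as s on s.arn = f.arn;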

Controls

This query is used by the following controls: