fix: update comment to clarify network_rule scope and public_network_access_enabled distinction

Author: cx-antero-silva

assets/queries/terraform/azure/azure_elastic_san_public_access_enabled/query.rego

@@ -3,8 +3,11 @@ package Cx
 import data.generic.common as common_lib
 import data.generic.terraform as tf_lib
 
-# RULE 1: The 'network_rule' block is not defined.
-# In azurerm_elastic_san_volume_group, the absence of the block allows public access.
+# RULE 1: The 'network_rule' block is missing from an azurerm_elastic_san_volume_group.
+# network_rule defines a subnet whitelist; its absence means no subnet-level access
+# restriction is applied to the volume group.
+# Note: public_network_access_enabled is a separate attribute on azurerm_elastic_san
+# (the SAN resource itself) and is not present on azurerm_elastic_san_volume_group.
 CxPolicy[result] {
     doc := input.document[i]
     vg := doc.resource.azurerm_elastic_san_volume_group[name]
@@ -18,7 +21,7 @@ CxPolicy[result] {
         "searchKey": sprintf("azurerm_elastic_san_volume_group[%s]", [name]),
         "searchLine": common_lib.build_search_line(["resource", "azurerm_elastic_san_volume_group", name], []),
         "issueType": "MissingAttribute",
-        "keyExpectedValue": sprintf("'azurerm_elastic_san_volume_group.%s' should have a 'network_rule' block to restrict public access", [name]),
-        "keyActualValue": sprintf("'azurerm_elastic_san_volume_group.%s' is missing the 'network_rule' block", [name]),
+        "keyExpectedValue": sprintf("'azurerm_elastic_san_volume_group.%s' should have a 'network_rule' block to restrict access to approved subnets only", [name]),
+        "keyActualValue": sprintf("'azurerm_elastic_san_volume_group.%s' has no 'network_rule' block; no subnet-level access restriction is applied", [name]),
     }
 }