From a6387443e53c5b1303174d766245efcaed34e80b Mon Sep 17 00:00:00 2001
From: Vladyslav Yevsiukov
Date: Mon, 30 Oct 2023 15:31:36 +0000
Subject: [PATCH 01/18] upd: split permissions into two files
---
...ermissions.json => All-permissions_1.json} | 6 +-----
iam/All-permissions_2.json | 21 +++++++++++++++++++
2 files changed, 22 insertions(+), 5 deletions(-)
rename iam/{All-permissions.json => All-permissions_1.json} (95%)
create mode 100644 iam/All-permissions_2.json
diff --git a/iam/All-permissions.json b/iam/All-permissions_1.json
similarity index 95%
rename from iam/All-permissions.json
rename to iam/All-permissions_1.json
index 4352b768a..29a2c7385 100644
--- a/iam/All-permissions.json
+++ b/iam/All-permissions_1.json
@@ -221,11 +221,7 @@
 "waf-regional:GetWebACL",
 "waf:GetWebACL",
 "waf:ListWebACLs",
- "workspaces:DescribeWorkspaceDirectories",
- "workspaces:DescribeWorkspaceImages",
- "workspaces:DescribeWorkspaces",
- "workspaces:DescribeWorkspacesConnectionStatus",
- "xray:GetEncryptionConfig"
+ "workspaces:DescribeWorkspaceDirectories"
 ],
 "Resource": "*"
 }
diff --git a/iam/All-permissions_2.json b/iam/All-permissions_2.json
new file mode 100644
index 000000000..f868313e1
--- /dev/null
+++ b/iam/All-permissions_2.json
@@ -0,0 +1,21 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "workspaces:DescribeWorkspaceImages",
+ "workspaces:DescribeWorkspaces",
+ "workspaces:DescribeWorkspacesConnectionStatus",
+ "xray:GetEncryptionConfig",
+ "events:ListRules",
+ "events:ListTargetsByRule",
+ "batch:DescribeComputeEnvironments",
+ "kafka:ListClustersV2",
+ "cloudformation:ListStacks",
+ "iam:ListVirtualMFADevices"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
From 001a77ff7d7666c9d1194b3fa504994d5e1d62b6 Mon Sep 17 00:00:00 2001
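Review bot: The new `iam/All-permissions_2.json` is committed without a trailing newline (`\ No newline at end of file` on the hunk's last line), so the next edit to the file will show a spurious change on the closing `}`; add the newline. The patch also gives no reason for splitting the policy — presumably the IAM managed-policy document size limit, but that is an inference — and since JSON cannot carry a comment I would record it in the statement's `Sid`, e.g. `"Sid": "AllPermissionsPart2"`, with the limit noted in a README beside the two files. The actions added here are Describe/List calls, most of which do not support resource-level permissions, so `"Resource": "*"` is expected for this statement rather than a widening of access.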
From: Vladyslav Yevsiukov Date: Tue, 31 Oct 2023 08:41:27 +0000 Subject: [PATCH 02/18] tf-fix: fixed terraform for policies 052, 127, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 304, 305, 306, 307, 362, 394, 425, 444, 446, 447, 448, 508 --- .../red/cloudtrail.tf | 5 + .../green/rds.tf | 4 +- .../red/rds.tf | 4 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/event_bus.tf | 6 +- .../red/event_bus.tf | 4 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/rds.tf | 2 +- .../red/rds.tf | 2 +- .../green/iam.tf | 109 +++++++++++++----- .../green/mwaa.tf | 14 ++- .../red/iam.tf | 93 ++++++++++----- .../red/mwaa.tf | 12 +- ...68-bucket-file.csv => 394-bucket-file.csv} | 0 ...68-bucket-file.csv => 394-bucket-file.csv} | 0 .../green/iam.tf | 93 ++++++++++----- .../green/mwaa.tf | 14 ++- .../red/iam.tf | 93 ++++++++++----- .../red/mwaa.tf | 14 ++- .../green/iam.tf | 93 ++++++++++----- .../green/mwaa.tf | 14 ++- .../red/iam.tf | 93 ++++++++++----- .../red/mwaa.tf | 14 ++- .../green/iam.tf | 93 ++++++++++----- .../green/mwaa.tf | 14 ++- .../red/iam.tf | 93 ++++++++++----- .../red/mwaa.tf | 14 ++- .../green/iam.tf | 93 ++++++++++----- .../green/mwaa.tf | 14 ++- .../red/iam.tf | 93 ++++++++++----- .../red/mwaa.tf | 13 ++- .../green/iam.tf | 93 
++++++++++----- .../green/mwaa.tf | 14 ++- .../red/mwaa.tf | 13 ++- .../green/iam.tf | 93 ++++++++++----- .../green/mwaa.tf | 13 ++- .../red/iam.tf | 93 ++++++++++----- .../red/mwaa.tf | 13 ++- 70 files changed, 992 insertions(+), 518 deletions(-) rename terraform/ecc-aws-394-app_flow_without_tag_information/green/{568-bucket-file.csv => 394-bucket-file.csv} (100%) rename terraform/ecc-aws-394-app_flow_without_tag_information/red/{568-bucket-file.csv => 394-bucket-file.csv} (100%) diff --git a/terraform/ecc-aws-052-cloudtrail_enabled_in_all_regions/red/cloudtrail.tf b/terraform/ecc-aws-052-cloudtrail_enabled_in_all_regions/red/cloudtrail.tf index 3fa586645..87a8f1b18 100644 --- a/terraform/ecc-aws-052-cloudtrail_enabled_in_all_regions/red/cloudtrail.tf +++ b/terraform/ecc-aws-052-cloudtrail_enabled_in_all_regions/red/cloudtrail.tf @@ -1,5 +1,10 @@ data "aws_caller_identity" "this" {} +resource "random_integer" "this" { + min = 1 + max = 10000000 +} + resource "aws_cloudtrail" "this" { name = "cloudtrail-052-red" s3_bucket_name = aws_s3_bucket.this.id diff --git a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/green/rds.tf b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/green/rds.tf index e71f83539..fab13c987 100644 --- a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/green/rds.tf +++ b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/green/rds.tf @@ -1,7 +1,7 @@ resource "aws_rds_cluster" "this" { cluster_identifier = "rds-127-green" engine = "aurora-mysql" - engine_version = "5.7.mysql_aurora.2.03.2" + engine_version = "5.7.mysql_aurora.2.11.4" database_name = "rdsgreen" master_username = "root" master_password = random_password.this.result @@ -13,7 +13,7 @@ resource "aws_rds_cluster" "this" { resource "random_password" "this" { length = 12 special = true - number = true + numeric = true override_special = "!#$%*()-_=+[]{}:?" } 
diff --git a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/red/rds.tf b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/red/rds.tf index c213f0154..62a880043 100644 --- a/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/red/rds.tf +++ b/terraform/ecc-aws-127-rds_cluster_storage_is_encrypted/red/rds.tf @@ -1,7 +1,7 @@ resource "aws_rds_cluster" "this" { cluster_identifier = "rds-127-red" engine = "aurora-mysql" - engine_version = "5.7.mysql_aurora.2.03.2" + engine_version = "5.7.mysql_aurora.2.11.4" database_name = "rdsred" master_username = "root" master_password = random_password.this.result @@ -12,6 +12,6 @@ resource "aws_rds_cluster" "this" { resource "random_password" "this" { length = 12 special = true - number = true + numeric = true override_special = "!#$%*()-_=+[]{}:?" } \ No newline at end of file diff --git a/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/green/rds.tf b/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/green/rds.tf index 3f58d5e59..cec94105e 100644 --- a/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/green/rds.tf +++ b/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-231-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/red/rds.tf b/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/red/rds.tf index aeae051a7..ab7108ab2 100644 --- a/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/red/rds.tf +++ b/terraform/ecc-aws-231-postgresql_log_rotation_age_flag_set_to_60/red/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-231-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/green/rds.tf b/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/green/rds.tf index 8b063dfca..9780abaae 100644 --- a/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/green/rds.tf +++ b/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-232-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/red/rds.tf b/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/red/rds.tf index 97bae09a8..0075320a2 100644 --- a/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/red/rds.tf +++ b/terraform/ecc-aws-232-postgresql_log_rotation_size_flag_set_correctly/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-232-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/green/rds.tf b/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/green/rds.tf index 53c15d4d1..37df3c5f9 100644 --- a/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/green/rds.tf +++ b/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/green/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-233-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/red/rds.tf b/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/red/rds.tf index 821911be7..d5ec31656 100644 --- a/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/red/rds.tf +++ b/terraform/ecc-aws-233-postgresql_debug_print_parse_flag_disabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-233-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/green/rds.tf b/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/green/rds.tf index 7670281d1..bf5b7a5b1 100644 --- a/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/green/rds.tf +++ b/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-234-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/red/rds.tf b/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/red/rds.tf index 8be320a45..f8f587841 100644 --- a/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/red/rds.tf +++ b/terraform/ecc-aws-234-postgresql_debug_print_rewritten_flag_disabled/red/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-234-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/green/rds.tf b/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/green/rds.tf index 2db9b94c9..4fb795baa 100644 --- a/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/green/rds.tf +++ b/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-235-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/red/rds.tf b/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/red/rds.tf index 29d6763b2..3ac8960f1 100644 --- a/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/red/rds.tf +++ b/terraform/ecc-aws-235-postgresql_debug_print_plan_flag_disabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-235-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/green/rds.tf b/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/green/rds.tf index f96df2e78..c2e18881b 100644 --- a/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/green/rds.tf +++ b/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/green/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-236-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/red/rds.tf b/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/red/rds.tf index 95991410c..538fad211 100644 --- a/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/red/rds.tf +++ b/terraform/ecc-aws-236-postgresql_debug_pretty_print_flag_enabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-236-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/green/rds.tf b/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/green/rds.tf index 777ab56ca..74d66fce3 100644 --- a/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/green/rds.tf +++ b/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-237-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/red/rds.tf b/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/red/rds.tf index e95739835..fe340e4b3 100644 --- a/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/red/rds.tf +++ b/terraform/ecc-aws-237-postgresql_log_connections_flag_enabled/red/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-237-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/green/rds.tf b/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/green/rds.tf index 3f55a5755..a08a6b66f 100644 --- a/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/green/rds.tf +++ b/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-238-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/red/rds.tf b/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/red/rds.tf index 996097ebd..0b9101b92 100644 --- a/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/red/rds.tf +++ b/terraform/ecc-aws-238-postgresql_log_disconnections_flag_enabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-238-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/green/rds.tf b/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/green/rds.tf index 33dd7f597..a820c5fa6 100644 --- a/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/green/rds.tf +++ b/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/green/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-239-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/red/rds.tf b/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/red/rds.tf index 8bf061b83..05e246562 100644 --- a/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/red/rds.tf +++ b/terraform/ecc-aws-239-postgresql_log_error_verbosity_flag_set_correctly/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-239-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/green/rds.tf b/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/green/rds.tf index acce9a8af..a61d89b2d 100644 --- a/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/green/rds.tf +++ b/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-240-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/red/rds.tf b/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/red/rds.tf index 371bd381c..7570e0dff 100644 --- a/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/red/rds.tf +++ b/terraform/ecc-aws-240-postgresql_log_hostname_flag_disabled/red/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-240-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/green/rds.tf b/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/green/rds.tf index 6f1526b00..65b854054 100644 --- a/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/green/rds.tf +++ b/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-241-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/red/rds.tf b/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/red/rds.tf index 8956721fb..3e90fc9c2 100644 --- a/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/red/rds.tf +++ b/terraform/ecc-aws-241-postgresql_log_statement_flag_set_correctly/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-241-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/green/rds.tf b/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/green/rds.tf index 4f572534c..d286e271e 100644 --- a/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/green/rds.tf +++ b/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/green/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-242-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/red/rds.tf b/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/red/rds.tf index 8c7f43713..b5e76d3d6 100644 --- a/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/red/rds.tf +++ b/terraform/ecc-aws-242-postgresql_log_destination_flag_set_to_csvlog/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-242-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/green/rds.tf b/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/green/rds.tf index 9fb986901..bfc3fe89a 100644 --- a/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/green/rds.tf +++ b/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-243-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/red/rds.tf b/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/red/rds.tf index 6aa1582ad..fdbd26780 100644 --- a/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/red/rds.tf +++ b/terraform/ecc-aws-243-postgresql_log_checkpoints_flag_enabled/red/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-243-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/green/rds.tf b/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/green/rds.tf index b9c0c443b..3c34cf7b2 100644 --- a/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/green/rds.tf +++ b/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-244-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/red/rds.tf b/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/red/rds.tf index 77a3d720b..d0d3c2e4d 100644 --- a/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/red/rds.tf +++ b/terraform/ecc-aws-244-postgresql_log_lock_waits_flag_enabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-244-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/green/rds.tf b/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/green/rds.tf index 89120c75e..e200a97cc 100644 --- a/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/green/rds.tf +++ b/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/green/rds.tf 
@@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-245-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/red/rds.tf b/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/red/rds.tf index e2ea5a4c7..db327f223 100644 --- a/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/red/rds.tf +++ b/terraform/ecc-aws-245-postgresql_log_duration_flag_enabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-245-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/green/event_bus.tf b/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/green/event_bus.tf index bfb0d0cde..7405cf1cf 100644 --- a/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/green/event_bus.tf +++ b/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/green/event_bus.tf @@ -1,3 +1,5 @@ +data "aws_caller_identity" "current" {} + data "aws_iam_policy_document" "this" { statement { sid = "304_event_bus_policy_green" @@ -6,12 +8,12 @@ data "aws_iam_policy_document" "this" { "events:DescribeEventBus", ] resources = [ - "arn:aws:events:us-east-1:111111111111:event-bus/304_event_bus_green" + "arn:aws:events:us-east-1:${data.aws_caller_identity.current.account_id}:event-bus/304_event_bus_green" ] principals { type = "AWS" - identifiers = ["111111111111"] + identifiers = ["${data.aws_caller_identity.current.account_id}"] } } } diff --git a/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/red/event_bus.tf b/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/red/event_bus.tf index c8313b512..a022d5099 100644 
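Review bot: In the 304 green `event_bus.tf` hunk, `identifiers = ["${data.aws_caller_identity.current.account_id}"]` wraps a single reference in an interpolation-only string, which `terraform validate` flags as deprecated syntax; write it as `identifiers = [data.aws_caller_identity.current.account_id]`. The `resources` entry two lines above is fine as written, because there the account id is interpolated into a longer ARN string. Replacing the placeholder `111111111111` with the caller's account is what makes the green fixture deploy in any account, so only the form of the principal line needs changing.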
--- a/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/red/event_bus.tf +++ b/terraform/ecc-aws-304-event_bus_is_exposed_to_everyone/red/event_bus.tf @@ -1,3 +1,5 @@ +data "aws_caller_identity" "current" {} + data "aws_iam_policy_document" "this" { statement { sid = "304_event_bus_policy_red" @@ -6,7 +8,7 @@ data "aws_iam_policy_document" "this" { "events:DescribeEventBus", ] resources = [ - "arn:aws:events:us-east-1:111111111111:event-bus/304_event_bus_red" + "arn:aws:events:us-east-1:${data.aws_caller_identity.current.account_id}:event-bus/304_event_bus_red" ] principals { diff --git a/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/green/rds.tf b/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/green/rds.tf index e88f3ffe2..93dd2e94a 100644 --- a/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/green/rds.tf +++ b/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-305-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/red/rds.tf b/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/red/rds.tf index e18d3da71..94bfb9143 100644 --- a/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/red/rds.tf +++ b/terraform/ecc-aws-305-postgresql_log_planner_stats_flag_disabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-305-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" 
diff --git a/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/green/rds.tf b/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/green/rds.tf index 773df8640..cdad17a61 100644 --- a/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/green/rds.tf +++ b/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-306-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/red/rds.tf b/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/red/rds.tf index b19c75a07..9c6feb5e6 100644 --- a/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/red/rds.tf +++ b/terraform/ecc-aws-306-postgresql_log_executor_stats_flag_disabled/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-306-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/green/rds.tf b/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/green/rds.tf index f26b167e9..cfde8c499 100644 --- a/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/green/rds.tf +++ b/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/green/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-307-green" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" 
diff --git a/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/red/rds.tf b/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/red/rds.tf index 53b96d28e..ae8063715 100644 --- a/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/red/rds.tf +++ b/terraform/ecc-aws-307-postgresql_log_min_error_statement_flag_set_correctly/red/rds.tf @@ -7,7 +7,7 @@ resource "random_password" "this" { resource "aws_db_instance" "this" { identifier = "database-307-red" engine = "postgres" - engine_version = "13.3" + engine_version = "13.12" instance_class = "db.t3.micro" allocated_storage = 10 storage_type = "gp2" diff --git a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/iam.tf b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/iam.tf index c4d0ab947..dfa34eaee 100644 --- a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/iam.tf +++ b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,83 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_362_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_362_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_362_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + }, + { + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:DescribeKey", + "kms:GenerateDataKey*", + "kms:Encrypt" + ], + "Resource": 
"arn:aws:kms:${var.default-region}:${data.aws_caller_identity.current.account_id}:key/${aws_kms_key.this.key_id}", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "sqs.us-east-1.amazonaws.com", + "s3.us-east-1.amazonaws.com" + ] } - ] + } + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/mwaa.tf b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/mwaa.tf index 7e9522405..555cdc9fd 100644 --- a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/mwaa.tf +++ b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/green/mwaa.tf @@ -1,8 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn @@ -14,8 +10,16 @@ resource "aws_mwaa_environment" "this" { security_group_ids = [aws_security_group.this.id] subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id] } + source_bucket_arn = aws_s3_bucket.this.arn + + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} - source_bucket_arn = aws_s3_bucket.this.arn +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_362_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/iam.tf b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/iam.tf index 9e65b9dcd..9922f9c5f 100644 --- a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/iam.tf +++ b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
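Review bot: The `kms:ViaService` condition at the end of the new KMS statement hard-codes `sqs.us-east-1.amazonaws.com` and `s3.us-east-1.amazonaws.com`, while every other ARN in the same heredoc is built from `${var.default-region}`; deployed with the variable set to any other region, the condition never matches and the execution role silently loses `kms:Decrypt`/`kms:GenerateDataKey*` on the environment's CMK, which is exactly what this green fixture is meant to exercise. The `<<-EOF` heredoc already interpolates, so the two values can follow the same pattern: `"sqs.${var.default-region}.amazonaws.com",` and `"s3.${var.default-region}.amazonaws.com"`. The `aws_iam_role_policy` resource starts before this hunk.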
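Review bot: The new `aws_cloudwatch_log_group "this"` sets neither `retention_in_days` nor `kms_key_id`, so the task log group it pre-creates is retained indefinitely and stays on service-managed encryption even though this green fixture is the CMK-encrypted case and `aws_kms_key.this` is already in scope for the execution-role policy. The same unbounded-retention log group is added in the mwaa.tf hunks at L21, L24, L26, L28, L30, L32, L34 and L36. Suggest a bounded retention in every one of them, for example `retention_in_days = 7`, and here additionally `kms_key_id = aws_kms_key.this.arn`, provided the key policy admits the CloudWatch Logs service principal. Whether MWAA adopts a pre-existing group with its own encryption settings or creates a fresh one is not visible in this hunk, so confirm that before relying on it.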
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_362_red" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_362_red" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_362_red-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/mwaa.tf b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/mwaa.tf index 99d506609..35991cab9 100644 
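Review bot: `"Resource"` changes form within the new policy body: a one-element array `["*"]` for `logs:DescribeLogGroups`, a bare `"*"` for `cloudwatch:PutMetricData`, and a bare string for the SQS statement, which reads as if the two wildcard grants were meant to differ; picking one form, e.g. `"Resource": "*"` for both, removes the question. The same mixed form is repeated verbatim, with only the environment name changed, in the green 362 hunk at L18–L19 and in the iam.tf hunks at L23, L25, L27, L29, L31, L33, L35 and L37. A short comment above `policy = <<-EOF` noting that the body mirrors the documented MWAA execution-role policy, and that the two remaining `"*"` resources are kept because those actions do not, to my knowledge, accept resource-level scoping, would spare the next reader re-deriving why they survived the tightening from `"Action": ["*"]`. The `aws_iam_role_policy` resource starts before this hunk.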
--- a/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/mwaa.tf +++ b/terraform/ecc-aws-362-mwaa_encrypted_with_kms_cmk/red/mwaa.tf @@ -1,8 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn @@ -14,9 +10,17 @@ resource "aws_mwaa_environment" "this" { subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id] } + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] source_bucket_arn = aws_s3_bucket.this.arn } +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_362_red-Task" +} + resource "aws_s3_bucket" "this" { bucket = "362-bucket-${random_integer.this.result}-red" } diff --git a/terraform/ecc-aws-394-app_flow_without_tag_information/green/568-bucket-file.csv b/terraform/ecc-aws-394-app_flow_without_tag_information/green/394-bucket-file.csv similarity index 100% rename from terraform/ecc-aws-394-app_flow_without_tag_information/green/568-bucket-file.csv rename to terraform/ecc-aws-394-app_flow_without_tag_information/green/394-bucket-file.csv diff --git a/terraform/ecc-aws-394-app_flow_without_tag_information/red/568-bucket-file.csv b/terraform/ecc-aws-394-app_flow_without_tag_information/red/394-bucket-file.csv similarity index 100% rename from terraform/ecc-aws-394-app_flow_without_tag_information/red/568-bucket-file.csv rename to terraform/ecc-aws-394-app_flow_without_tag_information/red/394-bucket-file.csv diff --git a/terraform/ecc-aws-425-mwaa_without_tag_information/green/iam.tf b/terraform/ecc-aws-425-mwaa_without_tag_information/green/iam.tf index b9ba40563..2c48107c5 100644 --- a/terraform/ecc-aws-425-mwaa_without_tag_information/green/iam.tf +++ b/terraform/ecc-aws-425-mwaa_without_tag_information/green/iam.tf 
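Review bot: `depends_on` is inserted between the `network_configuration` block and `source_bucket_arn`, whereas the green file of the same policy (L19) and every other mwaa.tf in this commit append it after the last argument; Terraform convention keeps meta-arguments last, so moving the four `depends_on` lines below `source_bucket_arn = aws_s3_bucket.this.arn` would make the red/green pair diff cleanly. None of the `depends_on` additions says why the two NAT-gateway route-table associations must exist before the environment; presumably creation fails without outbound connectivity from the private subnets, and a one-line comment stating that reason above the block would keep a future cleanup from dropping it.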
@@ -11,8 +11,8 @@ resource "aws_iam_role" "this" {
 "Action": "sts:AssumeRole",
 "Principal": {
 "Service": [
- "airflow-env.amazonaws.com",
- "airflow.amazonaws.com"
+ "airflow-env.amazonaws.com",
+ "airflow.amazonaws.com"
 ]
 },
 "Effect": "Allow",
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_425_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_425_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_425_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-425-mwaa_without_tag_information/green/mwaa.tf b/terraform/ecc-aws-425-mwaa_without_tag_information/green/mwaa.tf index 6df077695..c13336519 100644 
--- a/terraform/ecc-aws-425-mwaa_without_tag_information/green/mwaa.tf +++ b/terraform/ecc-aws-425-mwaa_without_tag_information/green/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_425_green" @@ -15,6 +10,15 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_425_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-425-mwaa_without_tag_information/red/iam.tf b/terraform/ecc-aws-425-mwaa_without_tag_information/red/iam.tf index 6cb2f39c1..90594dc87 100644 --- a/terraform/ecc-aws-425-mwaa_without_tag_information/red/iam.tf +++ b/terraform/ecc-aws-425-mwaa_without_tag_information/red/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_425_red" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_425_red" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_425_red-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-425-mwaa_without_tag_information/red/mwaa.tf b/terraform/ecc-aws-425-mwaa_without_tag_information/red/mwaa.tf index 212e08d59..745c10e97 100644 
--- a/terraform/ecc-aws-425-mwaa_without_tag_information/red/mwaa.tf +++ b/terraform/ecc-aws-425-mwaa_without_tag_information/red/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_425_red" @@ -15,6 +10,15 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_425_red-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/iam.tf b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/iam.tf index 2d2e81526..150645cde 100644 --- a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/iam.tf +++ b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_444_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_444_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_444_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - 
diff --git a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf index f2449d168..c9694b4d8 100644 --- a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf +++ b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/green/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_444_green" @@ -22,6 +17,15 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_444_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/iam.tf b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/iam.tf index 73b7e6cc2..77bb13458 100644 --- a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/iam.tf +++ b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_444_red" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_444_red" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_444_red-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - 
diff --git a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf index 8b511ff9a..9bba15c7b 100644 --- a/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf +++ b/terraform/ecc-aws-444-mwaa_dag_processing_logs_set_correctly/red/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_444_red" @@ -15,6 +10,15 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_444_red-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/iam.tf b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/iam.tf index 1436a4aff..32be1a9af 100644 --- a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/iam.tf +++ b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_446_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_446_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_446_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/mwaa.tf index cf7620b0c..7255481b4 100644 
--- a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/mwaa.tf +++ b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/green/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_446_green" @@ -20,8 +15,15 @@ resource "aws_mwaa_environment" "this" { security_group_ids = [aws_security_group.this.id] subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id] } - source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_446_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/iam.tf b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/iam.tf index 951d9a8ce..229b7676e 100644 --- a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/iam.tf +++ b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_446_red" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_446_red" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_446_red-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/mwaa.tf index 795fecbbe..1ada79c8d 100644 
--- a/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/mwaa.tf +++ b/terraform/ecc-aws-446-mwaa_task_logs_set_correctly/red/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_446_red" @@ -13,8 +8,15 @@ resource "aws_mwaa_environment" "this" { security_group_ids = [aws_security_group.this.id] subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id] } - source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_446_red-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/iam.tf b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/iam.tf index cbb512cb5..15e72320b 100644 --- a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/iam.tf +++ b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_447_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_447_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_447_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - 
diff --git a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/mwaa.tf index 536264bfa..15408118f 100644 --- a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/mwaa.tf +++ b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/green/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_447_green" @@ -20,8 +15,15 @@ resource "aws_mwaa_environment" "this" { security_group_ids = [aws_security_group.this.id] subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id] } - source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_447_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/iam.tf b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/iam.tf index 52bb5b4d6..a1fc35506 100644 --- a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/iam.tf +++ b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_447_red" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_447_red" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_447_red-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/mwaa.tf index deef521d1..8b351b53a 100644 
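Review bot: The account wildcard in `"Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*"` is undocumented and will read as an oversight to the next reviewer, although it matches AWS's MWAA execution-role sample (the Celery queues live in an MWAA-owned account); add `# SQS account is '*' on purpose: MWAA's Celery queues are created in an AWS-managed account` above `policy = <<-EOF`. `cloudwatch:PutMetricData` with `"Resource": "*"` is unavoidable but could carry a `cloudwatch:namespace` condition restricted to `AmazonMWAA` if that is the only namespace the environment writes to — confirm first. Narrowing the bucket grant from `"*"` to read-only actions is correct. The enclosing `aws_iam_role_policy` resource starts before the hunk.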
--- a/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/mwaa.tf +++ b/terraform/ecc-aws-447-mwaa_webserver_logs_set_correctly/red/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_447_red" @@ -15,6 +10,14 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_447_red-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/iam.tf b/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/iam.tf index dad2af309..327fa8db4 100644 --- a/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/iam.tf +++ b/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
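Review bot: `aws_cloudwatch_log_group.this` for `airflow-mwaa_447_red-Task` has no `retention_in_days`, so the group never expires, and no `kms_key_id`; for a throwaway compliance fixture a short bounded retention such as `retention_in_days = 7` is enough and avoids leaving task logs behind after the environment is destroyed. The `depends_on` on both NAT route-table associations is presumably there because MWAA environment creation needs outbound connectivity from the private subnets; a one-line comment to that effect would save the next reader a guess. The `aws_mwaa_environment` resource starts before the hunk.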
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_448_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_448_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_448_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - 
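Review bot: `"Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*"` grants access to queues in any account with that name prefix and nothing explains it; it mirrors AWS's MWAA sample policy (the Celery queues are in an MWAA-owned service account), so say so with `# SQS account is '*' on purpose: MWAA's Celery queues are created in an AWS-managed account` next to `policy = <<-EOF`, otherwise someone will "fix" it. `cloudwatch:PutMetricData` must use `"Resource": "*"`, but a `cloudwatch:namespace` condition on `AmazonMWAA` would bound it if no other namespace is used — confirm before adding. Switching the bucket grant from `"*"` to `s3:GetObject*`/`s3:GetBucket*`/`s3:List*` is the right direction. The enclosing `aws_iam_role_policy` resource starts before the hunk.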
diff --git a/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/mwaa.tf b/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/mwaa.tf index 8adbaaa58..997e0c1af 100644 --- a/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/mwaa.tf +++ b/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/green/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_448_green" @@ -20,8 +15,15 @@ resource "aws_mwaa_environment" "this" { security_group_ids = [aws_security_group.this.id] subnet_ids = [aws_subnet.private1.id, aws_subnet.private2.id] } - source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_448_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/red/mwaa.tf b/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/red/mwaa.tf index b4fae8095..aa9d95b28 100644 --- a/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/red/mwaa.tf +++ b/terraform/ecc-aws-448-mwaa_worker_logs_set_correctly/red/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_448_red" @@ -15,6 +10,14 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_448_red-Task" } resource "aws_s3_bucket" "this" { 
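Review bot: The green `aws_cloudwatch_log_group.this` (`airflow-mwaa_448_green-Task`) sets only `name`, leaving retention unbounded and encryption at the service default; add `retention_in_days = 30` and, if the repo uses CMKs for logs, `kms_key_id`. The hunk counts (old 8 / new 15, versus old 6 / new 14 for the red file) show `- source_bucket_arn = aws_s3_bucket.this.arn` is removed in this green variant; `aws_mwaa_environment` requires that attribute, so it must already be set earlier in the resource, outside the hunk — please confirm. The `aws_mwaa_environment` resource starts before the hunk.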
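Review bot: The red `aws_cloudwatch_log_group.this` (`airflow-mwaa_448_red-Task`) has neither `retention_in_days` nor `kms_key_id`, so a test fixture's task logs are kept forever; `retention_in_days = 7` is sufficient here. A short comment on the `depends_on` (presumably MWAA creation needs the NAT routes in place for egress) would make the dependency self-explanatory. The `aws_mwaa_environment` resource starts before the hunk.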
diff --git a/terraform/ecc-aws-508-mwaa_latest_version/green/iam.tf b/terraform/ecc-aws-508-mwaa_latest_version/green/iam.tf index ce500c3a1..72a0b06c4 100644 --- a/terraform/ecc-aws-508-mwaa_latest_version/green/iam.tf +++ b/terraform/ecc-aws-508-mwaa_latest_version/green/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_508_green" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_508_green" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_508_green-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-508-mwaa_latest_version/green/mwaa.tf b/terraform/ecc-aws-508-mwaa_latest_version/green/mwaa.tf index 7d2e3ef39..d6fb27dde 100644 
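Review bot: The SQS grant's account wildcard in `"Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*"` is correct for MWAA (the Celery queues are created in an AWS-managed account, as in AWS's sample execution-role policy) but reads as a mistake without a note; add `# SQS account is '*' on purpose: MWAA's Celery queues live in an AWS-managed account` above `policy = <<-EOF`. `cloudwatch:PutMetricData` on `"*"` could additionally be bounded with a `cloudwatch:namespace` condition (`AmazonMWAA`) if nothing else publishes metrics through this role — confirm before adding. With the policy now hand-written JSON, `policy = jsonencode({...})` would give Terraform-side validation of the document. The enclosing `aws_iam_role_policy` resource starts before the hunk.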
--- a/terraform/ecc-aws-508-mwaa_latest_version/green/mwaa.tf +++ b/terraform/ecc-aws-508-mwaa_latest_version/green/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_508_green" @@ -15,6 +10,14 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_508_green-Task" } resource "aws_s3_bucket" "this" { diff --git a/terraform/ecc-aws-508-mwaa_latest_version/red/iam.tf b/terraform/ecc-aws-508-mwaa_latest_version/red/iam.tf index 575f1458c..dfa362e64 100644 --- a/terraform/ecc-aws-508-mwaa_latest_version/red/iam.tf +++ b/terraform/ecc-aws-508-mwaa_latest_version/red/iam.tf @@ -11,8 +11,8 @@ resource "aws_iam_role" "this" { "Action": "sts:AssumeRole", "Principal": { "Service": [ - "airflow-env.amazonaws.com", - "airflow.amazonaws.com" + "airflow-env.amazonaws.com", + "airflow.amazonaws.com" ] }, "Effect": "Allow", 
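Review bot: `aws_cloudwatch_log_group.this` (`airflow-mwaa_508_green-Task`) sets only `name`; without `retention_in_days` the group is retained indefinitely, and without `kms_key_id` it stays on service-default encryption. For a compliance fixture add `retention_in_days = 7`, and a CMK only if the rest of the repo does so. A one-line comment on `depends_on` stating that MWAA creation needs the NAT routes for egress would help. The `aws_mwaa_environment` resource starts before the hunk.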
@@ -29,34 +29,65 @@ resource "aws_iam_role_policy" "this" { policy = <<-EOF { - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "airflow:PublishMetrics" - ], - "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_508_red" - }, - { - "Effect": "Allow", - "Action": [ - "*" - ], - "Resource": [ - "${aws_s3_bucket.this.arn}", - "${aws_s3_bucket.this.arn}/*" - ] - }, - { - "Effect": "Allow", - "Action": [ - "logs:DescribeLogGroups" - ], - "Resource": ["*"] - } - ] + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "airflow:PublishMetrics" + ], + "Resource": "arn:aws:airflow:${var.default-region}:${data.aws_caller_identity.current.account_id}:environment/mwaa_508_red" + }, + { + "Effect": "Allow", + "Action": [ + "s3:GetObject*", + "s3:GetBucket*", + "s3:List*" + ], + "Resource": [ + "${aws_s3_bucket.this.arn}", + "${aws_s3_bucket.this.arn}/*" + ] + }, + { + "Effect": "Allow", + "Action": "logs:DescribeLogGroups", + "Resource": ["*"] + }, + { + "Effect": "Allow", + "Action": [ + "logs:CreateLogStream", + "logs:CreateLogGroup", + "logs:PutLogEvents", + "logs:GetLogEvents", + "logs:GetLogRecord", + "logs:GetLogGroupFields", + "logs:GetQueryResults" + ], + "Resource": [ + "arn:aws:logs:${var.default-region}:${data.aws_caller_identity.current.account_id}:log-group:airflow-mwaa_508_red-*" + ] + }, + { + "Effect": "Allow", + "Action": "cloudwatch:PutMetricData", + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "sqs:ChangeMessageVisibility", + "sqs:DeleteMessage", + "sqs:GetQueueAttributes", + "sqs:GetQueueUrl", + "sqs:ReceiveMessage", + "sqs:SendMessage" + ], + "Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*" + } + ] } - EOF +EOF } - diff --git a/terraform/ecc-aws-508-mwaa_latest_version/red/mwaa.tf b/terraform/ecc-aws-508-mwaa_latest_version/red/mwaa.tf index 43ca3f2aa..59cfef248 100644 
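Review bot: `"Resource": "arn:aws:sqs:${var.default-region}:*:airflow-celery-*"` uses an account wildcard with no explanation; this is what AWS's MWAA execution-role sample specifies because the Celery queues are in an MWAA-owned account, so document it with `# SQS account is '*' on purpose: MWAA's Celery queues live in an AWS-managed account` beside `policy = <<-EOF` so it survives the next least-privilege review. `cloudwatch:PutMetricData` cannot be resource-scoped, but a `cloudwatch:namespace` condition limited to `AmazonMWAA` would bound it if that is the only namespace in use — confirm first. Dropping the bucket-wide `"*"` for read-only S3 actions is the right change. The enclosing `aws_iam_role_policy` resource starts before the hunk.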
--- a/terraform/ecc-aws-508-mwaa_latest_version/red/mwaa.tf +++ b/terraform/ecc-aws-508-mwaa_latest_version/red/mwaa.tf @@ -1,9 +1,4 @@ resource "aws_mwaa_environment" "this" { - airflow_configuration_options = { - "core.default_task_retries" = 16 - "core.parallelism" = 1 - } - dag_s3_path = "dags/" execution_role_arn = aws_iam_role.this.arn name = "mwaa_508_red" @@ -15,6 +10,14 @@ resource "aws_mwaa_environment" "this" { } source_bucket_arn = aws_s3_bucket.this.arn + depends_on = [ + aws_route_table_association.route_table_nat_gateway1, + aws_route_table_association.route_table_nat_gateway2 + ] +} + +resource "aws_cloudwatch_log_group" "this" { + name = "airflow-mwaa_508_red-Task" } resource "aws_s3_bucket" "this" { From e0902d1b6c8fd02b74313924fa539e4ce29fd701 Mon Sep 17 00:00:00 2001 From: Vladyslav Yevsiukov Date: Wed, 1 Nov 2023 14:20:08 +0000 Subject: [PATCH 03/18] new: added policy ecc-aws-493-ecs_container_insights_enabled --- ...aws-493-ecs_container_insights_enabled.yml | 7 ++-- .../placebo-green/ecs.DescribeClusters_1.json | 37 +++++++++++++++++++ .../placebo-green/ecs.ListClusters_1.json | 9 +++++ .../placebo-red/ecs.DescribeClusters_1.json | 37 +++++++++++++++++++ .../placebo-red/ecs.ListClusters_1.json | 9 +++++ .../red_policy_test.py | 5 +++ 6 files changed, 101 insertions(+), 3 deletions(-) rename {non-compatible-policies => policies}/ecc-aws-493-ecs_container_insights_enabled.yml (77%) create mode 100644 tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.DescribeClusters_1.json create mode 100644 tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.ListClusters_1.json create mode 100644 tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.DescribeClusters_1.json create mode 100644 tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.ListClusters_1.json create mode 100644 tests/ecc-aws-493-ecs_container_insights_enabled/red_policy_test.py 
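Review bot: `aws_cloudwatch_log_group.this` for `airflow-mwaa_508_red-Task` has no `retention_in_days` and no `kms_key_id`, so the group outlives the fixture with unbounded retention; `retention_in_days = 7` is enough for a red/green test resource. The `depends_on` on the two NAT route-table associations is presumably required because MWAA environment creation needs egress from the private subnets; a short comment saying so would make the dependency obvious. The `aws_mwaa_environment` resource starts before the hunk.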
diff --git a/non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml b/policies/ecc-aws-493-ecs_container_insights_enabled.yml similarity index 77% rename from non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml rename to policies/ecc-aws-493-ecs_container_insights_enabled.yml index 2b9eb7e45..e38a83d31 100644 --- a/non-compatible-policies/ecc-aws-493-ecs_container_insights_enabled.yml +++ b/policies/ecc-aws-493-ecs_container_insights_enabled.yml @@ -11,6 +11,7 @@ policies: ECS container insight is disabled resource: aws.ecs filters: - - type: include-settings-ecs - key: containerInsights - value: disabled + - type: value + key: settings[?(name=='containerInsights')].value + op: contains + value: disabled \ No newline at end of file diff --git a/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.DescribeClusters_1.json b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.DescribeClusters_1.json new file mode 100644 index 000000000..747dfae75 --- /dev/null +++ b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.DescribeClusters_1.json @@ -0,0 +1,37 @@ +{ + "status_code": 200, + "data": { + "clusters": [ + { + "clusterArn": "arn:aws:ecs:us-east-1:111111111111:cluster/493_ecs_cluster_green", + "clusterName": "493_ecs_cluster_green", + "status": "ACTIVE", + "registeredContainerInstancesCount": 0, + "runningTasksCount": 0, + "pendingTasksCount": 0, + "activeServicesCount": 0, + "statistics": [], + "tags": [ + { + "key": "CustodianRule", + "value": "ecc-aws-493-ecs_container_insights_enabled" + }, + { + "key": "ComplianceStatus", + "value": "Green" + } + ], + "settings": [ + { + "name": "containerInsights", + "value": "enabled" + } + ], + "capacityProviders": [], + "defaultCapacityProviderStrategy": [] + } + ], + "failures": [], + "ResponseMetadata": {} + } +} \ No newline at end of file 
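Review bot: A cluster whose `settings` list has no `containerInsights` entry is never flagged: the projection `settings[?(name=='containerInsights')].value` yields `[]`, `contains` `disabled` is false, and the cluster is reported compliant even though Container Insights is effectively off unless the account-level default was switched on. Add a second arm treating the missing setting as non-compliant (the account default can be verified separately), and note in the description that the check relies on `DescribeClusters` returning `SETTINGS`, which the recorded fixture shows it does. Proposed filter:
```yaml
  filters:
    - or:
      - type: value
        key: settings[?(name=='containerInsights')].value
        op: contains
        value: disabled
      # no explicit setting: the account default applies, which is disabled unless changed
      - type: value
        key: settings[?(name=='containerInsights')]
        value: empty
```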
diff --git a/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.ListClusters_1.json b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.ListClusters_1.json
new file mode 100644
index 000000000..3f1840ea2
--- /dev/null
+++ b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-green/ecs.ListClusters_1.json
@@ -0,0 +1,9 @@
+{
+ "status_code": 200,
+ "data": {
+ "clusterArns": [
+ "arn:aws:ecs:us-east-1:111111111111:cluster/493_ecs_cluster_green"
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.DescribeClusters_1.json b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.DescribeClusters_1.json
new file mode 100644
index 000000000..13f087b54
--- /dev/null
+++ b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.DescribeClusters_1.json
@@ -0,0 +1,37 @@
+{
+ "status_code": 200,
+ "data": {
+ "clusters": [
+ {
+ "clusterArn": "arn:aws:ecs:us-east-1:111111111111:cluster/493_ecs_cluster_red",
+ "clusterName": "493_ecs_cluster_red",
+ "status": "ACTIVE",
+ "registeredContainerInstancesCount": 0,
+ "runningTasksCount": 0,
+ "pendingTasksCount": 0,
+ "activeServicesCount": 0,
+ "statistics": [],
+ "tags": [
+ {
+ "key": "CustodianRule",
+ "value": "ecc-aws-493-ecs_container_insights_enabled"
+ },
+ {
+ "key": "ComplianceStatus",
+ "value": "Red"
+ }
+ ],
+ "settings": [
+ {
+ "name": "containerInsights",
+ "value": "disabled"
+ }
+ ],
+ "capacityProviders": [],
+ "defaultCapacityProviderStrategy": []
+ }
+ ],
+ "failures": [],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.ListClusters_1.json b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.ListClusters_1.json
new file mode 100644
index 000000000..a514faf1d
--- /dev/null
+++ b/tests/ecc-aws-493-ecs_container_insights_enabled/placebo-red/ecs.ListClusters_1.json
@@ -0,0 +1,9 @@ +{ + "status_code": 200, + "data": { + "clusterArns": [ + "arn:aws:ecs:us-east-1:111111111111:cluster/493_ecs_cluster_red" + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-493-ecs_container_insights_enabled/red_policy_test.py b/tests/ecc-aws-493-ecs_container_insights_enabled/red_policy_test.py new file mode 100644 index 000000000..152ea6a04 --- /dev/null +++ b/tests/ecc-aws-493-ecs_container_insights_enabled/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]['settings'][0]['value'], 'disabled') \ No newline at end of file From 1e356f7ddbe1b5052023392dbfd10d92e57c2666 Mon Sep 17 00:00:00 2001 
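Review bot: `resources[0]['settings'][0]['value']` asserts on whichever setting happens to be first; with the fixture that is `containerInsights`, but ECS can return several settings and their order is not guaranteed, so select by name instead: `base_test.assertEqual([s['value'] for s in resources[0]['settings'] if s['name'] == 'containerInsights'], ['disabled'])`. The file is also missing its trailing newline.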
From: Vladyslav Yevsiukov Date: Thu, 2 Nov 2023 08:42:03 +0000 Subject: [PATCH 04/18] new: added policy ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled --- ...api_and_websocket_api_logs_not_enabled.yml | 20 +++++++++ .../green/provider.tf | 4 +- .../red/provider.tf | 4 +- .../placebo-green/apigateway.GetApis_1.json | 31 +++++++++++++ .../placebo-green/apigateway.GetStages_1.json | 45 +++++++++++++++++++ .../placebo-red/apigateway.GetApis_1.json | 31 +++++++++++++ .../placebo-red/apigateway.GetStages_1.json | 41 +++++++++++++++++ .../red_policy_test.py | 5 +++ 8 files changed, 177 insertions(+), 4 deletions(-) create mode 100644 policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml create mode 100644 tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetApis_1.json create mode 100644 tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetStages_1.json create mode 100644 tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetApis_1.json create mode 100644 tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetStages_1.json create mode 100644 tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red_policy_test.py diff --git a/policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml b/policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml new file mode 100644 index 000000000..47fff52b5 --- /dev/null +++ b/policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml 
@@ -0,0 +1,20 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + +policies: + - name: ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled + comment: '010019022010' + description: | + API Gateway HTTP and WEBSOCKET API does not have logging enabled + resource: aws.apigwv2-stage + filters: + - or: + - type: value + key: AccessLogSettings + value: absent + - type: value + key: DefaultRouteSettings.LoggingLevel + value: "OFF" diff --git a/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/green/provider.tf b/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/green/provider.tf index 6274ffc64..88ac0501c 100644 --- a/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/green/provider.tf +++ b/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/green/provider.tf @@ -12,8 +12,8 @@ provider "aws" { region = var.default-region default_tags { tags = { - CustodiaRule = "ecc-aws-549-api_gateway_http_api_and_websocket_api_logs_set_correctly" + CustodiaRule = "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly" ComplianceStatus = "Green" } } -} \ No newline at end of file +} diff --git a/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red/provider.tf b/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red/provider.tf index 6b7a8de63..e54ace614 100644 --- a/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red/provider.tf +++ b/terraform/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red/provider.tf 
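Review bot: The second arm, `DefaultRouteSettings.LoggingLevel` equal to `"OFF"`, can only match WebSocket stages — the HTTP API stages in the recorded fixtures carry just `DetailedMetricsEnabled` under `DefaultRouteSettings` — and a WebSocket stage at `LoggingLevel: ERROR` is accepted as compliant; neither fact is stated in the file. Add a comment above `- or:` such as `# HTTP API stages only expose access logging; LoggingLevel (execution logging) exists on WebSocket stages and any level other than OFF is accepted`. The `or` also flags a WebSocket stage that has `AccessLogSettings` configured but execution logging OFF, which is stricter than "does not have logging enabled" in the description — confirm that is what rule 010019022010 requires, or change the arms to `and`.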
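Review bot: The default tag key is misspelled `CustodiaRule` (the ECS fixtures earlier in this series use `CustodianRule`), and its value still names `..._api_logs_set_correctly` although the policy this commit adds is `ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled`; only the number was updated. Anything that inventories or cleans up test resources by the `CustodianRule` tag will miss these. Replace the line with `CustodianRule = "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled"`; the recorded placebo fixtures carry the old tag, but the policy does not filter on tags, so they remain valid.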
@@ -12,8 +12,8 @@ provider "aws" { region = var.default-region default_tags { tags = { - CustodiaRule = "ecc-aws-549-api_gateway_http_api_and_websocket_api_logs_set_correctly" + CustodiaRule = "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly" ComplianceStatus = "Red" } } -} \ No newline at end of file +} diff --git a/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetApis_1.json b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetApis_1.json new file mode 100644 index 000000000..20751f094 --- /dev/null +++ b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetApis_1.json @@ -0,0 +1,31 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "Items": [ + { + "ApiEndpoint": "https://q29awq9h6l.execute-api.us-east-1.amazonaws.com", + "ApiId": "q29awq9h6l", + "ApiKeySelectionExpression": "$request.header.x-api-key", + "CreatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 1, + "hour": 14, + "minute": 9, + "second": 13, + "microsecond": 0 + }, + "DisableExecuteApiEndpoint": false, + "Name": "376_http-api_green", + "ProtocolType": "HTTP", + "RouteSelectionExpression": "$request.method $request.path", + "Tags": { + "CustodiaRule": "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly", + "ComplianceStatus": "Green" + } + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetStages_1.json b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetStages_1.json new file mode 100644 index 000000000..4a5ef5242 --- /dev/null +++ b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-green/apigateway.GetStages_1.json 
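Review bot: Same tag problem as the green variant: the key is `CustodiaRule` rather than `CustodianRule`, and the value `ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly` does not match the policy name `ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled` added in this commit. Use `CustodianRule = "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled"` so tag-based inventory of test resources stays consistent with the ECS fixtures.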
@@ -0,0 +1,45 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "Items": [ + { + "AccessLogSettings": { + "DestinationArn": "arn:aws:logs:us-east-1:111111111111:log-group:376_log_group_green1", + "Format": "$context.identity.sourceIp,$context.identity.caller,$context.identity.user,$context.requestTime,$context.httpMethod,$context.resourcePath,$context.protocol,$context.status,$context.responseLength,$context.requestId" + }, + "AutoDeploy": false, + "CreatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 1, + "hour": 14, + "minute": 9, + "second": 14, + "microsecond": 0 + }, + "DefaultRouteSettings": { + "DetailedMetricsEnabled": false + }, + "LastUpdatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 1, + "hour": 14, + "minute": 9, + "second": 15, + "microsecond": 0 + }, + "RouteSettings": {}, + "StageName": "376-stage-green", + "StageVariables": {}, + "Tags": { + "CustodiaRule": "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly", + "ComplianceStatus": "Green" + } + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetApis_1.json b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetApis_1.json new file mode 100644 index 000000000..c9b657988 --- /dev/null +++ b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetApis_1.json 
@@ -0,0 +1,31 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "Items": [ + { + "ApiEndpoint": "https://9sh4r83rii.execute-api.us-east-1.amazonaws.com", + "ApiId": "9sh4r83rii", + "ApiKeySelectionExpression": "$request.header.x-api-key", + "CreatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 1, + "hour": 14, + "minute": 9, + "second": 5, + "microsecond": 0 + }, + "DisableExecuteApiEndpoint": false, + "Name": "376_http-api_red", + "ProtocolType": "HTTP", + "RouteSelectionExpression": "$request.method $request.path", + "Tags": { + "CustodiaRule": "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly", + "ComplianceStatus": "Red" + } + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetStages_1.json b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetStages_1.json new file mode 100644 index 000000000..61795a2b1 --- /dev/null +++ b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/placebo-red/apigateway.GetStages_1.json @@ -0,0 +1,41 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "Items": [ + { + "AutoDeploy": false, + "CreatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 1, + "hour": 14, + "minute": 9, + "second": 6, + "microsecond": 0 + }, + "DefaultRouteSettings": { + "DetailedMetricsEnabled": false + }, + "LastUpdatedDate": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 1, + "hour": 14, + "minute": 9, + "second": 6, + "microsecond": 0 + }, + "RouteSettings": {}, + "StageName": "376-stage-red", + "StageVariables": {}, + "Tags": { + "CustodiaRule": "ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_set_correctly", + "ComplianceStatus": "Red" + } + } + ] + } +} \ No newline at end of file 
diff --git a/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red_policy_test.py b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red_policy_test.py new file mode 100644 index 000000000..04484b03e --- /dev/null +++ b/tests/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertNotIn("accessLogSettings",resources[0]) \ No newline at end of file From b68778d35a2afe2e2d593a4b79351169639d5032 Mon Sep 17 00:00:00 2001 From: Vladyslav Yevsiukov Date: Thu, 2 Nov 2023 11:34:56 +0000 Subject: [PATCH 05/18] skip: deleted rule from non-compatible folder --- ...api_and_websocket_api_logs_not_enabled.yml | 20 ------------------- 1 file changed, 20 deletions(-) delete mode 100644 non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml diff --git a/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml b/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml deleted file mode 100644 index 1b5a09159..000000000 --- a/non-compatible-policies/ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled.yml +++ /dev/null 
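Review bot: `base_test.assertNotIn("accessLogSettings", resources[0])` checks a key that never exists — the API and the recorded fixture spell it `AccessLogSettings` — so the assertion passes vacuously and would not catch a stage that does have access logging; change it to `base_test.assertNotIn("AccessLogSettings", resources[0])`. The policy's second arm (`DefaultRouteSettings.LoggingLevel == OFF`) has no fixture or assertion, so a WebSocket stage recording would be needed to cover it. The file is also missing its trailing newline.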
@@ -1,20 +0,0 @@
-# Copyright (c) 2023 EPAM Systems, Inc.
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, You can obtain one at http://mozilla.org/MPL/2.0/.
-
-policies:
- - name: ecc-aws-376-api_gateway_http_api_and_websocket_api_logs_not_enabled
- comment: '010019022010'
- description: |
- API Gateway HTTP and WEBSOCKET API does not have logging enabled
- resource: aws.api-stage
- filters:
- - or:
- - type: value
- key: AccessLogSettings
- value: absent
- - type: value
- key: DefaultRouteSettings.LoggingLevel
- value: "OFF"
From 0dd95395d6fa21081eb66d2251452979e3ae2717 Mon Sep 17 00:00:00 2001
From: Vladyslav Yevsiukov Date: Mon, 6 Nov 2023 12:58:45 +0000 Subject: [PATCH 06/18] upd: updated a number of policies (see the list in the commit message) 001, 002, 003, 004, 015, 016, 017, 018, 019, 046, 050, 052, 053, 054, 055, 056, 057, 058, 059, 060, 061, 062, 063, 064, 067, 068, 077, 078, 079, 080, 081, 082, 084, 094, 095, 096, 097, 098, 099, 100, 112, 123, 127, 138, 139, 140, 141, 142, 143, 144, 145, 146, 149, 175, 224, 502, 515, 531 --- .../ecc-aws-052-cloudtrail_enabled_in_all_regions.yml | 2 +- .../ecc-aws-054-iam_policies_full_administrative_privileges.yml | 2 +- ...cc-aws-056-iam_user_with_password_and_unused_access_keys.yml | 2 +- ...-aws-058-ensure_support_role_created_to_manage_incidents.yml | 2 +- .../ecc-aws-067-unauthorized_api_calls_alarm_exists.yml | 2 +- ...ws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml | 2 +- .../ecc-aws-077-sign_in_without_mfa_alarm_exist.yml | 2 +- non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml | 2 +- .../ecc-aws-079-iam_policy_changes_alarm_exist.yml | 2 +- ...cc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml | 2 +- .../ecc-aws-081-console_auth_failure_alarm_exists.yml | 2 +- .../ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml | 2 +- .../ecc-aws-084-cloudtrail_bucket_logging_enabled.yml | 2 +- .../ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml | 2 +- ...cc-aws-095-aws_config_configuration_changes_alarm_exists.yml | 2 +- .../ecc-aws-096-security_group_changes_alarm_exists.yml | 2 +- ...ws-097-network_access_control_lists_changes_alarm_exists.yml | 2 +- .../ecc-aws-098-network_gateways_changes_alarm_exists.yml | 2 +- .../ecc-aws-099-route_table_changes_alarm_exists.yml | 2 +- .../ecc-aws-100-vpc_changes_alarm_exists.yml | 2 +- ...cc-aws-143-bucket_object-level_logging_for_write_enabled.yml | 2 +- ...ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml | 2 +- .../ecc-aws-145-organizations_changes_alarm_exists.yml | 2 +- 
...gress_for_everyone_to_remote_server_administration_ports.yml | 2 +- ...e_mfa_is_enabled_for_all_iam_users_with_console_password.yml | 2 +- ...ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml | 2 +- ...cc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml | 2 +- policies/ecc-aws-004-bucket_policy_allows_https_requests.yml | 2 +- .../ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml | 2 +- ...-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml | 2 +- policies/ecc-aws-017-credentials_unused_for_45_days.yml | 2 +- ...ws-018-iam_users_receive_permissions_only_through_groups.yml | 2 +- policies/ecc-aws-019-iam_password_policy_password_reuse.yml | 2 +- .../ecc-aws-046-ensure_no_root_account_access_key_exists.yml | 2 +- policies/ecc-aws-050-iam_password_min_length_ge_14.yml | 2 +- policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml | 2 +- policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml | 2 +- ...nstance_roles_are_used_for_resource_access_from_instance.yml | 2 +- policies/ecc-aws-059-config_enabled_all_regions.yml | 2 +- .../ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml | 2 +- policies/ecc-aws-061-kms_key_rotation_is_enabled.yml | 2 +- .../ecc-aws-062-security_group_ingress_is_restricted_22.yml | 2 +- .../ecc-aws-063-security_group_ingress_is_restricted_3389.yml | 2 +- ...4-default_security_group_every_vpc_restricts_all_traffic.yml | 2 +- .../ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml | 2 +- policies/ecc-aws-123-efs_is_encrypted.yml | 2 +- policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml | 2 +- ...iminate_use_root_user_for_administrative_and_daily_tasks.yml | 2 +- policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml | 2 +- ..._one_active_access_key_available_for_any_single_iam_user.yml | 2 +- ...pired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml | 2 +- ...c-aws-142-s3_buckets_configured_with_block_public_access.yml | 2 +- 
policies/ecc-aws-149-rds_public_access_disabled.yml | 2 +- policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml | 2 +- policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml | 2 +- .../ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml | 2 +- policies/ecc-aws-515-security_hub_enabled.yml | 2 +- policies/ecc-aws-531-ebs_default_encryption_enabled.yml | 2 +- 58 files changed, 58 insertions(+), 58 deletions(-)
diff --git a/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml b/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml
index 452c95184..bd22fe798 100644
--- a/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml
+++ b/non-compatible-policies/ecc-aws-052-cloudtrail_enabled_in_all_regions.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-052-cloudtrail_enabled_in_all_regions
- comment: '010016010301'
+ comment: '010016012501'
 description: |
 CloudTrail is not enabled in all regions
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml b/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml
index 8b1b438d4..f8367536a 100644
--- a/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml
+++ b/non-compatible-policies/ecc-aws-054-iam_policies_full_administrative_privileges.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-054-iam_policies_full_administrative_privileges
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 IAM policies that allow full "*:*" administrative privileges are in use
 resource: iam-policy-all
diff --git a/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml b/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml
index 70bbae997..b147ff6b6 100644
--- a/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml
+++ b/non-compatible-policies/ecc-aws-056-iam_user_with_password_and_unused_access_keys.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-056-iam_user_with_password_and_unused_access_keys
- comment: '010033000301'
+ comment: '010033002501'
 description: |
 Access key was created during initial IAM user setup
 resource: aws.iam-user
diff --git a/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml b/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml
index 6fd8795e7..75913c036 100644
--- a/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml
+++ b/non-compatible-policies/ecc-aws-058-ensure_support_role_created_to_manage_incidents.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-058-ensure_support_role_created_to_manage_incidents
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 Support role has not been created to manage incidents with AWS Support
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml b/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
index b53a21f75..f362a12ef 100644
--- a/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-067-unauthorized_api_calls_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-067-unauthorized_api_calls_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for unauthorized API calls
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml b/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml
index df06f4fd8..663bdb5c6 100644
--- a/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml
+++ b/non-compatible-policies/ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-068-s3_bucket_cloudtrail_logs_not_publicly_accessible
- comment: '010040010300'
+ comment: '010040012500'
 description: |
 S3 bucket used to store CloudTrail logs is publicly accessible
 resource: aws.cloudtrail
diff --git a/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml b/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml
index c6ebf0160..0f5f6086f 100644
--- a/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml
+++ b/non-compatible-policies/ecc-aws-077-sign_in_without_mfa_alarm_exist.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-077-sign_in_without_mfa_alarm_exist
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for Management Console sign-in without MFA
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml b/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml
index ab028c5bf..5608a5113 100644
--- a/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-078-root_usage_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-078-root_usage_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for usage of "root" account
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml b/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml
index 9c5d570a0..431104bb4 100644
--- a/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml
+++ b/non-compatible-policies/ecc-aws-079-iam_policy_changes_alarm_exist.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-079-iam_policy_changes_alarm_exist
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for IAM policy changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml
index 0f0236022..4effa7541 100644
--- a/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-080-cloudtrail_configuration_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-080-cloudtrail_configuration_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for CloudTrail configuration changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml b/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml
index 36d4b7fd7..6f6cdef5f 100644
--- a/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-081-console_auth_failure_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-081-console_auth_failure_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for AWS Management Console authentication failures
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml b/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml
index e814d8cdf..0f6fb25e7 100644
--- a/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-082-cmk_key_disabling_or_deletion_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for disabling or scheduled deletion of customer created CMKs
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml b/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml
index b0effa738..9b85d44c9 100644
--- a/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml
+++ b/non-compatible-policies/ecc-aws-084-cloudtrail_bucket_logging_enabled.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-084-cloudtrail_bucket_logging_enabled
- comment: '010019010300'
+ comment: '010019012500'
 description: |
 S3 bucket access logging is disabled on the CloudTrail S3 bucket
 resource: aws.cloudtrail
diff --git a/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
index 06d8b316f..82b5d33ee 100644
--- a/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-094-s3_bucket_policy_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-094-s3_bucket_policy_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for S3 bucket policy changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml
index 3703fdc91..b125f989b 100644
--- a/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-095-aws_config_configuration_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-095-aws_config_configuration_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for AWS Config configuration changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml
index 14b20dd2f..3a70d9574 100644
--- a/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-096-security_group_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-096-security_group_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for security group changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml
index 11eaf0464..020aa919f 100644
--- a/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-097-network_access_control_lists_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-097-network_access_control_lists_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for changes to Network Access Control Lists (NACL)
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml
index b6a2043e9..3682d8df4 100644
--- a/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-098-network_gateways_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-098-network_gateways_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for changes to network gateways
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml
index 4cbdcab4f..64b14a64c 100644
--- a/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-099-route_table_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-099-route_table_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for route table changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml
index 65fff8eed..ef6c24347 100644
--- a/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-100-vpc_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-100-vpc_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for VPC changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml b/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
index aabdb5c3d..ca2db8301 100644
--- a/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
+++ b/non-compatible-policies/ecc-aws-143-bucket_object-level_logging_for_write_enabled.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-143-bucket_object-level_logging_for_write_enabled
- comment: '010019010300'
+ comment: '010019012500'
 description: |
 Object-level logging for write events is disabled for S3 bucket
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml b/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
index 7576cb1f1..228b020f6 100644
--- a/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
+++ b/non-compatible-policies/ecc-aws-144-bucket_object-level_logging_for_read_enabled.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-144-bucket_object-level_logging_for_read_enabled
- comment: '010019010300'
+ comment: '010019012500'
 description: |
 Object-level logging for read events is disabled for S3 bucket
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml b/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
index 7b23cb005..3c4806f12 100644
--- a/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
+++ b/non-compatible-policies/ecc-aws-145-organizations_changes_alarm_exists.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-145-organizations_changes_alarm_exists
- comment: '010016010300'
+ comment: '010016012500'
 description: |
 Log metric filter and alarm do not exist for AWS Organizations changes
 resource: aws.account
diff --git a/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml b/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml
index 6346e50ce..46d9d545c 100644
--- a/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml
+++ b/non-compatible-policies/ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports.yml
@@ -6,7 +6,7 @@
 
 policies:
 - name: ecc-aws-146-no_acls_allow_ingress_for_everyone_to_remote_server_administration_ports
- comment: '010024020300'
+ comment: '010024022500'
 description: |
 Network ACLs allow ingress from 0.0.0.0/0 to remote server administration ports
 resource: aws.network-acl
diff --git a/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml b/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
index af38766bc..7fbada6ac 100644
--- a/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
+++ b/policies/ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-001-ensure_mfa_is_enabled_for_all_iam_users_with_console_password
- comment: '010036000301'
+ comment: '010036002501'
 description: |
 Multi-factor authentication (MFA) is not enabled for all IAM users that have console password
 resource: aws.iam-user
diff --git a/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml b/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
index eac1692ae..0d0e8fe62 100644
--- a/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
+++ b/policies/ecc-aws-002-ensure_access_keys_are_rotated_every_90_days.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-002-ensure_access_keys_are_rotated_every_90_days
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 Access keys are not rotated every 90 days or less
 resource: aws.iam-user
diff --git a/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml b/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
index 4ebf312a7..019a62a3a 100644
--- a/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
+++ b/policies/ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-003-ensure_vpc_flow_logging_enabled_for_every_vpc
- comment: '010019010300'
+ comment: '010019012500'
 description: |
 VPC flow logging is not enabled in all VPCs
 resource: aws.vpc
diff --git a/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml b/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
index 3415ceb76..8f7cf722c 100644
--- a/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
+++ b/policies/ecc-aws-004-bucket_policy_allows_https_requests.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-004-bucket_policy_allows_https_requests
- comment: '010022040301'
+ comment: '010022042501'
 description: |
 S3 Bucket Policy allows HTTP requests
 resource: aws.s3
diff --git a/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml b/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml
index 6f397b579..527eecc35 100644
--- a/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml
+++ b/policies/ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account
- comment: '010036000301'
+ comment: '010036002501'
 description: |
 Virtual MFA is not enabled for the "root" account
 resource: aws.account
diff --git a/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml b/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml
index f47dd99e1..810744cb3 100644
--- a/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml
+++ b/policies/ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-016-ensure_hardware_mfa_is_enabled_for_root_account
- comment: '010036000301'
+ comment: '010036002501'
 description: |
 Hardware MFA is not enabled for the 'root' account
 resource: account
diff --git a/policies/ecc-aws-017-credentials_unused_for_45_days.yml b/policies/ecc-aws-017-credentials_unused_for_45_days.yml
index 093419552..0948eb57c 100644
--- a/policies/ecc-aws-017-credentials_unused_for_45_days.yml
+++ b/policies/ecc-aws-017-credentials_unused_for_45_days.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-017-credentials_unused_for_45_days
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 Credentials unused for 45 days or more are not disabled
 resource: aws.iam-user
diff --git a/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml b/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml
index 5b5bc94f5..156fac80e 100644
--- a/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml
+++ b/policies/ecc-aws-018-iam_users_receive_permissions_only_through_groups.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-018-iam_users_receive_permissions_only_through_groups
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 IAM Users receive permissions not only through groups
 resource: aws.iam-user
diff --git a/policies/ecc-aws-019-iam_password_policy_password_reuse.yml b/policies/ecc-aws-019-iam_password_policy_password_reuse.yml
index 88c9316bc..387170155 100644
--- a/policies/ecc-aws-019-iam_password_policy_password_reuse.yml
+++ b/policies/ecc-aws-019-iam_password_policy_password_reuse.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-019-iam_password_policy_password_reuse
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 IAM password policy does not prevent password reuse
 resource: aws.account
diff --git a/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml b/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
index a2cfac897..3fd0c5787 100644
--- a/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
+++ b/policies/ecc-aws-046-ensure_no_root_account_access_key_exists.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-046-ensure_no_root_account_access_key_exists
- comment: '010035000301'
+ comment: '010035002501'
 description: |
 Root user account access key exists
 resource: aws.account
diff --git a/policies/ecc-aws-050-iam_password_min_length_ge_14.yml b/policies/ecc-aws-050-iam_password_min_length_ge_14.yml
index 1233b7ace..b33e1eb10 100644
--- a/policies/ecc-aws-050-iam_password_min_length_ge_14.yml
+++ b/policies/ecc-aws-050-iam_password_min_length_ge_14.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-050-iam_password_min_length_ge_14
- comment: '010022000301'
+ comment: '010022002501'
 description: |
 Password policy does not require minimum length of 14 characters or greater
 resource: aws.account
diff --git a/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml b/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
index 3b87e8f87..47b60f2eb 100644
--- a/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
+++ b/policies/ecc-aws-053-cloudtrail_log_validation_enabled.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-053-cloudtrail_log_validation_enabled
- comment: '010019010300'
+ comment: '010019012500'
 description: |
 CloudTrail log file validation is disabled
 resource: aws.cloudtrail
diff --git a/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml b/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
index b4ef6f3e4..573328282 100644
--- a/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
+++ b/policies/ecc-aws-055-cloudtrail_integrated_with_cloudwatch.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-055-cloudtrail_integrated_with_cloudwatch
- comment: '010019010300'
+ comment: '010019012500'
 description: |
 CloudTrail trails are not integrated with CloudWatch Logs
 resource: aws.cloudtrail
diff --git a/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml b/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
index e1d012506..e30183045 100644
--- a/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
+++ b/policies/ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-057-ensure_iam_instance_roles_are_used_for_resource_access_from_instance
- comment: '010048000300'
+ comment: '010048002500'
 description: |
 IAM instance roles are not used for AWS resource access from instances
 resource: aws.ec2
diff --git a/policies/ecc-aws-059-config_enabled_all_regions.yml b/policies/ecc-aws-059-config_enabled_all_regions.yml
index ff7d5c8c2..ee2908862 100644
--- a/policies/ecc-aws-059-config_enabled_all_regions.yml
+++ b/policies/ecc-aws-059-config_enabled_all_regions.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-059-config_enabled_all_regions
- comment: '010016010301'
+ comment: '010016012501'
 description: |
 AWS Config is not enabled in all regions
 resource: account
diff --git a/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml b/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
index 44230ae8c..78f67a5ce 100644
--- a/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
+++ b/policies/ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-060-cloudtrail_logs_encrypted_using_KMS_CMKs
- comment: '010043010300'
+ comment: '010043012500'
 description: |
 CloudTrail logs are not encrypted at rest using KMS CMK
 resource: aws.cloudtrail
diff --git a/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml b/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml
index 152ad2d2c..74ae37109 100644
--- a/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml
+++ b/policies/ecc-aws-061-kms_key_rotation_is_enabled.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-061-kms_key_rotation_is_enabled
- comment: '010029090300'
+ comment: '010029092500'
 description: |
 Rotation for symmetric customer-created CMKs is not enabled
 resource: aws.kms-key
diff --git a/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml b/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml
index f67ade65c..cd84a759d 100644
--- a/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml
+++ b/policies/ecc-aws-062-security_group_ingress_is_restricted_22.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-062-security_group_ingress_is_restricted_22
- comment: '010042020300'
+ comment: '010042022500'
 description: |
 Security groups allow ingress from 0.0.0.0/0 or ::/0 to remote server administration port (22)
 resource: aws.security-group
diff --git a/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml b/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml
index a4974ed20..c11c0f2c4 100644
--- a/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml
+++ b/policies/ecc-aws-063-security_group_ingress_is_restricted_3389.yml
@@ -7,7 +7,7 @@
 
 policies:
 - name: ecc-aws-063-security_group_ingress_is_restricted_3389
- comment: '010042020300'
+ comment: '010042022500'
 description: |
 Security groups allow ingress from 0.0.0.0/0 or ::/0 to remote server administration port (3389)
 resource: aws.security-group
diff --git a/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml b/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml
index 0c487b541..753c727f6 100644
--- a/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml
+++ b/policies/ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic.yml
@@ -7,7 +7,7 @@ policies: - name: ecc-aws-064-default_security_group_every_vpc_restricts_all_traffic - comment: '010042020300' + comment: '010042022500' description: | VPC default security group does not restrict all traffic resource: aws.security-group diff --git a/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml b/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml index 420e53838..1fe985af4 100644 --- a/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml +++ b/policies/ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled - comment: '010047040301' + comment: '010047042501' description: | S3 bucket versioning MFA delete is disabled resource: s3 diff --git a/policies/ecc-aws-123-efs_is_encrypted.yml b/policies/ecc-aws-123-efs_is_encrypted.yml index f02912afe..387c25f65 100644 --- a/policies/ecc-aws-123-efs_is_encrypted.yml +++ b/policies/ecc-aws-123-efs_is_encrypted.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-123-efs_is_encrypted - comment: '010043040300' + comment: '010043042500' description: | Amazon EFS file systems are not encrypted resource: efs diff --git a/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml b/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml index 73ee91ec0..5f4437dcf 100644 --- a/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml +++ b/policies/ecc-aws-127-rds_cluster_storage_is_encrypted.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-127-rds_cluster_storage_is_encrypted - comment: '010043060300' + comment: '010043062500' description: | Unencrypted RDS cluster storage is in use resource: rds-cluster diff --git a/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml b/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml index 127de12e7..b0f151f1e 100644 
--- a/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml +++ b/policies/ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks - comment: '010035000301' + comment: '010035002501' description: | Root user is used for administrative and daily tasks resource: aws.account diff --git a/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml b/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml index be31f90a6..ba821acf9 100644 --- a/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml +++ b/policies/ecc-aws-139-iam_access_analyzer_is_enabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-139-iam_access_analyzer_is_enabled - comment: '010016000300' + comment: '010016002500' description: | IAM Access analyzer is not enabled resource: aws.account diff --git a/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml b/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml index 2fd85ec78..8a5ba1853 100644 --- a/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml +++ b/policies/ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-140-only_one_active_access_key_available_for_any_single_iam_user - comment: '010022000301' + comment: '010022002501' description: | More than one active access key is available for a single IAM user resource: iam-user diff --git a/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml b/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml index 13d22725d..013c9982a 100644 --- a/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml +++ b/policies/ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed.yml 
@@ -7,7 +7,7 @@ policies: - name: ecc-aws-141-expired_ssl_tls_certificates_stored_in_aws_iam_are_removed - comment: '010029100301' + comment: '010029102501' description: | Expired SSL/TLS certificates stored in IAM are not removed resource: iam-certificate diff --git a/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml b/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml index 5c2611f53..aeb585a1d 100644 --- a/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml +++ b/policies/ecc-aws-142-s3_buckets_configured_with_block_public_access.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-142-s3_buckets_configured_with_block_public_access - comment: '010040040301' + comment: '010040042501' description: | S3 Buckets are not configured with 'Block public access' bucket settings resource: aws.s3 diff --git a/policies/ecc-aws-149-rds_public_access_disabled.yml b/policies/ecc-aws-149-rds_public_access_disabled.yml index 0599930c9..7c70e805b 100644 --- a/policies/ecc-aws-149-rds_public_access_disabled.yml +++ b/policies/ecc-aws-149-rds_public_access_disabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-149-rds_public_access_disabled - comment: '010040060300' + comment: '010040062500' description: | RDS instance is publicly accessible resource: rds diff --git a/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml b/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml index 14244950e..8ce6638e7 100644 --- a/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml +++ b/policies/ecc-aws-175-rds_instances_storage_is_encrypted.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-175-rds_instances_storage_is_encrypted - comment: '010043060300' + comment: '010043062500' description: | RDS instances storage not encrypted resource: rds diff --git a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml index be203988b..10de0ee70 100644 
--- a/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml +++ b/policies/ecc-aws-224-ec2_instance_imdsv2_enabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-224-ec2_instance_imdsv2_enabled - comment: '010024030400' + comment: '010024032500' description: | EC2 instances do not use IMDSv2 resource: aws.ec2 diff --git a/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml b/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml index 29a6f6234..63673c6bb 100644 --- a/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml +++ b/policies/ecc-aws-502-rds_automatic_minor_version_upgrade_enabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-502-rds_automatic_minor_version_upgrade_enabled - comment: '010021060300' + comment: '010021062500' description: | AUtomatic minor version upgrade is not configured for RDS DB instances resource: aws.rds diff --git a/policies/ecc-aws-515-security_hub_enabled.yml b/policies/ecc-aws-515-security_hub_enabled.yml index 67d151928..dd1f2ef2b 100644 --- a/policies/ecc-aws-515-security_hub_enabled.yml +++ b/policies/ecc-aws-515-security_hub_enabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-515-security_hub_enabled - comment: '010016090300' + comment: '010016092500' description: | Security Hub is not enabled resource: aws.account diff --git a/policies/ecc-aws-531-ebs_default_encryption_enabled.yml b/policies/ecc-aws-531-ebs_default_encryption_enabled.yml index 9e9afba3f..48d001580 100644 --- a/policies/ecc-aws-531-ebs_default_encryption_enabled.yml +++ b/policies/ecc-aws-531-ebs_default_encryption_enabled.yml @@ -7,7 +7,7 @@ policies: - name: ecc-aws-531-ebs_default_encryption_enabled - comment: '010043040300' + comment: '010043042500' description: | EBS volume default encryption disabled resource: aws.account From a68480dbb280f24dabf73df19a2dfb73ae1e59cd Mon Sep 17 00:00:00 2001 
From: Vladyslav Yevsiukov
Date: Tue, 7 Nov 2023 12:31:19 +0000
Subject: [PATCH 07/18] new: added policy ecc-aws-872-access_to_cloudshell_restricted
---
...ws-872-access_to_cloudshell_restricted.yml | 16 +++++++++
.../green/iam.tf | 16 +++++++++
.../green/provider.tf | 20 +++++++++++
.../green/terraform.tfvars | 2 ++
.../green/variables.tf | 9 +++++
.../iam/872-policy.json | 14 ++++++++
.../red/iam.tf | 25 +++++++++++++
.../red/provider.tf | 20 +++++++++++
.../red/terraform.tfvars | 2 ++
.../red/variables.tf | 9 +++++
.../placebo-green/iam.GetRole_1.json | 35 +++++++++++++++++++
.../iam.ListAttachedRolePolicies_1.json | 8 +++++
.../placebo-green/iam.ListRoles_1.json | 26 ++++++++++++++
.../placebo-red/iam.GetRole_1.json | 35 +++++++++++++++++++
.../iam.ListAttachedRolePolicies_1.json | 13 +++++++
.../placebo-red/iam.ListRoles_1.json | 26 ++++++++++++++
.../red_policy_test.py | 5 +++
17 files changed, 281 insertions(+)
create mode 100644 policies/ecc-aws-872-access_to_cloudshell_restricted.yml
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/green/iam.tf
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/green/provider.tf
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/green/terraform.tfvars
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/green/variables.tf
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/iam/872-policy.json
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/red/iam.tf
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/red/provider.tf
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/red/terraform.tfvars
create mode 100644 terraform/ecc-aws-872-access_to_cloudshell_restricted/red/variables.tf
create mode 100644 tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.GetRole_1.json
create mode 100644
tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListAttachedRolePolicies_1.json
create mode 100644 tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListRoles_1.json
create mode 100644 tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.GetRole_1.json
create mode 100644 tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListAttachedRolePolicies_1.json
create mode 100644 tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListRoles_1.json
create mode 100644 tests/ecc-aws-872-access_to_cloudshell_restricted/red_policy_test.py
diff --git a/policies/ecc-aws-872-access_to_cloudshell_restricted.yml b/policies/ecc-aws-872-access_to_cloudshell_restricted.yml
new file mode 100644
index 000000000..ead6b3a09
--- /dev/null
+++ b/policies/ecc-aws-872-access_to_cloudshell_restricted.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-872-access_to_cloudshell_restricted
+ comment: '010022002501'
+ description: |
+ Access to cloudshell not restricted
+ resource: iam-role
+ filters:
+ - type: has-specific-managed-policy
+ value: AWSCloudShellFullAccess
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/iam.tf b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/iam.tf
new file mode 100644
index 000000000..19929233e
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/iam.tf
@@ -0,0 +1,16 @@
+resource "aws_iam_role" "this" {
+ name = "872_role_green"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
\ No newline at end of file
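Review bot: `resource: iam-role` scopes this check to roles only, so an IAM user or group with AWSCloudShellFullAccess attached goes unreported; the CIS control this mirrors, as I recall it, covers users, groups and roles alike. If roles-only is intended, the `description` should say so; otherwise sibling `iam-user` and `iam-group` policies are needed, and the fixtures in this patch record only the role case. The `has-specific-managed-policy` filter is also matched by policy name (`value: AWSCloudShellFullAccess`), so an inline policy or a customer-managed policy granting the same `cloudshell:*` actions is not detected; a comment such as `# Detects only the AWS-managed policy attached to roles; inline or customer-managed grants are out of scope` would document the limitation.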
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/provider.tf b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/provider.tf
new file mode 100644
index 000000000..ca3c74094
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-872-access_to_cloudshell_restricted"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/terraform.tfvars b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/variables.tf b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/iam/872-policy.json b/terraform/ecc-aws-872-access_to_cloudshell_restricted/iam/872-policy.json
new file mode 100644
index 000000000..7a12342af
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/iam/872-policy.json
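Review bot: `provider "aws"{` in the green provider.tf lacks the space before the brace that `terraform fmt` enforces, and the file ends without a trailing newline; the red provider.tf later in this patch has the same two issues, while the 549 provider files in the next patch already write `provider "aws" {`. Running `terraform fmt` over the new directories would make the formatting consistent across the series.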
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListRoles",
+ "iam:GetRole",
+ "iam:GetPolicy"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/iam.tf b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/iam.tf
new file mode 100644
index 000000000..e49a819a5
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/iam.tf
@@ -0,0 +1,25 @@
+data "aws_iam_policy" "this" {
+ arn = "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"
+}
+
+resource "aws_iam_role" "this" {
+ name = "872_role_red"
+
+ assume_role_policy = jsonencode({
+ Version = "2012-10-17",
+ Statement = [
+ {
+ Action = "sts:AssumeRole",
+ Effect = "Allow",
+ Principal = {
+ Service = "ec2.amazonaws.com"
+ }
+ }
+ ]
+ })
+}
+
+resource "aws_iam_role_policy_attachment" "this" {
+ role = "${aws_iam_role.this.name}"
+ policy_arn = "${data.aws_iam_policy.this.arn}"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/provider.tf b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/provider.tf
new file mode 100644
index 000000000..3aa6c473e
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-872-access_to_cloudshell_restricted"
+ ComplianceStatus = "Red"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/terraform.tfvars b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/terraform.tfvars
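Review bot: The `Action` list grants `iam:ListRoles`, `iam:GetRole` and `iam:GetPolicy`, but the placebo recordings added in this same patch (placebo-green and placebo-red `iam.ListAttachedRolePolicies_1.json`) show the `has-specific-managed-policy` filter calling ListAttachedRolePolicies, which this policy does not allow; run under this least-privilege policy the rule would fail with an access-denied error. No `iam.GetPolicy` recording exists in the fixtures, so that grant looks unused, though a code path not hit by the recorded run cannot be ruled out from here. Replacing the last entry so the list reads `"iam:ListRoles",` / `"iam:GetRole",` / `"iam:ListAttachedRolePolicies"` matches the recorded calls.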
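Review bot: The `aws_iam_role_policy_attachment` block uses 0.11-style interpolation, `role = "${aws_iam_role.this.name}"` and `policy_arn = "${data.aws_iam_policy.this.arn}"`, while the same file already relies on 0.12+ syntax (`jsonencode`, bare `var.` references in provider.tf); a current `terraform fmt` rewrites these to `role = aws_iam_role.this.name` and `policy_arn = data.aws_iam_policy.this.arn`. The role's trust policy lets `ec2.amazonaws.com` assume a role carrying AWSCloudShellFullAccess, which is the point of a red fixture, but a one-line comment such as `# Intentionally non-compliant: attaches the AWS-managed AWSCloudShellFullAccess policy` would stop a later reader from "fixing" it.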
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/variables.tf b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-872-access_to_cloudshell_restricted/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.GetRole_1.json b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.GetRole_1.json
new file mode 100644
index 000000000..54e55f57a
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.GetRole_1.json
@@ -0,0 +1,35 @@
+{
+ "status_code": 200,
+ "data": {
+ "Role": {
+ "Path": "/",
+ "RoleName": "872_role_green",
+ "RoleId": "AROAXPHGII4AJMVITBGJJ",
+ "Arn": "arn:aws:iam::111111111111:role/872_role_green",
+ "CreateDate": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 7,
+ "hour": 10,
+ "minute": 19,
+ "second": 7,
+ "microsecond": 0
+ },
+ "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22ec2.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+ "MaxSessionDuration": 3600,
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-872-access_to_cloudshell_restricted"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Green"
+ }
+ ],
+ "RoleLastUsed": {}
+ },
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListAttachedRolePolicies_1.json b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListAttachedRolePolicies_1.json
new file mode 100644
index 000000000..98435d62d
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListAttachedRolePolicies_1.json
@@ -0,0 +1,8 @@
+{
+ "status_code": 200,
+ "data": {
+ "AttachedPolicies": [],
+ "IsTruncated": false,
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListRoles_1.json b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListRoles_1.json
new file mode 100644
index 000000000..c2261992e
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-green/iam.ListRoles_1.json
@@ -0,0 +1,26 @@
+{
+ "status_code": 200,
+ "data": {
+ "Roles": [
+ {
+ "Path": "/",
+ "RoleName": "872_role_green",
+ "RoleId": "AROAXPHGII4AJMVITBGJJ",
+ "Arn": "arn:aws:iam::111111111111:role/872_role_green",
+ "CreateDate": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 7,
+ "hour": 10,
+ "minute": 19,
+ "second": 7,
+ "microsecond": 0
+ },
+ "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22ec2.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+ "MaxSessionDuration": 3600
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.GetRole_1.json b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.GetRole_1.json
new file mode 100644
index 000000000..1562aa493
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.GetRole_1.json
@@ -0,0 +1,35 @@
+{
+ "status_code": 200,
+ "data": {
+ "Role": {
+ "Path": "/",
+ "RoleName": "872_role_red",
+ "RoleId": "AROAXPHGII4AAF6WY5HYF",
+ "Arn": "arn:aws:iam::111111111111:role/872_role_red",
+ "CreateDate": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 7,
+ "hour": 10,
+ "minute": 20,
+ "second": 9,
+ "microsecond": 0
+ },
+ "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22ec2.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+ "MaxSessionDuration": 3600,
+ "Tags": [
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ },
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-872-access_to_cloudshell_restricted"
+ }
+ ],
+ "RoleLastUsed": {}
+ },
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListAttachedRolePolicies_1.json b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListAttachedRolePolicies_1.json
new file mode 100644
index 000000000..76cbde9cd
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListAttachedRolePolicies_1.json
@@ -0,0 +1,13 @@
+{
+ "status_code": 200,
+ "data": {
+ "AttachedPolicies": [
+ {
+ "PolicyName": "AWSCloudShellFullAccess",
+ "PolicyArn": "arn:aws:iam::aws:policy/AWSCloudShellFullAccess"
+ }
+ ],
+ "IsTruncated": false,
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListRoles_1.json b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListRoles_1.json
new file mode 100644
index 000000000..8bc8d298a
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/placebo-red/iam.ListRoles_1.json
@@ -0,0 +1,26 @@
+{
+ "status_code": 200,
+ "data": {
+ "Roles": [
+ {
+ "Path": "/",
+ "RoleName": "872_role_red",
+ "RoleId": "AROAXPHGII4AAF6WY5HYF",
+ "Arn": "arn:aws:iam::111111111111:role/872_role_red",
+ "CreateDate": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 7,
+ "hour": 10,
+ "minute": 20,
+ "second": 9,
+ "microsecond": 0
+ },
+ "AssumeRolePolicyDocument": "%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22ec2.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D",
+ "MaxSessionDuration": 3600
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-872-access_to_cloudshell_restricted/red_policy_test.py b/tests/ecc-aws-872-access_to_cloudshell_restricted/red_policy_test.py
new file mode 100644
index 000000000..d5dca2a04
--- /dev/null
+++ b/tests/ecc-aws-872-access_to_cloudshell_restricted/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(resources[0]['c7n:MatchedPolicies'][0]['PolicyName'], 'AWSCloudShellFullAccess')
\ No newline at end of file
From f96d13e8320c0713a34861b9dd6a27a7fb726a0f Mon Sep 17 00:00:00 2001
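Review bot: `test_resources` pins only the result count and the matched policy name, so it does not confirm which principal was reported; adding `base_test.assertEqual(resources[0]['RoleName'], '872_role_red')` ties the finding to the role recorded in placebo-red/iam.ListRoles_1.json and would catch a filter change that matches the right policy on the wrong resource. The file also ends without a trailing newline, unlike the other test modules this patch's diffstat lists; the `(object)` base is redundant on Python 3 if the rest of the test suite has dropped it, which cannot be seen from this patch.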
From: Vladyslav Yevsiukov
Date: Tue, 14 Nov 2023 14:16:15 +0000
Subject: [PATCH 08/18] new: added policy ecc-aws-549-ec2_instance_previous_generation
---
...s-549-ec2_instance_previous_generation.yml | 18 ++
.../green/ec2.tf | 25 +++
.../green/provider.tf | 19 ++
.../green/terraform.tfvars | 2 +
.../green/variables.tf | 9 +
.../iam/549-policy.json | 13 ++
.../red/ec2.tf | 25 +++
.../red/provider.tf | 19 ++
.../red/terraform.tfvars | 2 +
.../red/variables.tf | 9 +
.../ec2.DescribeInstances_1.json | 198 ++++++++++++++++++
.../placebo-red/ec2.DescribeInstances_1.json | 198 ++++++++++++++++++
.../red_policy_test.py | 5 +
13 files changed, 542 insertions(+)
create mode 100755 policies/ecc-aws-549-ec2_instance_previous_generation.yml
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/green/ec2.tf
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/green/provider.tf
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/green/terraform.tfvars
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/green/variables.tf
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/iam/549-policy.json
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/red/ec2.tf
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/red/provider.tf
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/red/terraform.tfvars
create mode 100644 terraform/ecc-aws-549-ec2_instance_previous_generation/red/variables.tf
create mode 100644 tests/ecc-aws-549-ec2_instance_previous_generation/placebo-green/ec2.DescribeInstances_1.json
create mode 100644 tests/ecc-aws-549-ec2_instance_previous_generation/placebo-red/ec2.DescribeInstances_1.json
create mode 100644 tests/ecc-aws-549-ec2_instance_previous_generation/red_policy_test.py
diff --git a/policies/ecc-aws-549-ec2_instance_previous_generation.yml b/policies/ecc-aws-549-ec2_instance_previous_generation.yml
new file mode 100755
index 000000000..60eadec56
--- /dev/null
+++ b/policies/ecc-aws-549-ec2_instance_previous_generation.yml
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-549-ec2_instance_previous_generation
+ comment: '010006032000'
+ description: |
+ EC2 instance is not using last generation classes
+ resource: ec2
+ filters:
+ - type: value
+ key: InstanceType
+ op: regex
+ value: '(m1|m2|m3|t1|c1|c3|i2|cr1|r3|hs1|g2|a1).[^\s]+'
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/green/ec2.tf b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/ec2.tf
new file mode 100644
index 000000000..989d6cc75
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/ec2.tf
@@ -0,0 +1,25 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t2.micro"
+
+ metadata_options {
+ http_endpoint = "enabled"
+ http_tokens = "required"
+ }
+
+ tags = {
+ Name = "549_instance_green"
+ CustodianRule = "ecc-aws-549-ec2_instance_previous_generation"
+ ComplianceStatus = "Green"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/green/provider.tf b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/provider.tf
new file mode 100644
index 000000000..3a8452fd5
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/provider.tf
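Review bot: The `value:` regex on the last line of the policy uses an unescaped `.` between the family prefix and the size, so it accepts any character in that position, and it carries no `^` anchor; writing it as `'^(m1|m2|m3|t1|c1|c3|i2|cr1|r3|hs1|g2|a1)\.[^\s]+'` makes the intent explicit regardless of how the `regex` op anchors. The family list is a hard-coded snapshot of AWS's previous-generation table and will go stale silently as families are retired or reclassified, so a comment naming the source and date, e.g. `# Previous-generation families per the AWS EC2 previous-generation instances page, as of Nov 2023`, would help the next maintainer. The `description` says "not using last generation classes" while the filter actually flags previous-generation families; "EC2 instance uses a previous-generation instance type" states what is detected.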
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-549-ec2_instance_previous_generation"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/green/terraform.tfvars b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/green/variables.tf b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/variables.tf
new file mode 100644
index 000000000..09e482677
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/iam/549-policy.json b/terraform/ecc-aws-549-ec2_instance_previous_generation/iam/549-policy.json
new file mode 100644
index 000000000..fa52ff5c3
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/iam/549-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/red/ec2.tf b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/ec2.tf
new file mode 100644
index 000000000..e82c08654
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/ec2.tf
@@ -0,0 +1,25 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t1.micro"
+
+ metadata_options {
+ http_tokens = "optional"
+ http_endpoint = "enabled"
+ }
+
+ tags = {
+ Name = "549_instance_red"
+ CustodianRule = "ecc-aws-549-ec2_instance_previous_generation"
+ ComplianceStatus = "Red"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/red/provider.tf b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/provider.tf
new file mode 100644
index 000000000..b7b3186a5
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/provider.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-549-ec2_instance_previous_generation"
+ ComplianceStatus = "Red"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/red/terraform.tfvars b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-549-ec2_instance_previous_generation/red/variables.tf b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/variables.tf
new file mode 100644
index 000000000..09e482677
--- /dev/null
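Review bot: `http_tokens = "optional"` in the red `metadata_options` block makes the red instance differ from the green one in two respects, instance type and IMDSv2 enforcement, although this rule only inspects `InstanceType`; the same instance would also be reported by ecc-aws-224 (touched earlier in this series), which blurs what the red fixture demonstrates. Setting `http_tokens = "required"` here, as the green ec2.tf does, leaves `instance_type = "t1.micro"` as the sole non-compliant difference. The two `metadata_options` attributes are also in the opposite order from the green file; `terraform fmt` does not reorder attributes, so matching the green order by hand keeps the pair easy to diff.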
+++ b/terraform/ecc-aws-549-ec2_instance_previous_generation/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-549-ec2_instance_previous_generation/placebo-green/ec2.DescribeInstances_1.json b/tests/ecc-aws-549-ec2_instance_previous_generation/placebo-green/ec2.DescribeInstances_1.json
new file mode 100644
index 000000000..73385f5c1
--- /dev/null
+++ b/tests/ecc-aws-549-ec2_instance_previous_generation/placebo-green/ec2.DescribeInstances_1.json
@@ -0,0 +1,198 @@ +{ + "status_code": 200, + "data": { + "Reservations": [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-076c7acfc9e8ee57d", + "InstanceId": "i-0cb62c7ea005a1987", + "InstanceType": "t2.micro", + "LaunchTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 9, + "second": 27, + "microsecond": 0 + }, + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1a", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-44-187.ec2.internal", + "PrivateIpAddress": "172.31.44.187", + "ProductCodes": [], + "PublicDnsName": "ec2-54-89-149-190.compute-1.amazonaws.com", + "PublicIpAddress": "54.89.149.190", + "State": { + "Code": 16, + "Name": "running" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-8158d8de", + "VpcId": "vpc-ad9744d0", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 9, + "second": 28, + "microsecond": 0 + }, + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-0c2031db593718d1a" + } + } + ], + "ClientToken": "terraform-20231113120924881300000001", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-54-89-149-190.compute-1.amazonaws.com", + "PublicIp": "54.89.149.190" + }, + "Attachment": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 9, + "second": 27, + "microsecond": 0 + }, + "AttachmentId": "eni-attach-0328c631930205803", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + 
], + "Ipv6Addresses": [], + "MacAddress": "0e:52:a7:c0:47:c3", + "NetworkInterfaceId": "eni-0c1412ded927be043", + "OwnerId": "111111111111", + "PrivateDnsName": "ip-172-31-44-187.ec2.internal", + "PrivateIpAddress": "172.31.44.187", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-54-89-149-190.compute-1.amazonaws.com", + "PublicIp": "54.89.149.190" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-44-187.ec2.internal", + "PrivateIpAddress": "172.31.44.187" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-8158d8de", + "VpcId": "vpc-ad9744d0", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + ], + "SourceDestCheck": true, + "Tags": [ + { + "Key": "Name", + "Value": "549_instance_green" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-549-ec2_instance_previous_generation" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "required", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "InstanceMetadataTags": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 9, + "second": 27, + "microsecond": 0 + }, + "PrivateDnsNameOptions": { + "HostnameType": "ip-name", + "EnableResourceNameDnsARecord": false, + "EnableResourceNameDnsAAAARecord": false + }, + "MaintenanceOptions": { + "AutoRecovery": 
"default" + }, + "CurrentInstanceBootMode": "legacy-bios" + } + ], + "OwnerId": "111111111111", + "ReservationId": "r-064fbefe490d98c5b" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-549-ec2_instance_previous_generation/placebo-red/ec2.DescribeInstances_1.json b/tests/ecc-aws-549-ec2_instance_previous_generation/placebo-red/ec2.DescribeInstances_1.json new file mode 100644 index 000000000..26450b6e9 --- /dev/null +++ b/tests/ecc-aws-549-ec2_instance_previous_generation/placebo-red/ec2.DescribeInstances_1.json 
@@ -0,0 +1,198 @@ +{ + "status_code": 200, + "data": { + "Reservations": [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-076c7acfc9e8ee57d", + "InstanceId": "i-0a53061ca7711249b", + "InstanceType": "t1.micro", + "LaunchTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 15, + "second": 47, + "microsecond": 0 + }, + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1c", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-85-19.ec2.internal", + "PrivateIpAddress": "172.31.85.19", + "ProductCodes": [], + "PublicDnsName": "ec2-44-208-25-60.compute-1.amazonaws.com", + "PublicIpAddress": "44.208.25.60", + "State": { + "Code": 16, + "Name": "running" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-cd7af8ec", + "VpcId": "vpc-ad9744d0", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 15, + "second": 48, + "microsecond": 0 + }, + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-04690305ce20bafa5" + } + } + ], + "ClientToken": "terraform-20231113121544633700000001", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-44-208-25-60.compute-1.amazonaws.com", + "PublicIp": "44.208.25.60" + }, + "Attachment": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 15, + "second": 47, + "microsecond": 0 + }, + "AttachmentId": "eni-attach-0db7cca78cc9712aa", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + ], + 
"Ipv6Addresses": [], + "MacAddress": "12:1b:fb:0a:74:99", + "NetworkInterfaceId": "eni-0754c641ad4391a47", + "OwnerId": "111111111111", + "PrivateDnsName": "ip-172-31-85-19.ec2.internal", + "PrivateIpAddress": "172.31.85.19", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-44-208-25-60.compute-1.amazonaws.com", + "PublicIp": "44.208.25.60" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-85-19.ec2.internal", + "PrivateIpAddress": "172.31.85.19" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-cd7af8ec", + "VpcId": "vpc-ad9744d0", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + ], + "SourceDestCheck": true, + "Tags": [ + { + "Key": "Name", + "Value": "549_instance_red" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-549-ec2_instance_previous_generation" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "InstanceMetadataTags": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 13, + "hour": 12, + "minute": 15, + "second": 47, + "microsecond": 0 + }, + "PrivateDnsNameOptions": { + "HostnameType": "ip-name", + "EnableResourceNameDnsARecord": false, + "EnableResourceNameDnsAAAARecord": false + }, + "MaintenanceOptions": { + "AutoRecovery": "default" + }, + 
"CurrentInstanceBootMode": "legacy-bios" + } + ], + "OwnerId": "111111111111", + "ReservationId": "r-0da16be037ac266c1" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-549-ec2_instance_previous_generation/red_policy_test.py b/tests/ecc-aws-549-ec2_instance_previous_generation/red_policy_test.py new file mode 100644 index 000000000..b9da010eb --- /dev/null +++ b/tests/ecc-aws-549-ec2_instance_previous_generation/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]['InstanceType'], 't1.micro') From 6d7b1f0c3be15454601ff1752be3ef40d4eaab07 Mon Sep 17 00:00:00 2001 
From: Vladyslav Yevsiukov Date: Tue, 14 Nov 2023 14:41:42 +0000 Subject: [PATCH 09/18] new: added policy ecc-aws-583-elb_classic_metadata --- policies/ecc-aws-583-elb_classic.yml | 13 +++ terraform/ecc-aws-583-elb_classic/green/lb.tf | 80 +++++++++++++++++++ .../ecc-aws-583-elb_classic/green/provider.tf | 20 +++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 +++ .../iam/583-policy.json | 13 +++ terraform/ecc-aws-583-elb_classic/red/lb.tf | 59 ++++++++++++++ .../ecc-aws-583-elb_classic/red/provider.tf | 20 +++++ .../red/terraform.tfvars | 2 + .../ecc-aws-583-elb_classic/red/variables.tf | 9 +++ ...loadbalancing.DescribeLoadBalancers_1.json | 46 +++++++++++ .../elasticloadbalancing.DescribeTags_1.json | 21 +++++ ...loadbalancing.DescribeLoadBalancers_1.json | 77 ++++++++++++++++++ .../placebo-red/tagging.GetResources_1.json | 22 +++++ .../red_policy_test.py | 4 + 15 files changed, 397 insertions(+) create mode 100644 policies/ecc-aws-583-elb_classic.yml create mode 100644 terraform/ecc-aws-583-elb_classic/green/lb.tf create mode 100644 terraform/ecc-aws-583-elb_classic/green/provider.tf create mode 100644 terraform/ecc-aws-583-elb_classic/green/terraform.tfvars create mode 100644 terraform/ecc-aws-583-elb_classic/green/variables.tf create mode 100644 terraform/ecc-aws-583-elb_classic/iam/583-policy.json create mode 100644 terraform/ecc-aws-583-elb_classic/red/lb.tf create mode 100644 terraform/ecc-aws-583-elb_classic/red/provider.tf create mode 100644 terraform/ecc-aws-583-elb_classic/red/terraform.tfvars create mode 100644 terraform/ecc-aws-583-elb_classic/red/variables.tf create mode 100644 tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json create mode 100644 tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeTags_1.json create mode 100644 tests/ecc-aws-583-elb_classic/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json create mode 100644 
tests/ecc-aws-583-elb_classic/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-583-elb_classic/red_policy_test.py
diff --git a/policies/ecc-aws-583-elb_classic.yml b/policies/ecc-aws-583-elb_classic.yml
new file mode 100644
index 000000000..9ae40fd53
--- /dev/null
+++ b/policies/ecc-aws-583-elb_classic.yml
@@ -0,0 +1,13 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-583-elb_classic
+ comment: '010009022000'
+ description: |
+ Classic Load Balancer are used instead of Application Load Balancer
+ resource: elb
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/green/lb.tf b/terraform/ecc-aws-583-elb_classic/green/lb.tf
new file mode 100644
index 000000000..09a1f3e93
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/green/lb.tf
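Review bot: The policy has no `filters`, so every classic load balancer the `elb` resource returns is reported; that looks intended for this rule, but the description should say so rather than leave the reader looking for a missing filter, and it also has a number-agreement slip. Suggest `Classic Load Balancers are used instead of Application Load Balancers (every classic ELB in the account is reported)`.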
@@ -0,0 +1,80 @@
+resource "aws_lb" "this" {
+ name = "583albgreen"
+ security_groups = [aws_security_group.this.id]
+ subnets = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
+ load_balancer_type = "application"
+}
+
+resource "aws_vpc" "this" {
+ cidr_block = "10.0.0.0/16"
+ instance_tenancy = "default"
+}
+
+resource "aws_subnet" "subnet1" {
+ vpc_id = aws_vpc.this.id
+ cidr_block = "10.0.1.0/24"
+ availability_zone = "us-east-1a"
+}
+
+resource "aws_subnet" "subnet2" {
+ vpc_id = aws_vpc.this.id
+ cidr_block = "10.0.2.0/24"
+ availability_zone = "us-east-1b"
+}
+
+resource "aws_security_group" "this" {
+ name = "583_security_group_green"
+ vpc_id = aws_vpc.this.id
+
+ lifecycle {
+ create_before_destroy = true
+ }
+}
+
+resource "aws_security_group_rule" "rule1" {
+ from_port = 22
+ to_port = 22
+ protocol = "tcp"
+ cidr_blocks = [
+ "0.0.0.0/0"
+ ]
+ security_group_id = aws_security_group.this.id
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "rule2" {
+ from_port = 80
+ protocol = "tcp"
+ to_port = 80
+ cidr_blocks = [
+ "0.0.0.0/0"
+ ]
+ security_group_id = aws_security_group.this.id
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "rule3" {
+ protocol = "tcp"
+ from_port = 443
+ to_port = 443
+ cidr_blocks = [
+ "0.0.0.0/0"
+ ]
+ security_group_id = aws_security_group.this.id
+ type = "ingress"
+}
+
+resource "aws_security_group_rule" "rule4" {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = [
+ "0.0.0.0/0"
+ ]
+ security_group_id = aws_security_group.this.id
+ type = "egress"
+}
+
+resource "aws_internet_gateway" "this" {
+ vpc_id = aws_vpc.this.id
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/green/provider.tf b/terraform/ecc-aws-583-elb_classic/green/provider.tf
new file mode 100644
index 000000000..c750f21a7
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/green/provider.tf
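Review bot: `rule1` opens TCP/22 from `0.0.0.0/0` on the security group that is attached only to the application load balancer, and an ALB never terminates SSH, so the rule adds an internet-exposed port the fixture does not use and that other security-group rules in this repository may flag on the green side. Drop the `rule1` resource and keep `rule2`/`rule3` (80 and 443) plus the `rule4` egress; the ALB also has no `aws_lb_listener`, which is fine for a describe-only fixture but worth a one-line comment such as `# no listener: the rule only inspects the load balancer type`.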
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-583-elb_classic"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/green/terraform.tfvars b/terraform/ecc-aws-583-elb_classic/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/green/variables.tf b/terraform/ecc-aws-583-elb_classic/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/iam/583-policy.json b/terraform/ecc-aws-583-elb_classic/iam/583-policy.json
new file mode 100644
index 000000000..89bb36c01
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/iam/583-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "ec2:DescribeRegions"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/terraform/ecc-aws-583-elb_classic/red/lb.tf b/terraform/ecc-aws-583-elb_classic/red/lb.tf
new file mode 100644
index 000000000..7447af647
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/red/lb.tf
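Review bot: `583-policy.json` grants only `elasticloadbalancing:DescribeLoadBalancers` and `ec2:DescribeRegions`, yet the placebo recordings added later in this same commit show the policy also calling `elasticloadbalancing.DescribeTags` (green) and `tagging.GetResources` (red), so a role built from this file alone would presumably be denied on the tag lookup. Add `"elasticloadbalancing:DescribeTags"` and `"tag:GetResources"` to the `Action` list so the least-privilege policy actually covers what the rule executes.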
@@ -0,0 +1,59 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t2.micro"
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+resource "aws_elb" "this" {
+ name = "elb-583-http-red"
+ availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
+
+ listener {
+ instance_port = 8000
+ instance_protocol = "http"
+ lb_port = 443
+ lb_protocol = "https"
+ ssl_certificate_id = aws_acm_certificate.this.arn
+ }
+
+ instances = ["${aws_instance.this.id}"]
+ cross_zone_load_balancing = true
+ idle_timeout = 400
+ connection_draining = true
+ connection_draining_timeout = 400
+}
+
+resource "tls_private_key" "this" {
+ algorithm = "RSA"
+}
+
+resource "tls_self_signed_cert" "this" {
+ private_key_pem = tls_private_key.this.private_key_pem
+
+ subject {
+ common_name = "example.com"
+ organization = "ACME Examples, Inc"
+ }
+
+ validity_period_hours = 12
+
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}
+
+resource "aws_acm_certificate" "this" {
+ private_key = tls_private_key.this.private_key_pem
+ certificate_body = tls_self_signed_cert.this.cert_pem
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/red/provider.tf b/terraform/ecc-aws-583-elb_classic/red/provider.tf
new file mode 100644
index 000000000..cd432a34e
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-583-elb_classic"
+ ComplianceStatus = "Red"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/red/terraform.tfvars b/terraform/ecc-aws-583-elb_classic/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
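Review bot: `instances = ["${aws_instance.this.id}"]` uses the legacy interpolation-only string form that current Terraform releases deprecate and `terraform fmt` rewrites; `instances = [aws_instance.this.id]` is the equivalent. The file also relies on `tls_private_key` and `tls_self_signed_cert`, but the `required_providers` block in `red/provider.tf` on this same line declares only `aws`, so the `tls` provider is resolved implicitly and unpinned; adding a `tls = { source = "hashicorp/tls" }` entry next to `aws` makes the dependency explicit. A `# self-signed, 12 h validity: fixture only` comment above `tls_self_signed_cert` would also save the next reader from asking whether the certificate is meant for anything real.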
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-583-elb_classic/red/variables.tf b/terraform/ecc-aws-583-elb_classic/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-583-elb_classic/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json b/tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json
new file mode 100644
index 000000000..c2c1c98b6
--- /dev/null
+++ b/tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json
@@ -0,0 +1,46 @@ +{ + "status_code": 200, + "data": { + "LoadBalancers": [ + { + "LoadBalancerArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/alb-583-green/41f34b2e65d2ba72", + "DNSName": "alb-583-green-1689571504.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneId": "Z35SXDOTRQ7X7K", + "CreatedTime": { + "__class__": "datetime", + "year": 2022, + "month": 10, + "day": 27, + "hour": 11, + "minute": 2, + "second": 39, + "microsecond": 970000 + }, + "LoadBalancerName": "alb-583-green", + "Scheme": "internet-facing", + "VpcId": "vpc-12345asdfg", + "State": { + "Code": "active" + }, + "Type": "application", + "AvailabilityZones": [ + { + "ZoneName": "us-east-1a", + "SubnetId": "subnet-0a836d1ddc51a5825", + "LoadBalancerAddresses": [] + }, + { + "ZoneName": "us-east-1b", + "SubnetId": "subnet-0bbb2e4e86f11a0fc", + "LoadBalancerAddresses": [] + } + ], + "SecurityGroups": [ + "sg-0f31bc19d2a9479d1" + ], + "IpAddressType": "ipv4" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeTags_1.json b/tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeTags_1.json new file mode 100644 index 000000000..92acbd59e --- /dev/null +++ b/tests/ecc-aws-583-elb_classic/placebo-green/elasticloadbalancing.DescribeTags_1.json @@ -0,0 +1,21 @@ +{ + "status_code": 200, + "data": { + "TagDescriptions": [ + { + "ResourceArn": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/app/alb-583-green/41f34b2e65d2ba72", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-583-elb_classic" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file 
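Review bot: The green `DescribeLoadBalancers_1.json` recording has the ELBv2 response shape (`LoadBalancers`, `"Type": "application"`, a placeholder `"VpcId": "vpc-12345asdfg"`, a 2022 `CreatedTime`), whereas the classic API that the `elb` resource queries returns `LoadBalancerDescriptions`, as the red recording for this rule does; as far as the fixtures show, the green test therefore sees zero resources because the key is absent, not because an ALB was examined and excluded. The same applies to `DescribeTags_1.json`, whose `ResourceArn`-keyed `TagDescriptions` is the ELBv2 form. Re-record the green case against the classic endpoint (expected `"LoadBalancerDescriptions": []`), or keep the file and state the intent in the green test fixture directory so nobody later "fixes" it into a false positive.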
diff --git a/tests/ecc-aws-583-elb_classic/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json b/tests/ecc-aws-583-elb_classic/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json new file mode 100644 index 000000000..07133484b --- /dev/null +++ b/tests/ecc-aws-583-elb_classic/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json 
@@ -0,0 +1,77 @@ +{ + "status_code": 200, + "data": { + "LoadBalancerDescriptions": [ + { + "LoadBalancerName": "elb-583-http-red", + "DNSName": "elb-583-http-red-52759978.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneName": "elb-583-http-red-52759978.us-east-1.elb.amazonaws.com", + "CanonicalHostedZoneNameID": "Z35SXDOTRQ7X7K", + "ListenerDescriptions": [ + { + "Listener": { + "Protocol": "HTTPS", + "LoadBalancerPort": 443, + "InstanceProtocol": "HTTP", + "InstancePort": 8000, + "SSLCertificateId": "arn:aws:acm:us-east-1:111111111111:certificate/32befb95-2e36-43c5-ac0f-f5a54035fab1" + }, + "PolicyNames": [ + "ELBSecurityPolicy-2016-08" + ] + } + ], + "Policies": { + "AppCookieStickinessPolicies": [], + "LBCookieStickinessPolicies": [], + "OtherPolicies": [ + "ELBSecurityPolicy-2016-08" + ] + }, + "BackendServerDescriptions": [], + "AvailabilityZones": [ + "us-east-1a", + "us-east-1b", + "us-east-1c" + ], + "Subnets": [ + "subnet-8158d8de", + "subnet-b045c2d6", + "subnet-cd7af8ec" + ], + "VPCId": "vpc-ad9744d0", + "Instances": [ + { + "InstanceId": "i-0d5715e97daeba230" + } + ], + "HealthCheck": { + "Target": "TCP:8000", + "Interval": 30, + "Timeout": 5, + "UnhealthyThreshold": 2, + "HealthyThreshold": 10 + }, + "SourceSecurityGroup": { + "OwnerAlias": "111111111111", + "GroupName": "default_elb_fc2f8b95-5e14-38b7-80f6-2259e106c533" + }, + "SecurityGroups": [ + "sg-0146f21282b80644b" + ], + "CreatedTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 14, + "hour": 11, + "minute": 28, + "second": 30, + "microsecond": 370000 + }, + "Scheme": "internet-facing" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-583-elb_classic/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-583-elb_classic/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..a78528bae --- /dev/null +++ b/tests/ecc-aws-583-elb_classic/placebo-red/tagging.GetResources_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:elasticloadbalancing:us-east-1:111111111111:loadbalancer/elb-583-http-red", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-583-elb_classic" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-583-elb_classic/red_policy_test.py b/tests/ecc-aws-583-elb_classic/red_policy_test.py new file mode 100644 index 000000000..39e6bcc88 --- /dev/null +++ b/tests/ecc-aws-583-elb_classic/red_policy_test.py @@ -0,0 +1,4 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) From cff94e1f7b5584044a5269b196eb27d865a05371 Mon Sep 17 00:00:00 2001 
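Review bot: `test_resources` in `red_policy_test.py` asserts only `len(resources) == 1`, unlike the 549 and 570 tests in this series, which also pin a distinguishing attribute; add `base_test.assertEqual(resources[0]['LoadBalancerName'], 'elb-583-http-red')` so a regression that returns a different load balancer from the recording is caught rather than counted.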
From: Astr1k Date: Wed, 15 Nov 2023 13:27:55 +0000 Subject: [PATCH 10/18] new: added policy ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1 --- ...volumes_are_of_type_gp3_instead_of_io1.yml | 18 ++++++++ .../green/ebs.tf | 12 ++++++ .../green/provider.tf | 20 +++++++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 ++++ .../iam/570-policy.json | 12 ++++++ .../red/ebs.tf | 13 ++++++ .../red/provider.tf | 20 +++++++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 ++++ .../placebo-green/ec2.DescribeVolumes_1.json | 41 +++++++++++++++++++ .../placebo-red/ec2.DescribeVolumes_1.json | 40 ++++++++++++++++++ .../red_policy_test.py | 5 +++ 13 files changed, 203 insertions(+) create mode 100644 policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars create mode 100644 terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf create mode 100644 tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json create mode 100644 tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json create mode 100644 
tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py
diff --git a/policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml b/policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml
new file mode 100644
index 000000000..ce8b421f6
--- /dev/null
+++ b/policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1
+ comment: '010007042000'
+ description: |
+ EBS volumes are type of io1 or io2 instead of gp3
+ resource: aws.ebs
+ filters:
+ - type: value
+ key: VolumeType
+ op: regex
+ value: '(io1|io2)'
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf
new file mode 100644
index 000000000..a5d709514
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf
@@ -0,0 +1,12 @@
+resource "aws_ebs_volume" "this" {
+ availability_zone = data.aws_availability_zones.this.names[0]
+ size = 8
+ type = "gp3"
+ tags = {
+ Name = "570-ebs_volume-green"
+ }
+}
+
+data "aws_availability_zones" "this" {
+ state = "available"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf
new file mode 100644
index 000000000..8a5de251e
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf
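Review bot: The filter uses `op: regex` with `value: '(io1|io2)'` to match a closed set of two literal values; `op: in` with `value: [io1, io2]` states the same condition without regex semantics (as far as I recall, Custodian's `regex` op is a start-anchored `re.match`, so it is not an exact-match test). The description `EBS volumes are type of io1 or io2 instead of gp3` should read `EBS volumes are of type io1 or io2 instead of gp3`, and since it names io2 while the policy name says only io1, a short `# io2 is included: same provisioned-IOPS class` comment on the filter would explain the mismatch.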
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json
new file mode 100644
index 000000000..f707deebd
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVolumes"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf
new file mode 100644
index 000000000..7115338df
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf
@@ -0,0 +1,13 @@
+resource "aws_ebs_volume" "this" {
+ availability_zone = data.aws_availability_zones.this.names[0]
+ size = 8
+ type = "io1"
+ iops = 100
+ tags = {
+ Name = "570-ebs_volume-red"
+ }
+}
+
+data "aws_availability_zones" "this" {
+ state = "available"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf
new file mode 100644
index 000000000..67178a6d4
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json new file mode 100644 index 000000000..c3f0ad344 --- /dev/null +++ b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json @@ -0,0 +1,41 @@ +{ + "status_code": 200, + "data": { + "Volumes": [ + { + "Attachments": [], + "AvailabilityZone": "us-east-1a", + "CreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 14, + "hour": 13, + "minute": 49, + "second": 12, + "microsecond": 551000 + }, + "Encrypted": false, + "Size": 8, + "SnapshotId": "", + "State": "available", + "VolumeId": "vol-012d727c7534061d4", + "Iops": 3000, + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1" + } + ], + "VolumeType": "gp3", + "MultiAttachEnabled": false, + "Throughput": 125 + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json new file mode 100644 index 000000000..1ab9c5243 --- /dev/null +++ b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json 
@@ -0,0 +1,40 @@ +{ + "status_code": 200, + "data": { + "Volumes": [ + { + "Attachments": [], + "AvailabilityZone": "us-east-1a", + "CreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 14, + "hour": 14, + "minute": 1, + "second": 31, + "microsecond": 420000 + }, + "Encrypted": false, + "Size": 8, + "SnapshotId": "", + "State": "available", + "VolumeId": "vol-00926f59f3b171f3b", + "Iops": 100, + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1" + } + ], + "VolumeType": "io1", + "MultiAttachEnabled": false + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py new file mode 100644 index 000000000..3dce85a5f --- /dev/null +++ b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]['VolumeType'], "io1") \ No newline at end of file From 5c119e8a7f3a539884c1dc78fc003cb772f53e5e Mon Sep 17 00:00:00 2001 
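Review bot: `class PolicyTest(object)` in red_policy_test.py carries a redundant `object` base; under Python 3 `class PolicyTest:` is the idiomatic form, and the same applies to the 590 and 598 test files later in this series. The assertions pin the count and `VolumeType` only; asserting the identity as well, `base_test.assertEqual(resources[0]['VolumeId'], 'vol-00926f59f3b171f3b')`, makes the test fail loudly if the fixture ever grows a second io1 volume rather than passing on whichever one sorts first. The file also lacks a trailing newline, which the other new files in the series are inconsistent about.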
From: Astr1k Date: Wed, 15 Nov 2023 15:33:26 +0000 Subject: [PATCH 11/18] new: added policy ecc-aws-590-rds_general_purpose_ssd_storage_type --- ...0-rds_general_purpose_ssd_storage_type.yml | 17 ++ .../green/provider.tf | 20 +++ .../green/rds.tf | 18 ++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 + .../iam/590-policy.json | 13 ++ .../red/provider.tf | 20 +++ .../red/rds.tf | 20 +++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 + .../rds.DescribeDBInstances_1.json | 165 ++++++++++++++++++ .../rds.DescribeDBInstances_1.json | 160 +++++++++++++++++ .../red_policy_test.py | 5 + 13 files changed, 460 insertions(+) create mode 100644 policies/ecc-aws-590-rds_general_purpose_ssd_storage_type.yml create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/provider.tf create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/rds.tf create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/terraform.tfvars create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/variables.tf create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/provider.tf create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/rds.tf create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/terraform.tfvars create mode 100644 terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/variables.tf create mode 100644 tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-green/rds.DescribeDBInstances_1.json create mode 100644 tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-red/rds.DescribeDBInstances_1.json create mode 100644 tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/red_policy_test.py 
diff --git a/policies/ecc-aws-590-rds_general_purpose_ssd_storage_type.yml b/policies/ecc-aws-590-rds_general_purpose_ssd_storage_type.yml
new file mode 100644
index 000000000..f899c53ff
--- /dev/null
+++ b/policies/ecc-aws-590-rds_general_purpose_ssd_storage_type.yml
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-590-rds_general_purpose_ssd_storage_type
+ comment: '010007062000'
+ description: |
+ Amazon RDS instance not uses general purpose ssd
+ resource: rds
+ filters:
+ - type: value
+ key: StorageType
+ value: io1
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/provider.tf b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/provider.tf
new file mode 100644
index 000000000..db99a1e82
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-590-rds_general_purpose_ssd_storage_type"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/rds.tf b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/rds.tf
new file mode 100644
index 000000000..83c9fc4c3
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/rds.tf
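Review bot: The filter in ecc-aws-590 flags only `StorageType: io1`, so an instance on `standard` (magnetic) storage, which is also not general purpose SSD, passes a rule whose name and description say the opposite. If the intent is "anything other than gp2/gp3", invert the match — `op: not-in` with `value: [gp2, gp3]` on `key: StorageType` — which also covers provisioned-IOPS variants AWS adds later without another policy edit. The description `Amazon RDS instance not uses general purpose ssd` would read more clearly as `Amazon RDS instance does not use general purpose SSD storage`.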
@@ -0,0 +1,18 @@
+resource "random_password" "this" {
+ length = 12
+ special = true
+ numeric = true
+ override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+ allocated_storage = 10
+ engine = "mysql"
+ engine_version = "5.7"
+ instance_class = "db.t2.micro"
+ db_name = "database590green"
+ username = "root"
+ password = random_password.this.result
+ parameter_group_name = "default.mysql5.7"
+ skip_final_snapshot = true
+}
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/terraform.tfvars b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/variables.tf b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json
new file mode 100644
index 000000000..805b5cf76
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/iam/590-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "tag:GetResources"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
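Review bot: green/rds.tf leaves `storage_type` unset, so the compliant fixture depends on the provider default (gp2 when no `iops` is given, which is what the recorded green response reports) instead of stating the very property the policy inspects; `storage_type = "gp2"` (or `"gp3"`) makes the intent explicit and survives a provider-default change. Neither the green nor the red instance sets `storage_encrypted = true`; since only `StorageType` is under test, encrypting both fixtures costs nothing for the test and avoids standing up an unencrypted database in the test account. The `random_password` result is written to Terraform state in clear text, which is the usual caveat for throwaway RDS fixtures and worth a one-line comment on the resource.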
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/provider.tf b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/provider.tf
new file mode 100644
index 000000000..1a2b6406a
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-590-rds_general_purpose_ssd_storage_type"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/rds.tf b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/rds.tf
new file mode 100644
index 000000000..536b62563
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/rds.tf
@@ -0,0 +1,20 @@
+resource "random_password" "this" {
+ length = 12
+ special = true
+ numeric = true
+ override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+ allocated_storage = 100
+ engine = "mysql"
+ engine_version = "5.7"
+ instance_class = "db.t2.micro"
+ db_name = "database590red"
+ username = "root"
+ password = random_password.this.result
+ parameter_group_name = "default.mysql5.7"
+ skip_final_snapshot = true
+ storage_type = "io1"
+ iops = "1000"
+}
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/terraform.tfvars b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
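Review bot: `iops = "1000"` in red/rds.tf passes a numeric attribute as a quoted string; Terraform coerces it, but every other number in the block is written bare, so `iops = 1000` is the consistent form and avoids a type-conversion surprise if the value is ever derived from a variable. As with the green configuration, `storage_encrypted` is left unset here although the rule only looks at `StorageType`.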
diff --git a/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/variables.tf b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-590-rds_general_purpose_ssd_storage_type/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-green/rds.DescribeDBInstances_1.json b/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-green/rds.DescribeDBInstances_1.json
new file mode 100644
index 000000000..aa129f9dc
--- /dev/null
+++ b/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-green/rds.DescribeDBInstances_1.json
@@ -0,0 +1,165 @@ +{ + "status_code": 200, + "data": { + "DBInstances": [ + { + "DBInstanceIdentifier": "terraform-20231115141649646700000001", + "DBInstanceClass": "db.t3.micro", + "Engine": "mysql", + "DBInstanceStatus": "available", + "MasterUsername": "root", + "DBName": "database590green", + "Endpoint": { + "Address": "terraform-20231115141649646700000001.chhajgiktbgu.us-east-1.rds.amazonaws.com", + "Port": 3306, + "HostedZoneId": "Z2R2ITUGPM61AM" + }, + "AllocatedStorage": 10, + "InstanceCreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 15, + "hour": 14, + "minute": 21, + "second": 13, + "microsecond": 990000 + }, + "PreferredBackupWindow": "08:28-08:58", + "BackupRetentionPeriod": 0, + "DBSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-a5befc90", + "Status": "active" + } + ], + "DBParameterGroups": [ + { + "DBParameterGroupName": "default.mysql5.7", + "ParameterApplyStatus": "in-sync" + } + ], + "AvailabilityZone": "us-east-1b", + "DBSubnetGroup": { + "DBSubnetGroupName": "default", + "DBSubnetGroupDescription": "default", + "VpcId": "vpc-ad9744d0", + "SubnetGroupStatus": "Complete", + "Subnets": [ + { + "SubnetIdentifier": "subnet-cd7af8ec", + "SubnetAvailabilityZone": { + "Name": "us-east-1c" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-fa9dcab7", + "SubnetAvailabilityZone": { + "Name": "us-east-1d" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-247c052a", + "SubnetAvailabilityZone": { + "Name": "us-east-1f" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-b045c2d6", + "SubnetAvailabilityZone": { + "Name": "us-east-1b" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-5264af63", + "SubnetAvailabilityZone": { + "Name": "us-east-1e" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + 
"SubnetIdentifier": "subnet-8158d8de", + "SubnetAvailabilityZone": { + "Name": "us-east-1a" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + } + ] + }, + "PreferredMaintenanceWindow": "mon:07:30-mon:08:00", + "PendingModifiedValues": { + "DBInstanceClass": "db.t2.micro" + }, + "MultiAZ": false, + "EngineVersion": "5.7.42", + "AutoMinorVersionUpgrade": true, + "ReadReplicaDBInstanceIdentifiers": [], + "LicenseModel": "general-public-license", + "OptionGroupMemberships": [ + { + "OptionGroupName": "default:mysql-5-7", + "Status": "in-sync" + } + ], + "PubliclyAccessible": false, + "StorageType": "gp2", + "DbInstancePort": 0, + "StorageEncrypted": false, + "DbiResourceId": "db-BJMJSDZWWEAHI3KO4ZVADVVI3I", + "CACertificateIdentifier": "rds-ca-2019", + "DomainMemberships": [], + "CopyTagsToSnapshot": false, + "MonitoringInterval": 0, + "DBInstanceArn": "arn:aws:rds:us-east-1:644160558196:db:terraform-20231115141649646700000001", + "IAMDatabaseAuthenticationEnabled": false, + "PerformanceInsightsEnabled": false, + "DeletionProtection": false, + "AssociatedRoles": [], + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-590-rds_general_purpose_ssd_storage_type" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "Name", + "Value": "database590green" + } + ], + "CustomerOwnedIpEnabled": false, + "ActivityStreamStatus": "stopped", + "BackupTarget": "region", + "NetworkType": "IPV4", + "StorageThroughput": 0, + "CertificateDetails": { + "CAIdentifier": "rds-ca-2019", + "ValidTill": { + "__class__": "datetime", + "year": 2024, + "month": 8, + "day": 22, + "hour": 17, + "minute": 8, + "second": 50, + "microsecond": 0 + } + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file 
diff --git a/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-red/rds.DescribeDBInstances_1.json b/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-red/rds.DescribeDBInstances_1.json
new file mode 100644
index 000000000..3ea0b08fe
--- /dev/null
+++ b/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/placebo-red/rds.DescribeDBInstances_1.json
@@ -0,0 +1,160 @@ +{ + "status_code": 200, + "data": { + "DBInstances": [ + { + "DBInstanceIdentifier": "terraform-20231115143007956400000001", + "DBInstanceClass": "db.t2.micro", + "Engine": "mysql", + "DBInstanceStatus": "available", + "MasterUsername": "root", + "DBName": "database590red", + "Endpoint": { + "Address": "terraform-20231115143007956400000001.chhajgiktbgu.us-east-1.rds.amazonaws.com", + "Port": 3306, + "HostedZoneId": "Z2R2ITUGPM61AM" + }, + "AllocatedStorage": 100, + "InstanceCreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 15, + "hour": 14, + "minute": 34, + "second": 23, + "microsecond": 203000 + }, + "PreferredBackupWindow": "05:56-06:26", + "BackupRetentionPeriod": 0, + "DBSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-a5befc90", + "Status": "active" + } + ], + "DBParameterGroups": [ + { + "DBParameterGroupName": "default.mysql5.7", + "ParameterApplyStatus": "in-sync" + } + ], + "AvailabilityZone": "us-east-1f", + "DBSubnetGroup": { + "DBSubnetGroupName": "default", + "DBSubnetGroupDescription": "default", + "VpcId": "vpc-ad9744d0", + "SubnetGroupStatus": "Complete", + "Subnets": [ + { + "SubnetIdentifier": "subnet-cd7af8ec", + "SubnetAvailabilityZone": { + "Name": "us-east-1c" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-fa9dcab7", + "SubnetAvailabilityZone": { + "Name": "us-east-1d" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-247c052a", + "SubnetAvailabilityZone": { + "Name": "us-east-1f" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-b045c2d6", + "SubnetAvailabilityZone": { + "Name": "us-east-1b" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-5264af63", + "SubnetAvailabilityZone": { + "Name": "us-east-1e" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": 
"subnet-8158d8de", + "SubnetAvailabilityZone": { + "Name": "us-east-1a" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + } + ] + }, + "PreferredMaintenanceWindow": "wed:06:44-wed:07:14", + "PendingModifiedValues": {}, + "MultiAZ": false, + "EngineVersion": "5.7.42", + "AutoMinorVersionUpgrade": true, + "ReadReplicaDBInstanceIdentifiers": [], + "LicenseModel": "general-public-license", + "Iops": 1000, + "OptionGroupMemberships": [ + { + "OptionGroupName": "default:mysql-5-7", + "Status": "in-sync" + } + ], + "PubliclyAccessible": false, + "StorageType": "io1", + "DbInstancePort": 0, + "StorageEncrypted": false, + "DbiResourceId": "db-J3UBF5KYWG26HXTH5C65YMJDBQ", + "CACertificateIdentifier": "rds-ca-2019", + "DomainMemberships": [], + "CopyTagsToSnapshot": false, + "MonitoringInterval": 0, + "DBInstanceArn": "arn:aws:rds:us-east-1:644160558196:db:terraform-20231115143007956400000001", + "IAMDatabaseAuthenticationEnabled": false, + "PerformanceInsightsEnabled": false, + "DeletionProtection": false, + "AssociatedRoles": [], + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-590-rds_general_purpose_ssd_storage_type" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ], + "CustomerOwnedIpEnabled": false, + "ActivityStreamStatus": "stopped", + "BackupTarget": "region", + "NetworkType": "IPV4", + "StorageThroughput": 0, + "CertificateDetails": { + "CAIdentifier": "rds-ca-2019", + "ValidTill": { + "__class__": "datetime", + "year": 2024, + "month": 8, + "day": 22, + "hour": 17, + "minute": 8, + "second": 50, + "microsecond": 0 + } + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/red_policy_test.py b/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/red_policy_test.py new file mode 100644 index 000000000..1d57f8296 --- /dev/null +++ b/tests/ecc-aws-590-rds_general_purpose_ssd_storage_type/red_policy_test.py 
@@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]['StorageType'], "io1") \ No newline at end of file From ee0c927d291803ebe93d85f8d44cb70fd9fb242f Mon Sep 17 00:00:00 2001 From: Astr1k Date: Mon, 27 Nov 2023 12:25:23 +0000 Subject: [PATCH 12/18] new: added policy ecc-aws-598-redshift_instance_generation --- ...c-aws-598-redshift_instance_generation.yml | 18 ++++ .../green/provider.tf | 19 ++++ .../green/redshift.tf | 15 +++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 ++ .../iam/598-policy.json | 12 +++ .../redshift.DescribeClusters_1.json | 94 +++++++++++++++++++ .../redshift.DescribeClusters_1.json | 94 +++++++++++++++++++ .../red_policy_test.py | 5 + 9 files changed, 268 insertions(+) create mode 100644 policies/ecc-aws-598-redshift_instance_generation.yml create mode 100644 terraform/ecc-aws-598-redshift_instance_generation/green/provider.tf create mode 100644 terraform/ecc-aws-598-redshift_instance_generation/green/redshift.tf create mode 100644 terraform/ecc-aws-598-redshift_instance_generation/green/terraform.tfvars create mode 100644 terraform/ecc-aws-598-redshift_instance_generation/green/variables.tf create mode 100644 terraform/ecc-aws-598-redshift_instance_generation/iam/598-policy.json create mode 100644 tests/ecc-aws-598-redshift_instance_generation/placebo-green/redshift.DescribeClusters_1.json create mode 100644 tests/ecc-aws-598-redshift_instance_generation/placebo-red/redshift.DescribeClusters_1.json create mode 100644 tests/ecc-aws-598-redshift_instance_generation/red_policy_test.py diff --git a/policies/ecc-aws-598-redshift_instance_generation.yml b/policies/ecc-aws-598-redshift_instance_generation.yml new file mode 100644 index 000000000..9f4887b03 --- /dev/null +++ b/policies/ecc-aws-598-redshift_instance_generation.yml 
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-598-redshift_instance_generation
+ comment: '010006062000'
+ description: |
+ Amazon Redshift uses previous generation instances
+ resource: redshift
+ filters:
+ - type: value
+ key: NodeType
+ op: regex
+ value: '(dc1|ds2).[^\s]+'
diff --git a/terraform/ecc-aws-598-redshift_instance_generation/green/provider.tf b/terraform/ecc-aws-598-redshift_instance_generation/green/provider.tf
new file mode 100644
index 000000000..17f371ce6
--- /dev/null
+++ b/terraform/ecc-aws-598-redshift_instance_generation/green/provider.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-598-redshift_instance_generation"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-598-redshift_instance_generation/green/redshift.tf b/terraform/ecc-aws-598-redshift_instance_generation/green/redshift.tf
new file mode 100644
index 000000000..1a038557a
--- /dev/null
+++ b/terraform/ecc-aws-598-redshift_instance_generation/green/redshift.tf
@@ -0,0 +1,15 @@
+resource "aws_redshift_cluster" "this" {
+ cluster_identifier = "c7n-598-redshift-green"
+ database_name = "redshift598green"
+ master_username = "root"
+ master_password = random_password.this.result
+ node_type = "dc2.large"
+ skip_final_snapshot = true
+}
+
+resource "random_password" "this" {
+ length = 12
+ special = false
+ override_special = "_%@"
+ min_numeric = 1
+}
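Review bot: The regex `(dc1|ds2).[^\s]+` in ecc-aws-598 leaves the dot unescaped, so it matches any character after the family name rather than the literal `.` that separates family from size; `(dc1|ds2)\.[^\s]+` is what the node-type format calls for. As far as I recall Custodian's `regex` op is anchored at the start of the value, so no leading `^` is needed, but the trailing `[^\s]+` adds nothing over `(dc1|ds2)\.` and could simply be dropped.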
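Review bot: green/redshift.tf does not set `publicly_accessible`, and the recorded green response shows `"PubliclyAccessible": true` with a public IP and `"Encrypted": false`; the aws provider defaults `publicly_accessible` to true for `aws_redshift_cluster`, so this fixture stands up an internet-reachable, unencrypted warehouse with a `root` master user to exercise a node-type check. Set `publicly_accessible = false` and `encrypted = true` explicitly in the cluster block. In `random_password`, `override_special` is effectively inert while `special = false`, and Redshift requires at least one uppercase and one lowercase letter in the master password, which `min_numeric = 1` alone does not guarantee; add `min_upper = 1` and `min_lower = 1`. The diffstat for this patch lists only `green/`, so the red response appears hand-derived (it shares the green cluster's timestamps and public key) and there is no Terraform from which it could be reproduced.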
diff --git a/terraform/ecc-aws-598-redshift_instance_generation/green/terraform.tfvars b/terraform/ecc-aws-598-redshift_instance_generation/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-598-redshift_instance_generation/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-598-redshift_instance_generation/green/variables.tf b/terraform/ecc-aws-598-redshift_instance_generation/green/variables.tf
new file mode 100644
index 000000000..09e482677
--- /dev/null
+++ b/terraform/ecc-aws-598-redshift_instance_generation/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-598-redshift_instance_generation/iam/598-policy.json b/terraform/ecc-aws-598-redshift_instance_generation/iam/598-policy.json
new file mode 100644
index 000000000..ea4f3e0d3
--- /dev/null
+++ b/terraform/ecc-aws-598-redshift_instance_generation/iam/598-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "redshift:DescribeClusters"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/tests/ecc-aws-598-redshift_instance_generation/placebo-green/redshift.DescribeClusters_1.json b/tests/ecc-aws-598-redshift_instance_generation/placebo-green/redshift.DescribeClusters_1.json
new file mode 100644
index 000000000..db39dc0d5
--- /dev/null
+++ b/tests/ecc-aws-598-redshift_instance_generation/placebo-green/redshift.DescribeClusters_1.json
@@ -0,0 +1,94 @@ +{ + "status_code": 200, + "data": { + "Clusters": [ + { + "ClusterIdentifier": "c7n-598-redshift-green", + "NodeType": "dc2.large", + "ClusterStatus": "available", + "ClusterAvailabilityStatus": "Available", + "MasterUsername": "root", + "DBName": "redshift598green", + "Endpoint": { + "Address": "c7n-598-redshift-green.cqwaglj6btcm.us-east-1.redshift.amazonaws.com", + "Port": 5439 + }, + "ClusterCreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 27, + "hour": 11, + "minute": 13, + "second": 44, + "microsecond": 730000 + }, + "AutomatedSnapshotRetentionPeriod": 1, + "ManualSnapshotRetentionPeriod": -1, + "ClusterSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-a5befc90", + "Status": "active" + } + ], + "ClusterParameterGroups": [ + { + "ParameterGroupName": "default.redshift-1.0", + "ParameterApplyStatus": "in-sync" + } + ], + "ClusterSubnetGroupName": "default", + "VpcId": "vpc-ad9744d0", + "AvailabilityZone": "us-east-1c", + "PreferredMaintenanceWindow": "thu:08:30-thu:09:00", + "PendingModifiedValues": {}, + "ClusterVersion": "1.0", + "AllowVersionUpgrade": true, + "NumberOfNodes": 1, + "PubliclyAccessible": true, + "Encrypted": false, + "ClusterPublicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSLfRy3lKvZpJhD6J2xB9gciMn4wKQAkJ+J22XOtAWcJJIIC75C8K8O4Xk0Ie2+S4yTq/H1blPL35qrFoV0Z1K7zKjMHU9D9sm52iyOF0H6gUnI7zyYBsHd3r8Xeb5NDEKNuphXR7RJSkDZCJUMyAKT9FqE/sli8Cqsp8wnaO6IEXs4y5rjsNgG1eZCtoK4DOiEzxiEwCHAcKAjui2TG+fKLyzPEXvuEJBQCKl4arcUGmqA9b2VJODHR3ud8WBbE+VISgQu62x0m25mf3ApmIBfROyyeNi9ALSbRdNIwX9A3mGziuDseRoKNYLMX0Js8RcppJYwOmPj+MFiDhJwFXT Amazon-Redshift\n", + "ClusterNodes": [ + { + "NodeRole": "SHARED", + "PrivateIPAddress": "172.31.83.168", + "PublicIPAddress": "3.221.51.54" + } + ], + "ClusterRevisionNumber": "60353", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-598-redshift_instance_generation" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ], + 
"EnhancedVpcRouting": false, + "IamRoles": [], + "MaintenanceTrackName": "current", + "DeferredMaintenanceWindows": [], + "NextMaintenanceWindowStartTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 30, + "hour": 8, + "minute": 30, + "second": 0, + "microsecond": 0 + }, + "AvailabilityZoneRelocationStatus": "disabled", + "ClusterNamespaceArn": "arn:aws:redshift:us-east-1:644160558196:namespace:4aaaf1ee-3d46-4eab-8be2-1071795eb7e1", + "AquaConfiguration": { + "AquaStatus": "disabled", + "AquaConfigurationStatus": "auto" + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-598-redshift_instance_generation/placebo-red/redshift.DescribeClusters_1.json b/tests/ecc-aws-598-redshift_instance_generation/placebo-red/redshift.DescribeClusters_1.json new file mode 100644 index 000000000..f1ecfb5ae --- /dev/null +++ b/tests/ecc-aws-598-redshift_instance_generation/placebo-red/redshift.DescribeClusters_1.json 
@@ -0,0 +1,94 @@ +{ + "status_code": 200, + "data": { + "Clusters": [ + { + "ClusterIdentifier": "c7n-598-redshift-red", + "NodeType": "dc1.large", + "ClusterStatus": "available", + "ClusterAvailabilityStatus": "Available", + "MasterUsername": "root", + "DBName": "redshift598red", + "Endpoint": { + "Address": "c7n-598-redshift-red.bqwaglj6btcm.us-east-1.redshift.amazonaws.com", + "Port": 5439 + }, + "ClusterCreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 27, + "hour": 11, + "minute": 13, + "second": 44, + "microsecond": 730000 + }, + "AutomatedSnapshotRetentionPeriod": 1, + "ManualSnapshotRetentionPeriod": -1, + "ClusterSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-a5befc90", + "Status": "active" + } + ], + "ClusterParameterGroups": [ + { + "ParameterGroupName": "default.redshift-1.0", + "ParameterApplyStatus": "in-sync" + } + ], + "ClusterSubnetGroupName": "default", + "VpcId": "vpc-ad9744d0", + "AvailabilityZone": "us-east-1c", + "PreferredMaintenanceWindow": "thu:08:30-thu:09:00", + "PendingModifiedValues": {}, + "ClusterVersion": "1.0", + "AllowVersionUpgrade": true, + "NumberOfNodes": 1, + "PubliclyAccessible": true, + "Encrypted": false, + "ClusterPublicKey": "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCSLfRy3lKvZpJhD6J2xB9gciMn4wKQAkJ+J22XOtAWcJJIIC75C8K8O4Xk0Ie2+S4yTq/H1blPL35qrFoV0Z1K7zKjMHU9D9sm52iyOF0H6gUnI7zyYBsHd3r8Xeb5NDEKNuphXR7RJSkDZCJUMyAKT9FqE/sli8Cqsp8wnaO6IEXs4y5rjsNgG1eZCtoK4DOiEzxiEwCHAcKAjui2TG+fKLyzPEXvuEJBQCKl4arcUGmqA9b2VJODHR3ud8WBbE+VISgQu62x0m25mf3ApmIBfROyyeNi9ALSbRdNIwX9A3mGziuDseRoKNYLMX0Js8RcppJYwOmPj+MFiDhJwFXT Amazon-Redshift\n", + "ClusterNodes": [ + { + "NodeRole": "SHARED", + "PrivateIPAddress": "172.31.83.168", + "PublicIPAddress": "3.221.51.54" + } + ], + "ClusterRevisionNumber": "60353", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-598-redshift_instance_generation" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ], + 
"EnhancedVpcRouting": false, + "IamRoles": [], + "MaintenanceTrackName": "current", + "DeferredMaintenanceWindows": [], + "NextMaintenanceWindowStartTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 30, + "hour": 8, + "minute": 30, + "second": 0, + "microsecond": 0 + }, + "AvailabilityZoneRelocationStatus": "disabled", + "ClusterNamespaceArn": "arn:aws:redshift:us-east-1:644160558196:namespace:3aaaf1ee-3d46-4eab-8be2-1071795eb7e1", + "AquaConfiguration": { + "AquaStatus": "disabled", + "AquaConfigurationStatus": "auto" + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-598-redshift_instance_generation/red_policy_test.py b/tests/ecc-aws-598-redshift_instance_generation/red_policy_test.py new file mode 100644 index 000000000..7b360c014 --- /dev/null +++ b/tests/ecc-aws-598-redshift_instance_generation/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]['NodeType'], 'dc1.large') \ No newline at end of file From 113c7d80b2753114315ee4c84306b100dc2a74dc Mon Sep 17 00:00:00 2001 
From: Astr1k Date: Mon, 27 Nov 2023 15:13:54 +0000 Subject: [PATCH 13/18] new: added policy ecc-aws-566-opensearch_auto_tune_enabled --- ...c-aws-566-opensearch_auto_tune_enabled.yml | 18 ++++ .../green/os.tf | 18 ++++ .../green/provider.tf | 20 +++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 ++ .../iam/566-policy.json | 15 ++++ .../red/os.tf | 13 +++ .../red/provider.tf | 20 +++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 ++ .../es.DescribeElasticsearchDomains_1.json | 88 +++++++++++++++++++ .../placebo-green/es.ListDomainNames_1.json | 12 +++ .../placebo-green/es.ListTags_1.json | 16 ++++ .../es.DescribeElasticsearchDomains_1.json | 88 +++++++++++++++++++ .../placebo-red/es.ListDomainNames_1.json | 12 +++ .../placebo-red/es.ListTags_1.json | 16 ++++ .../red_policy_test.py | 5 ++ 17 files changed, 363 insertions(+) create mode 100644 policies/ecc-aws-566-opensearch_auto_tune_enabled.yml create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/os.tf create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/provider.tf create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/terraform.tfvars create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/variables.tf create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/os.tf create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/provider.tf create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/terraform.tfvars create mode 100644 terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/variables.tf create mode 100644 tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.DescribeElasticsearchDomains_1.json create mode 100644 tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListDomainNames_1.json create mode 100644 
tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListTags_1.json create mode 100644 tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.DescribeElasticsearchDomains_1.json create mode 100644 tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListDomainNames_1.json create mode 100644 tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListTags_1.json create mode 100644 tests/ecc-aws-566-opensearch_auto_tune_enabled/red_policy_test.py
diff --git a/policies/ecc-aws-566-opensearch_auto_tune_enabled.yml b/policies/ecc-aws-566-opensearch_auto_tune_enabled.yml
new file mode 100644
index 000000000..6df0d894f
--- /dev/null
+++ b/policies/ecc-aws-566-opensearch_auto_tune_enabled.yml
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-566-opensearch_auto_tune_enabled
+ comment: '010005052000'
+ description: |
+ Opensearch Auto-Tune not enabled
+ resource: elasticsearch
+ filters:
+ - not:
+ - type: value
+ key: AutoTuneOptions.State
+ value: ENABLED
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/os.tf b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/os.tf
new file mode 100644
index 000000000..0c55eae44
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/os.tf
@@ -0,0 +1,18 @@
+resource "aws_opensearch_domain" "this" {
+ domain_name = "domain-566-green"
+ engine_version = "OpenSearch_2.11"
+
+ cluster_config {
+ instance_type = "c6g.large.search"
+ }
+
+ auto_tune_options {
+ desired_state = "ENABLED"
+ rollback_on_disable = "NO_ROLLBACK"
+ }
+
+ ebs_options {
+ ebs_enabled = true
+ volume_size = 10
+ }
+}
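Review bot: The `not` / `value: ENABLED` filter in ecc-aws-566 fires for every state other than `ENABLED`, including the transitional `ENABLE_IN_PROGRESS`, and it also fires when `AutoTuneOptions.State` is absent, which covers domains on which Auto-Tune is not offered at all (to my knowledge the T2/T3 instance types, which is exactly what this patch's red fixture uses). Findings of that second kind cannot be remediated by turning Auto-Tune on, so either say so in the description or exclude instance types that cannot run it. At minimum, accepting `ENABLE_IN_PROGRESS` alongside `ENABLED` via `op: in` with `value: [ENABLED, ENABLE_IN_PROGRESS]` avoids a finding that appears and disappears during enablement.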
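Review bot: green/os.tf enables Auto-Tune but leaves `encrypt_at_rest`, `node_to_node_encryption` and `domain_endpoint_options { enforce_https = true }` unset and defines no `access_policies`; only `auto_tune_options` is under test, so the fixture can be hardened without affecting the finding. Enabling those in the green configuration (and in red where the instance type supports them) keeps a throwaway domain from being the weakest asset in the test account. `rollback_on_disable = "NO_ROLLBACK"` only takes effect on disable and is harmless here.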
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/provider.tf b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/provider.tf
new file mode 100644
index 000000000..3c29d4e7b
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-566-opensearch_auto_tune_enabled"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/terraform.tfvars b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/variables.tf b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json
new file mode 100644
index 000000000..59f1771e8
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/iam/566-policy.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:DescribeElasticsearchDomains",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/os.tf b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/os.tf
new file mode 100644
index 000000000..df2a77d55
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/os.tf
@@ -0,0 +1,13 @@
+resource "aws_opensearch_domain" "this" {
+ domain_name = "domain-566-red"
+ engine_version = "OpenSearch_2.11"
+
+ cluster_config {
+ instance_type = "t3.small.search"
+ }
+
+ ebs_options {
+ ebs_enabled = true
+ volume_size = 10
+ }
+}
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/provider.tf b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/provider.tf
new file mode 100644
index 000000000..2d4aa6fa1
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-566-opensearch_auto_tune_enabled"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/terraform.tfvars b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/variables.tf b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
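Review bot: The statement grants `es:DescribeDomains`, which the placebo recordings for this policy never call, but omits `es:ListDomainNames`, which they show is the first call the `elasticsearch` resource makes (es.ListDomainNames_1.json precedes DescribeElasticsearchDomains). A principal carrying only this file would fail with AccessDenied before reaching the describe call, unless ListDomainNames is supplied elsewhere, e.g. by the shared All-permissions set; add `"es:ListDomainNames"` and drop `es:DescribeDomains` if nothing uses it. `"Sid": "VisualEditor0"` is a console artifact; a descriptive Sid such as `"OpenSearchDescribeReadOnly"` documents intent for whoever audits the role later. `"Resource": "*"` is acceptable here since all three actions are read-only list/describe calls.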
+++ b/terraform/ecc-aws-566-opensearch_auto_tune_enabled/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.DescribeElasticsearchDomains_1.json b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.DescribeElasticsearchDomains_1.json new file mode 100644 index 000000000..3e6ba1f28 --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.DescribeElasticsearchDomains_1.json 
@@ -0,0 +1,88 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "DomainStatusList": [ + { + "DomainId": "644160558196/domain-566-green", + "DomainName": "domain-566-green", + "ARN": "arn:aws:es:us-east-1:644160558196:domain/domain-566-green", + "Created": true, + "Deleted": false, + "Endpoint": "search-domain-566-green-ah6lw32c5lqn5utokvyd3uavou.us-east-1.es.amazonaws.com", + "Processing": false, + "UpgradeProcessing": false, + "ElasticsearchVersion": "OpenSearch_2.11", + "ElasticsearchClusterConfig": { + "InstanceType": "t3.small.elasticsearch", + "InstanceCount": 1, + "DedicatedMasterEnabled": false, + "ZoneAwarenessEnabled": false, + "WarmEnabled": false, + "ColdStorageOptions": { + "Enabled": false + } + }, + "EBSOptions": { + "EBSEnabled": true, + "VolumeType": "gp3", + "VolumeSize": 10, + "Iops": 3000, + "Throughput": 125 + }, + "AccessPolicies": "", + "SnapshotOptions": { + "AutomatedSnapshotStartHour": 0 + }, + "CognitoOptions": { + "Enabled": false + }, + "EncryptionAtRestOptions": { + "Enabled": false + }, + "NodeToNodeEncryptionOptions": { + "Enabled": false + }, + "AdvancedOptions": { + "override_main_response_version": "false", + "rest.action.multi.allow_explicit_index": "true" + }, + "ServiceSoftwareOptions": { + "CurrentVersion": "OpenSearch_2_11_R20231113-P1", + "NewVersion": "", + "UpdateAvailable": false, + "Cancellable": false, + "UpdateStatus": "COMPLETED", + "Description": "There is no software update available for this domain.", + "AutomatedUpdateDate": { + "__class__": "datetime", + "year": 1970, + "month": 1, + "day": 1, + "hour": 0, + "minute": 0, + "second": 0, + "microsecond": 0 + }, + "OptionalDeployment": true + }, + "DomainEndpointOptions": { + "EnforceHTTPS": false, + "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07", + "CustomEndpointEnabled": false + }, + "AdvancedSecurityOptions": { + "Enabled": false, + "InternalUserDatabaseEnabled": false, + "AnonymousAuthEnabled": false + }, + "AutoTuneOptions": { + "State": 
"ENABLED" + }, + "ChangeProgressDetails": { + "ChangeId": "ba7ad78e-e099-4b02-ad06-a36738b6caf6" + } + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListDomainNames_1.json b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListDomainNames_1.json new file mode 100644 index 000000000..0053d40fa --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListDomainNames_1.json @@ -0,0 +1,12 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "DomainNames": [ + { + "DomainName": "domain-566-green", + "EngineType": "OpenSearch" + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListTags_1.json b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListTags_1.json new file mode 100644 index 000000000..a21196961 --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-green/es.ListTags_1.json @@ -0,0 +1,16 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-566-opensearch_auto_tune_enabled" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.DescribeElasticsearchDomains_1.json b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.DescribeElasticsearchDomains_1.json new file mode 100644 index 000000000..2a7c37331 --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.DescribeElasticsearchDomains_1.json 
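Review bot: The green recording looks hand-edited rather than captured from the green/os.tf domain: it reports `"InstanceType": "t3.small.elasticsearch"` while green/os.tf provisions `c6g.large.search`, and its `ChangeId` (`ba7ad78e-...`) is identical to the one in the red recording. That matters because this fixture is the only evidence in the change that a live domain reaches `AutoTuneOptions.State = ENABLED` with the green configuration. A fresh placebo capture from the green deployment would make the green test meaningful; failing that, at least align the instance type with the terraform so the fixture is self-consistent.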
@@ -0,0 +1,88 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "DomainStatusList": [ + { + "DomainId": "644160558196/domain-566-red", + "DomainName": "domain-566-red", + "ARN": "arn:aws:es:us-east-1:644160558196:domain/domain-566-red", + "Created": true, + "Deleted": false, + "Endpoint": "search-domain-566-red-fh6lw32c5lqn5utokvyd3uavou.us-east-1.es.amazonaws.com", + "Processing": false, + "UpgradeProcessing": false, + "ElasticsearchVersion": "OpenSearch_2.11", + "ElasticsearchClusterConfig": { + "InstanceType": "t3.small.elasticsearch", + "InstanceCount": 1, + "DedicatedMasterEnabled": false, + "ZoneAwarenessEnabled": false, + "WarmEnabled": false, + "ColdStorageOptions": { + "Enabled": false + } + }, + "EBSOptions": { + "EBSEnabled": true, + "VolumeType": "gp3", + "VolumeSize": 10, + "Iops": 3000, + "Throughput": 125 + }, + "AccessPolicies": "", + "SnapshotOptions": { + "AutomatedSnapshotStartHour": 0 + }, + "CognitoOptions": { + "Enabled": false + }, + "EncryptionAtRestOptions": { + "Enabled": false + }, + "NodeToNodeEncryptionOptions": { + "Enabled": false + }, + "AdvancedOptions": { + "override_main_response_version": "false", + "rest.action.multi.allow_explicit_index": "true" + }, + "ServiceSoftwareOptions": { + "CurrentVersion": "OpenSearch_2_11_R20231113-P1", + "NewVersion": "", + "UpdateAvailable": false, + "Cancellable": false, + "UpdateStatus": "COMPLETED", + "Description": "There is no software update available for this domain.", + "AutomatedUpdateDate": { + "__class__": "datetime", + "year": 1970, + "month": 1, + "day": 1, + "hour": 0, + "minute": 0, + "second": 0, + "microsecond": 0 + }, + "OptionalDeployment": true + }, + "DomainEndpointOptions": { + "EnforceHTTPS": false, + "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07", + "CustomEndpointEnabled": false + }, + "AdvancedSecurityOptions": { + "Enabled": false, + "InternalUserDatabaseEnabled": false, + "AnonymousAuthEnabled": false + }, + "AutoTuneOptions": { + "State": "DISABLED" 
+ }, + "ChangeProgressDetails": { + "ChangeId": "ba7ad78e-e099-4b02-ad06-a36738b6caf6" + } + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListDomainNames_1.json b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListDomainNames_1.json new file mode 100644 index 000000000..ab411a6a3 --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListDomainNames_1.json @@ -0,0 +1,12 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "DomainNames": [ + { + "DomainName": "domain-566-red", + "EngineType": "OpenSearch" + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListTags_1.json b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListTags_1.json new file mode 100644 index 000000000..531ebfde2 --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/placebo-red/es.ListTags_1.json @@ -0,0 +1,16 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-566-opensearch_auto_tune_enabled" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ] + } +} \ No newline at end of file diff --git a/tests/ecc-aws-566-opensearch_auto_tune_enabled/red_policy_test.py b/tests/ecc-aws-566-opensearch_auto_tune_enabled/red_policy_test.py new file mode 100644 index 000000000..83ac937a1 --- /dev/null +++ b/tests/ecc-aws-566-opensearch_auto_tune_enabled/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertNotEqual(resources[0]['AutoTuneOptions']['State'], 'ENABLED') \ No newline at end of file From 44718653034439748bb490bd36e99e81f8113bc1 Mon Sep 17 00:00:00 2001 
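Review bot: `resources[0]['AutoTuneOptions']['State']` raises KeyError instead of failing cleanly if a matched domain has no `AutoTuneOptions` block, and the policy's `not` filter does match such domains (a missing key is unequal to ENABLED). Index defensively, `base_test.assertNotEqual(resources[0].get('AutoTuneOptions', {}).get('State'), 'ENABLED')`, and pin which resource was matched with `base_test.assertEqual(resources[0]['DomainName'], 'domain-566-red')` so a wrong match cannot pass on count alone.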
From: Astr1k Date: Wed, 29 Nov 2023 09:03:03 +0000 Subject: [PATCH 14/18] new: added policy ecc-aws-602-cloudwatch_logs_with_no_log_retention_period --- ...atch_logs_with_no_log_retention_period.yml | 17 ++++++++++++++ .../green/log_group.tf | 4 ++++ .../green/provider.tf | 20 +++++++++++++++++ .../green/terraform.tfvars | 2 ++ .../green/variables.tf | 9 ++++++++ .../iam/602-policy.json | 14 ++++++++++++ .../red/log_group.tf | 4 ++++ .../red/provider.tf | 20 +++++++++++++++++ .../red/terraform.tfvars | 2 ++ .../red/variables.tf | 9 ++++++++ .../logs.DescribeLogGroups_1.json | 16 ++++++++++++++ .../placebo-green/tagging.GetResources_1.json | 22 +++++++++++++++++++ .../placebo-red/logs.DescribeLogGroups_1.json | 15 +++++++++++++ .../placebo-red/tagging.GetResources_1.json | 22 +++++++++++++++++++ .../red_policy_test.py | 5 +++++ 15 files changed, 181 insertions(+) create mode 100644 policies/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period.yml create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/log_group.tf create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/provider.tf create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/terraform.tfvars create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/variables.tf create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/iam/602-policy.json create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/log_group.tf create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/provider.tf create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/terraform.tfvars create mode 100644 terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/variables.tf create mode 100644 
tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/logs.DescribeLogGroups_1.json create mode 100644 tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/logs.DescribeLogGroups_1.json create mode 100644 tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red_policy_test.py diff --git a/policies/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period.yml b/policies/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period.yml new file mode 100644 index 000000000..28fe09ab0 --- /dev/null +++ b/policies/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period.yml @@ -0,0 +1,17 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-602-cloudwatch_logs_with_no_log_retention_period + comment: '010009012000' + description: | + CloudWatch Log Group does not have retention period + resource: log-group + filters: + - type: value + key: retentionInDays + value: absent \ No newline at end of file diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/log_group.tf b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/log_group.tf new file mode 100644 index 000000000..452a31195 --- /dev/null +++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/log_group.tf @@ -0,0 +1,4 @@ +resource "aws_cloudwatch_log_group" "this" { + name = "cloudwatch_602_log_group_green" + retention_in_days = 180 +} 
diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/provider.tf b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/provider.tf new file mode 100644 index 000000000..feeef5323 --- /dev/null +++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws"{ + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-602-cloudwatch_logs_with_no_log_retention_period" + ComplianceStatus = "Green" + } + } +} diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/terraform.tfvars b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/terraform.tfvars new file mode 100644 index 000000000..368bc468f --- /dev/null +++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" \ No newline at end of file diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/variables.tf b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/green/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/iam/602-policy.json b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/iam/602-policy.json new file mode 100644 index 000000000..4700edf97 --- /dev/null 
+++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/iam/602-policy.json
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "logs:DescribeLogGroups",
+ "tag:GetResources"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/log_group.tf b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/log_group.tf
new file mode 100644
index 000000000..dfd4ebf33
--- /dev/null
+++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/log_group.tf
@@ -0,0 +1,4 @@
+resource "aws_cloudwatch_log_group" "this" {
+ name = "cloudwatch_602_log_group_red"
+ retention_in_days = 0
+}
diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/provider.tf b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/provider.tf
new file mode 100644
index 000000000..7af168651
--- /dev/null
+++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws"{
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-602-cloudwatch_logs_with_no_log_retention_period"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/terraform.tfvars b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
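Review bot: `provider "aws"{` in red/provider.tf (and the green copy in the preceding hunk) is not `terraform fmt`-clean and differs from the `provider "aws" {` spelling used by the 566 and 586 provider files in this same series; run `terraform fmt` on the 602 directories so the fixtures stay uniform. The rest of the hunk is fine: `retention_in_days = 0` is the provider's "never expire" value, which is exactly what the red placebo shows as an absent `retentionInDays`, and the IAM statement matches the two calls the recordings make.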
diff --git a/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/variables.tf b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/variables.tf new file mode 100644 index 000000000..948c49afd --- /dev/null +++ b/terraform/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} \ No newline at end of file diff --git a/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/logs.DescribeLogGroups_1.json b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/logs.DescribeLogGroups_1.json new file mode 100644 index 000000000..49c2533cc --- /dev/null +++ b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/logs.DescribeLogGroups_1.json @@ -0,0 +1,16 @@ +{ + "status_code": 200, + "data": { + "logGroups": [ + { + "logGroupName": "cloudwatch_602_log_group_green", + "creationTime": 1700479492806, + "retentionInDays": 180, + "metricFilterCount": 0, + "arn": "arn:aws:logs:us-east-1:644160558196:log-group:cloudwatch_602_log_group_green:*", + "storedBytes": 0 + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..5428476ef --- /dev/null +++ b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-green/tagging.GetResources_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:logs:us-east-1:644160558196:log-group:cloudwatch_602_log_group_green", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-602-cloudwatch_logs_with_no_log_retention_period" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/logs.DescribeLogGroups_1.json b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/logs.DescribeLogGroups_1.json new file mode 100644 index 000000000..ea0e83677 --- /dev/null +++ b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/logs.DescribeLogGroups_1.json @@ -0,0 +1,15 @@ +{ + "status_code": 200, + "data": { + "logGroups": [ + { + "logGroupName": "cloudwatch_602_log_group_red", + "creationTime": 1700484862998, + "metricFilterCount": 0, + "arn": "arn:aws:logs:us-east-1:644160558196:log-group:cloudwatch_602_log_group_red:*", + "storedBytes": 0 + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..20f84c559 --- /dev/null +++ b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/placebo-red/tagging.GetResources_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:logs:us-east-1:644160558196:log-group:cloudwatch_602_log_group_red", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-602-cloudwatch_logs_with_no_log_retention_period" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red_policy_test.py b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red_policy_test.py new file mode 100644 index 000000000..da1a0d8c2 --- /dev/null +++ b/tests/ecc-aws-602-cloudwatch_logs_with_no_log_retention_period/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertNotIn('retentionInDays', resources[0]) \ No newline at end of file From 203dd37badfde1afbc98be94ce5113bbc76f4fcd Mon Sep 17 00:00:00 2001 
From: Astr1k Date: Tue, 21 Nov 2023 13:08:44 +0000 Subject: [PATCH 15/18] new: added policy ecc-aws-586-elasticsearch_general_purpose_ssd_volume --- ...asticsearch_general_purpose_ssd_volume.yml | 18 ++++ .../green/es.tf | 16 ++++ .../green/provider.tf | 20 +++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 ++ .../iam/586-policy.json | 15 ++++ .../red/es.tf | 16 ++++ .../red/provider.tf | 20 +++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 ++ .../es.DescribeElasticsearchDomains_1.json | 88 +++++++++++++++++++ .../placebo-green/es.ListDomainNames_1.json | 12 +++ .../placebo-green/es.ListTags_1.json | 16 ++++ .../es.DescribeElasticsearchDomains_1.json | 87 ++++++++++++++++++ .../placebo-red/es.ListDomainNames_1.json | 12 +++ .../placebo-red/es.ListTags_1.json | 16 ++++ .../red_policy_test.py | 5 ++ 17 files changed, 363 insertions(+) create mode 100644 policies/ecc-aws-586-elasticsearch_general_purpose_ssd_volume.yml create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/es.tf create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/provider.tf create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/terraform.tfvars create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/variables.tf create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/es.tf create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/provider.tf create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/terraform.tfvars create mode 100644 terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/variables.tf create mode 100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.DescribeElasticsearchDomains_1.json create mode 
100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListDomainNames_1.json create mode 100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListTags_1.json create mode 100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.DescribeElasticsearchDomains_1.json create mode 100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListDomainNames_1.json create mode 100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListTags_1.json create mode 100644 tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red_policy_test.py diff --git a/policies/ecc-aws-586-elasticsearch_general_purpose_ssd_volume.yml b/policies/ecc-aws-586-elasticsearch_general_purpose_ssd_volume.yml new file mode 100644 index 000000000..196367cb1 --- /dev/null +++ b/policies/ecc-aws-586-elasticsearch_general_purpose_ssd_volume.yml @@ -0,0 +1,18 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-586-elasticsearch_general_purpose_ssd_volume + comment: '010007052000' + description: | + ElasticSearch instance not uses general purpose ssd + resource: elasticsearch + filters: + - not: + - type: value + key: EBSOptions.VolumeType + value: gp3 diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/es.tf b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/es.tf new file mode 100644 index 000000000..78a14b9dc --- /dev/null +++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/es.tf 
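Review bot: The filter reports any domain whose `EBSOptions.VolumeType` is not exactly `gp3`, which is broader than the description "not uses general purpose ssd": gp2 is also a general-purpose SSD type and is flagged, and domains with `EBSOptions.EBSEnabled: false` (instance-store backed types) have no VolumeType at all and are flagged although EBS does not apply to them. If gp3 specifically is the requirement, the description should say so; otherwise scope the check to EBS-backed domains and accept both gp types as below. Either way the description should read "OpenSearch domain does not use a general purpose SSD (gp2/gp3) EBS volume".
```yaml
  filters:
    - type: value
      key: EBSOptions.EBSEnabled
      value: true
    - type: value
      key: EBSOptions.VolumeType
      op: not-in
      value: [gp2, gp3]
```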
@@ -0,0 +1,16 @@ +resource "aws_opensearch_domain" "this" { + domain_name = "domain-586-green" + engine_version = "OpenSearch_2.11" + + cluster_config { + instance_type = "t3.small.search" + dedicated_master_enabled = false + } + + ebs_options { + ebs_enabled = true + volume_size = 10 + volume_type = "gp3" + throughput = 125 + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/provider.tf b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/provider.tf new file mode 100644 index 000000000..8eddae641 --- /dev/null +++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-586-elasticsearch_general_purpose_ssd_volume" + ComplianceStatus = "Green" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/terraform.tfvars b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/variables.tf b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/green/variables.tf 
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json
new file mode 100644
index 000000000..a85e973a9
--- /dev/null
+++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/iam/586-policy.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "es:DescribeDomains",
+ "es:DescribeElasticsearchDomains",
+ "es:ListTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/es.tf b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/es.tf
new file mode 100644
index 000000000..2c66ec0e1
--- /dev/null
+++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/es.tf
@@ -0,0 +1,16 @@
+resource "aws_opensearch_domain" "this" {
+ domain_name = "domain-586-red"
+ engine_version = "OpenSearch_2.11"
+
+ cluster_config {
+ instance_type = "t2.small.search"
+ dedicated_master_enabled = false
+ }
+
+ ebs_options {
+ ebs_enabled = true
+ volume_size = 35
+ volume_type = "io1"
+ iops = 1000
+ }
+}
diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/provider.tf b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/provider.tf
new file mode 100644
index 000000000..1178b977c
--- /dev/null
+++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/provider.tf
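Review bot: As with the 566 policy file, this statement omits `es:ListDomainNames` even though the 586 placebo recordings (es.ListDomainNames_1.json) show it is the first call the `elasticsearch` resource makes, while `es:DescribeDomains` is granted but never exercised. Unless ListDomainNames is provided by a shared policy, a role built from this file alone fails before any domain is described; add `"es:ListDomainNames"` and remove `es:DescribeDomains` if it is unused. Replacing the console-generated `"Sid": "VisualEditor0"` with a descriptive Sid would also help anyone auditing the role.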
@@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-586-elasticsearch_general_purpose_ssd_volume" + ComplianceStatus = "Red" + } + } +} \ No newline at end of file diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/terraform.tfvars b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/variables.tf b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.DescribeElasticsearchDomains_1.json b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.DescribeElasticsearchDomains_1.json new file mode 100644 index 000000000..d29aee550 --- /dev/null +++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.DescribeElasticsearchDomains_1.json 
@@ -0,0 +1,88 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "DomainStatusList": [ + { + "DomainId": "644160558196/domain-586-green", + "DomainName": "domain-586-green", + "ARN": "arn:aws:es:us-east-1:644160558196:domain/domain-586-green", + "Created": true, + "Deleted": false, + "Endpoint": "search-domain-586-green-i4mdaxicvk24bxeevxxcsfcm44.us-east-1.es.amazonaws.com", + "Processing": false, + "UpgradeProcessing": false, + "ElasticsearchVersion": "OpenSearch_2.11", + "ElasticsearchClusterConfig": { + "InstanceType": "t3.small.elasticsearch", + "InstanceCount": 1, + "DedicatedMasterEnabled": false, + "ZoneAwarenessEnabled": false, + "WarmEnabled": false, + "ColdStorageOptions": { + "Enabled": false + } + }, + "EBSOptions": { + "EBSEnabled": true, + "VolumeType": "gp3", + "VolumeSize": 10, + "Iops": 3000, + "Throughput": 125 + }, + "AccessPolicies": "", + "SnapshotOptions": { + "AutomatedSnapshotStartHour": 0 + }, + "CognitoOptions": { + "Enabled": false + }, + "EncryptionAtRestOptions": { + "Enabled": false + }, + "NodeToNodeEncryptionOptions": { + "Enabled": false + }, + "AdvancedOptions": { + "override_main_response_version": "false", + "rest.action.multi.allow_explicit_index": "true" + }, + "ServiceSoftwareOptions": { + "CurrentVersion": "OpenSearch_2_11_R20231113-P1", + "NewVersion": "", + "UpdateAvailable": false, + "Cancellable": false, + "UpdateStatus": "COMPLETED", + "Description": "There is no software update available for this domain.", + "AutomatedUpdateDate": { + "__class__": "datetime", + "year": 1970, + "month": 1, + "day": 1, + "hour": 0, + "minute": 0, + "second": 0, + "microsecond": 0 + }, + "OptionalDeployment": true + }, + "DomainEndpointOptions": { + "EnforceHTTPS": false, + "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07", + "CustomEndpointEnabled": false + }, + "AdvancedSecurityOptions": { + "Enabled": false, + "InternalUserDatabaseEnabled": false, + "AnonymousAuthEnabled": false + }, + "AutoTuneOptions": { + "State": 
"DISABLED"
+ },
+ "ChangeProgressDetails": {
+ "ChangeId": "558e60bd-9342-46c2-b99e-6a37381cc7c8"
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListDomainNames_1.json b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListDomainNames_1.json
new file mode 100644
index 000000000..84a653c2e
--- /dev/null
+++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListDomainNames_1.json
@@ -0,0 +1,12 @@
+{
+ "status_code": 200,
+ "data": {
+ "ResponseMetadata": {},
+ "DomainNames": [
+ {
+ "DomainName": "domain-586-green",
+ "EngineType": "OpenSearch"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListTags_1.json b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListTags_1.json
new file mode 100644
index 000000000..9e0b61ba7
--- /dev/null
+++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-green/es.ListTags_1.json
@@ -0,0 +1,16 @@
+{
+ "status_code": 200,
+ "data": {
+ "ResponseMetadata": {},
+ "TagList": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-586-elasticsearch_general_purpose_ssd_volume"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Green"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.DescribeElasticsearchDomains_1.json b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.DescribeElasticsearchDomains_1.json
new file mode 100644
index 000000000..2f3399194
--- /dev/null
+++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.DescribeElasticsearchDomains_1.json
@@ -0,0 +1,87 @@ +{ + "status_code": 200, + "data": { + "ResponseMetadata": {}, + "DomainStatusList": [ + { + "DomainId": "644160558196/domain-586-red", + "DomainName": "domain-586-red", + "ARN": "arn:aws:es:us-east-1:644160558196:domain/domain-586-red", + "Created": true, + "Deleted": false, + "Endpoint": "search-domain-586-red-okzsr5xqeqq5frfzrsvaqendny.us-east-1.es.amazonaws.com", + "Processing": false, + "UpgradeProcessing": false, + "ElasticsearchVersion": "OpenSearch_2.11", + "ElasticsearchClusterConfig": { + "InstanceType": "t2.small.elasticsearch", + "InstanceCount": 1, + "DedicatedMasterEnabled": false, + "ZoneAwarenessEnabled": false, + "WarmEnabled": false, + "ColdStorageOptions": { + "Enabled": false + } + }, + "EBSOptions": { + "EBSEnabled": true, + "VolumeType": "io1", + "VolumeSize": 35, + "Iops": 1000 + }, + "AccessPolicies": "", + "SnapshotOptions": { + "AutomatedSnapshotStartHour": 0 + }, + "CognitoOptions": { + "Enabled": false + }, + "EncryptionAtRestOptions": { + "Enabled": false + }, + "NodeToNodeEncryptionOptions": { + "Enabled": false + }, + "AdvancedOptions": { + "override_main_response_version": "false", + "rest.action.multi.allow_explicit_index": "true" + }, + "ServiceSoftwareOptions": { + "CurrentVersion": "OpenSearch_2_11_R20231113-P1", + "NewVersion": "", + "UpdateAvailable": false, + "Cancellable": false, + "UpdateStatus": "COMPLETED", + "Description": "There is no software update available for this domain.", + "AutomatedUpdateDate": { + "__class__": "datetime", + "year": 1970, + "month": 1, + "day": 1, + "hour": 0, + "minute": 0, + "second": 0, + "microsecond": 0 + }, + "OptionalDeployment": true + }, + "DomainEndpointOptions": { + "EnforceHTTPS": false, + "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07", + "CustomEndpointEnabled": false + }, + "AdvancedSecurityOptions": { + "Enabled": false, + "InternalUserDatabaseEnabled": false, + "AnonymousAuthEnabled": false + }, + "AutoTuneOptions": { + "State": "DISABLED" + }, + 
"ChangeProgressDetails": {
+ "ChangeId": "d462d15c-0b5a-4b40-950f-38307df63f28"
+ }
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListDomainNames_1.json b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListDomainNames_1.json
new file mode 100644
index 000000000..8bacbf53e
--- /dev/null
+++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListDomainNames_1.json
@@ -0,0 +1,12 @@
+{
+ "status_code": 200,
+ "data": {
+ "ResponseMetadata": {},
+ "DomainNames": [
+ {
+ "DomainName": "domain-586-red",
+ "EngineType": "OpenSearch"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListTags_1.json b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListTags_1.json
new file mode 100644
index 000000000..14219ec0d
--- /dev/null
+++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/placebo-red/es.ListTags_1.json
@@ -0,0 +1,16 @@
+{
+ "status_code": 200,
+ "data": {
+ "ResponseMetadata": {},
+ "TagList": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-586-elasticsearch_general_purpose_ssd_volume"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ]
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red_policy_test.py b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red_policy_test.py
new file mode 100644
index 000000000..f801982d0
--- /dev/null
+++ b/tests/ecc-aws-586-elasticsearch_general_purpose_ssd_volume/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(resources[0]['EBSOptions']['VolumeType'], "io1")
\ No newline at end of file
From 6ec8467035a418bc05c53a67d633a0606199968d Mon Sep 17 00:00:00 2001
From: Astr1k Date: Tue, 28 Nov 2023 13:26:17 +0000 Subject: [PATCH 16/18] new: added policy ecc-aws-630-ec2_ami_not_in_use --- policies/ecc-aws-630-ec2_ami_not_in_use.yml | 16 ++ .../green/ec2.tf | 42 ++++ .../green/provider.tf | 20 ++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 + .../iam/630-policy.json | 15 ++ .../ecc-aws-630-ec2_ami_not_in_use/red/ec2.tf | 23 ++ .../red/provider.tf | 20 ++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 + ...toscaling.DescribeAutoScalingGroups_1.json | 7 + .../placebo-green/ec2.DescribeImages_1.json | 49 +++++ .../ec2.DescribeInstances_1.json | 198 ++++++++++++++++++ ...toscaling.DescribeAutoScalingGroups_1.json | 7 + .../placebo-red/ec2.DescribeImages_1.json | 49 +++++ .../placebo-red/ec2.DescribeInstances_1.json | 198 ++++++++++++++++++ .../red_policy_test.py | 8 + 17 files changed, 674 insertions(+) create mode 100644 policies/ecc-aws-630-ec2_ami_not_in_use.yml create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/green/ec2.tf create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/green/provider.tf create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/green/terraform.tfvars create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/green/variables.tf create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/red/ec2.tf create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/red/provider.tf create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/red/terraform.tfvars create mode 100644 terraform/ecc-aws-630-ec2_ami_not_in_use/red/variables.tf create mode 100644 tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json create mode 100644 tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeImages_1.json create mode 100644 tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeInstances_1.json create mode 100644 
tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json create mode 100644 tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeImages_1.json create mode 100644 tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeInstances_1.json create mode 100644 tests/ecc-aws-630-ec2_ami_not_in_use/red_policy_test.py diff --git a/policies/ecc-aws-630-ec2_ami_not_in_use.yml b/policies/ecc-aws-630-ec2_ami_not_in_use.yml new file mode 100644 index 000000000..8c5e6b253 --- /dev/null +++ b/policies/ecc-aws-630-ec2_ami_not_in_use.yml @@ -0,0 +1,16 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-630-ec2_ami_not_in_use + comment: '010002032000' + description: | + AMI not in use + resource: aws.ami + filters: + - type: unused + value: true diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/green/ec2.tf b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/ec2.tf new file mode 100644 index 000000000..571ed5297 --- /dev/null +++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/ec2.tf 
@@ -0,0 +1,42 @@
+resource "aws_instance" "ami" {
+ ami = data.aws_ami.ami.id
+ instance_type = "t2.micro"
+
+ tags = {
+ Name = "630_instance_green_ami"
+ }
+}
+
+data "aws_ami" "ami" {
+ most_recent = true
+ owners = ["amazon"]
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+resource "aws_ami_from_instance" "this" {
+ name = "630_ami_green"
+ source_instance_id = aws_instance.ami.id
+}
+
+
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t2.micro"
+
+ tags = {
+ Name = "630_instance_green"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["self"]
+ filter {
+ name = "name"
+ values = ["630_ami_green"]
+ }
+ depends_on = [aws_ami_from_instance.this]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/green/provider.tf b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/provider.tf
new file mode 100644
index 000000000..09166a501
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-630-ec2_ami_not_in_use"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/green/terraform.tfvars b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/green/variables.tf b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/variables.tf
new file mode 100644
index 000000000..09e482677
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json b/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json
new file mode 100644
index 000000000..b8598f1d5
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/iam/630-policy.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/red/ec2.tf b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/ec2.tf
new file mode 100644
index 000000000..e45b41db3
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/ec2.tf
@@ -0,0 +1,23 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t2.micro"
+
+ tags = {
+ Name = "630_instance_red"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+resource "aws_ami_from_instance" "this" {
+ name = "630_ami_red"
+ source_instance_id = aws_instance.this.id
+ depends_on = [aws_instance.this]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/red/provider.tf b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/provider.tf
new file mode 100644
index 000000000..15ec481d3
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/provider.tf
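Review bot: 630-policy.json does not grant `ec2:DescribeImages`, although enumerating the `aws.ami` resource is recorded as `ec2.DescribeImages_1.json` in the fixtures this patch adds, so a run limited to this policy is denied before the `unused` filter ever executes. Add `"ec2:DescribeImages",` to the Action array. If the installed Custodian release's `unused` filter also resolves launch templates in addition to launch configurations, `ec2:DescribeLaunchTemplateVersions` may be required as well; verify against the filter implementation before relying on this least-privilege set.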
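Review bot: In red/ec2.tf the `depends_on = [aws_instance.this]` on `aws_ami_from_instance.this` is redundant, because `source_instance_id = aws_instance.this.id` already establishes that dependency, and the green variant of the same resource omits it. Removing the line keeps the two variants consistent and avoids suggesting an ordering constraint that the reference does not already provide.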
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-630-ec2_ami_not_in_use"
+ ComplianceStatus = "Red"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/red/terraform.tfvars b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-630-ec2_ami_not_in_use/red/variables.tf b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/variables.tf
new file mode 100644
index 000000000..09e482677
--- /dev/null
+++ b/terraform/ecc-aws-630-ec2_ami_not_in_use/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json
new file mode 100644
index 000000000..046123e53
--- /dev/null
+++ b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json
@@ -0,0 +1,7 @@
+{
+ "status_code": 200,
+ "data": {
+ "AutoScalingGroups": [],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeImages_1.json b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeImages_1.json
new file mode 100644
index 000000000..cff278787
--- /dev/null
+++ b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeImages_1.json @@ -0,0 +1,49 @@ +{ + "status_code": 200, + "data": { + "Images": [ + { + "Architecture": "x86_64", + "CreationDate": "2023-11-28T10:16:53.000Z", + "ImageId": "ami-054f2f6bd6064a7b0", + "ImageLocation": "644160558196/630_ami_green", + "ImageType": "machine", + "Public": false, + "OwnerId": "644160558196", + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "State": "available", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "DeleteOnTermination": true, + "SnapshotId": "snap-0fe44d0ad75998f3a", + "VolumeSize": 8, + "VolumeType": "gp2", + "Encrypted": false + } + } + ], + "EnaSupport": true, + "Hypervisor": "xen", + "Name": "630_ami_green", + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SriovNetSupport": "simple", + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-630-ec2_ami_not_in_use" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ], + "VirtualizationType": "hvm" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeInstances_1.json b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeInstances_1.json new file mode 100644 index 000000000..2b54530e5 --- /dev/null +++ b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-green/ec2.DescribeInstances_1.json 
@@ -0,0 +1,198 @@ +{ + "status_code": 200, + "data": { + "Reservations": [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-054f2f6bd6064a7b0", + "InstanceId": "i-03ea3255b358e3e16", + "InstanceType": "t2.micro", + "LaunchTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 10, + "minute": 20, + "second": 29, + "microsecond": 0 + }, + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1d", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-30-133.ec2.internal", + "PrivateIpAddress": "172.31.30.133", + "ProductCodes": [], + "PublicDnsName": "ec2-18-212-233-129.compute-1.amazonaws.com", + "PublicIpAddress": "18.212.233.129", + "State": { + "Code": 16, + "Name": "running" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-fa9dcab7", + "VpcId": "vpc-ad9744d0", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 10, + "minute": 20, + "second": 30, + "microsecond": 0 + }, + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-0046ef0709add6743" + } + } + ], + "ClientToken": "terraform-20231128102027934600000001", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-18-212-233-129.compute-1.amazonaws.com", + "PublicIp": "18.212.233.129" + }, + "Attachment": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 10, + "minute": 20, + "second": 29, + "microsecond": 0 + }, + "AttachmentId": "eni-attach-00a31a588a1d7026c", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" 
+ } + ], + "Ipv6Addresses": [], + "MacAddress": "0a:85:60:49:38:19", + "NetworkInterfaceId": "eni-0444476c4849d6c20", + "OwnerId": "644160558196", + "PrivateDnsName": "ip-172-31-30-133.ec2.internal", + "PrivateIpAddress": "172.31.30.133", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-18-212-233-129.compute-1.amazonaws.com", + "PublicIp": "18.212.233.129" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-30-133.ec2.internal", + "PrivateIpAddress": "172.31.30.133" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-fa9dcab7", + "VpcId": "vpc-ad9744d0", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + ], + "SourceDestCheck": true, + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-630-ec2_ami_not_in_use" + }, + { + "Key": "Name", + "Value": "630_instance_green" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "InstanceMetadataTags": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 10, + "minute": 20, + "second": 29, + "microsecond": 0 + }, + "PrivateDnsNameOptions": { + "HostnameType": "ip-name", + "EnableResourceNameDnsARecord": false, + "EnableResourceNameDnsAAAARecord": false + }, + "MaintenanceOptions": { + "AutoRecovery": 
"default" + }, + "CurrentInstanceBootMode": "legacy-bios" + } + ], + "OwnerId": "644160558196", + "ReservationId": "r-0f2befbbd584d8248" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json new file mode 100644 index 000000000..046123e53 --- /dev/null +++ b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json @@ -0,0 +1,7 @@ +{ + "status_code": 200, + "data": { + "AutoScalingGroups": [], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeImages_1.json b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeImages_1.json new file mode 100644 index 000000000..e7188d2de --- /dev/null +++ b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeImages_1.json 
@@ -0,0 +1,49 @@ +{ + "status_code": 200, + "data": { + "Images": [ + { + "Architecture": "x86_64", + "CreationDate": "2023-11-28T09:40:01.000Z", + "ImageId": "ami-04e00817508275ea5", + "ImageLocation": "644160558196/630_ami_red", + "ImageType": "machine", + "Public": false, + "OwnerId": "644160558196", + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "State": "available", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "DeleteOnTermination": true, + "SnapshotId": "snap-0ed317e361eea4e6c", + "VolumeSize": 8, + "VolumeType": "gp2", + "Encrypted": false + } + } + ], + "EnaSupport": true, + "Hypervisor": "xen", + "Name": "630_ami_red", + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SriovNetSupport": "simple", + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-630-ec2_ami_not_in_use" + } + ], + "VirtualizationType": "hvm" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeInstances_1.json b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeInstances_1.json new file mode 100644 index 000000000..c03eefcc2 --- /dev/null +++ b/tests/ecc-aws-630-ec2_ami_not_in_use/placebo-red/ec2.DescribeInstances_1.json 
@@ -0,0 +1,198 @@ +{ + "status_code": 200, + "data": { + "Reservations": [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-0588935a949f9ff17", + "InstanceId": "i-07d288cfe4d3d4441", + "InstanceType": "t2.micro", + "LaunchTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 9, + "minute": 30, + "second": 8, + "microsecond": 0 + }, + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1d", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-24-198.ec2.internal", + "PrivateIpAddress": "172.31.24.198", + "ProductCodes": [], + "PublicDnsName": "ec2-54-144-221-98.compute-1.amazonaws.com", + "PublicIpAddress": "54.144.221.98", + "State": { + "Code": 16, + "Name": "running" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-fa9dcab7", + "VpcId": "vpc-ad9744d0", + "Architecture": "x86_64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 9, + "minute": 30, + "second": 9, + "microsecond": 0 + }, + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-0f06fa19b6ec345c4" + } + } + ], + "ClientToken": "terraform-20231128093007285000000001", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-54-144-221-98.compute-1.amazonaws.com", + "PublicIp": "54.144.221.98" + }, + "Attachment": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 9, + "minute": 30, + "second": 8, + "microsecond": 0 + }, + "AttachmentId": "eni-attach-0e3491ebf7916fac2", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + ], + 
"Ipv6Addresses": [], + "MacAddress": "0a:d3:54:1d:db:27", + "NetworkInterfaceId": "eni-016535eaedf242068", + "OwnerId": "644160558196", + "PrivateDnsName": "ip-172-31-24-198.ec2.internal", + "PrivateIpAddress": "172.31.24.198", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-54-144-221-98.compute-1.amazonaws.com", + "PublicIp": "54.144.221.98" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-24-198.ec2.internal", + "PrivateIpAddress": "172.31.24.198" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-fa9dcab7", + "VpcId": "vpc-ad9744d0", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "default", + "GroupId": "sg-a5befc90" + } + ], + "SourceDestCheck": true, + "Tags": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-630-ec2_ami_not_in_use" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "Name", + "Value": "630_instance_red" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "InstanceMetadataTags": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": { + "__class__": "datetime", + "year": 2023, + "month": 11, + "day": 28, + "hour": 9, + "minute": 30, + "second": 8, + "microsecond": 0 + }, + "PrivateDnsNameOptions": { + "HostnameType": "ip-name", + "EnableResourceNameDnsARecord": false, + "EnableResourceNameDnsAAAARecord": false + }, + "MaintenanceOptions": { + "AutoRecovery": "default" + }, + 
"CurrentInstanceBootMode": "legacy-bios"
+ }
+ ],
+ "OwnerId": "644160558196",
+ "ReservationId": "r-0fa278a70e76589bb"
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-630-ec2_ami_not_in_use/red_policy_test.py b/tests/ecc-aws-630-ec2_ami_not_in_use/red_policy_test.py
new file mode 100644
index 000000000..71be852f8
--- /dev/null
+++ b/tests/ecc-aws-630-ec2_ami_not_in_use/red_policy_test.py
@@ -0,0 +1,8 @@
+class PolicyTest(object):
+
+ def test_resources_with_client(self, base_test, resources, local_session):
+ base_test.assertEqual(len(resources), 1)
+ base_ami = resources[0]['ImageId']
+ ami_client = local_session.client("ec2").describe_instances()
+ ec2_ami = ami_client['Reservations'][0]['Instances'][0]['ImageId']
+ base_test.assertNotEqual(base_ami, ec2_ami)
\ No newline at end of file
From 22888bcf5bc537fa5c8ad67a9cde06d9846c44d8 Mon Sep 17 00:00:00 2001
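Review bot: In test_resources_with_client the local name `ami_client` holds the describe_instances() response rather than a client, and `base_ami` holds the ImageId of the AMI the policy flagged; `instances = local_session.client("ec2").describe_instances()` and `unused_ami = resources[0]['ImageId']` say what the values are. The chained index `['Reservations'][0]['Instances'][0]` raises IndexError instead of a readable assertion failure if the recorded fixture is ever empty; a preceding `base_test.assertTrue(instances['Reservations'])` makes the failure mode explicit. The test also only proves the flagged AMI differs from the single running instance's AMI, which is what the red fixture sets up, so a one-line docstring stating that intent would help the next reader.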
From: Astr1k Date: Thu, 30 Nov 2023 16:52:43 +0000 Subject: [PATCH 17/18] new: added policy ecc-aws-591-reserved_rds_instance_payment_failed --- ...1-reserved_rds_instance_payment_failed.yml | 17 +++++++ .../iam/591-policy.json | 13 ++++++ .../rds.DescribeReservedDBInstances_1.json | 44 +++++++++++++++++++ .../placebo-green/tagging.GetResources_1.json | 22 ++++++++++ .../rds.DescribeReservedDBInstances_1.json | 44 +++++++++++++++++++ .../placebo-red/tagging.GetResources_1.json | 22 ++++++++++ .../red_policy_test.py | 5 +++ 7 files changed, 167 insertions(+) create mode 100644 policies/ecc-aws-591-reserved_rds_instance_payment_failed.yml create mode 100644 terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json create mode 100644 tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/rds.DescribeReservedDBInstances_1.json create mode 100644 tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/rds.DescribeReservedDBInstances_1.json create mode 100644 tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-591-reserved_rds_instance_payment_failed/red_policy_test.py diff --git a/policies/ecc-aws-591-reserved_rds_instance_payment_failed.yml b/policies/ecc-aws-591-reserved_rds_instance_payment_failed.yml new file mode 100644 index 000000000..71ec6b7dd --- /dev/null +++ b/policies/ecc-aws-591-reserved_rds_instance_payment_failed.yml 
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-591-reserved_rds_instance_payment_failed
+ comment: '010008062000'
+ description: |
+ Amazon RDS reserved instance payment failed
+ resource: aws.rds-reserved
+ filters:
+ - type: value
+ key: State
+ value: payment-failed
diff --git a/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json b/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json
new file mode 100644
index 000000000..48a4553f7
--- /dev/null
+++ b/terraform/ecc-aws-591-reserved_rds_instance_payment_failed/iam/591-policy.json
@@ -0,0 +1,13 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeReservedDBInstances",
+ "tagging:GetResources"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/rds.DescribeReservedDBInstances_1.json b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/rds.DescribeReservedDBInstances_1.json
new file mode 100644
index 000000000..94991177c
--- /dev/null
+++ b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/rds.DescribeReservedDBInstances_1.json
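Review bot: The Action `ec2:DescribeReservedDBInstances` in 591-policy.json uses the wrong service prefix: the API is an RDS call, the policy's resource is `aws.rds-reserved`, and the recorded fixture is `rds.DescribeReservedDBInstances_1.json`, so this entry grants nothing and the real call is denied. Replace it with `"rds:DescribeReservedDBInstances",`. The second entry has the same problem: the IAM prefix for the Resource Groups Tagging API is `tag`, so `"tagging:GetResources"` should read `"tag:GetResources"` (the `tagging.` in the fixture filename is the boto3 client alias, not the IAM prefix).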
@@ -0,0 +1,44 @@
+{
+ "status_code": 200,
+ "data": {
+ "ReservedDBInstances": [
+ {
+ "ReservedDBInstanceId": "ri-2019-05-06-14-19-06-332",
+ "ReservedDBInstancesOfferingId": "03563adc-1d96-4d2b-b171-3192b150aca8",
+ "DBInstanceClass": "db.t2.micro",
+ "StartTime": {
+ "__class__": "datetime",
+ "year": 2019,
+ "month": 5,
+ "day": 6,
+ "hour": 14,
+ "minute": 19,
+ "second": 11,
+ "microsecond": 531000
+ },
+ "Duration": 31536000,
+ "FixedPrice": 102.0,
+ "UsagePrice": 0.0,
+ "CurrencyCode": "USD",
+ "DBInstanceCount": 1,
+ "ProductDescription": "mysql",
+ "OfferingType": "All Upfront",
+ "MultiAZ": false,
+ "State": "active",
+ "RecurringCharges": [],
+ "ReservedDBInstanceArn": "arn:aws:rds:us-east-1:644160558196:ri:ri-2019-05-06-14-19-06-332"
+ }
+ ],
+ "ResponseMetadata": {
+ "RequestId": "9dc0340f-201a-4be0-a4db-93a959b7b2b9",
+ "HTTPStatusCode": 200,
+ "HTTPHeaders": {
+ "x-amzn-requestid": "9dc0340f-201a-4be0-a4db-93a959b7b2b9",
+ "content-type": "text/xml",
+ "content-length": "1296",
+ "date": "Mon, 06 May 2019 14:46:52 GMT"
+ },
+ "RetryAttempts": 0
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/tagging.GetResources_1.json
new file mode 100644
index 000000000..e5cb10c81
--- /dev/null
+++ b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-green/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "PaginationToken": "",
+ "ResourceTagMappingList": [
+ {
+ "ResourceARN": "arn:aws:rds:us-east-1:644160558196:ri:ri-2019-05-06-14-19-06-332",
+ "Tags": [
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Green"
+ },
+ {
+ "Key": "CsutodianRule",
+ "Value": "ecc-aws-591-reserved_rds_instance_payment_failed"
+ }
+ ]
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
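Review bot: The tag key in the recorded `tagging.GetResources` response is spelled `"CsutodianRule"`, and the placebo-red fixture in the next hunk carries the same typo, while the ASG fixtures added in PATCH 18 use `"CustodianRule"`. Nothing in the 591 test reads this key, so the test is unaffected, but the recording presumably mirrors a real tag on the test resource, and a misspelled key would silently fall outside any tag-based filtering or reporting the suite does on `CustodianRule`. Fixing the key in both fixtures (and on the resource they were recorded from) keeps the tag vocabulary consistent across the repository.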
diff --git a/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/rds.DescribeReservedDBInstances_1.json b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/rds.DescribeReservedDBInstances_1.json
new file mode 100644
index 000000000..4c792e0da
--- /dev/null
+++ b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/rds.DescribeReservedDBInstances_1.json
@@ -0,0 +1,44 @@
+{
+ "status_code": 200,
+ "data": {
+ "ReservedDBInstances": [
+ {
+ "ReservedDBInstanceId": "ri-2019-05-06-14-19-06-332",
+ "ReservedDBInstancesOfferingId": "03563adc-1d96-4d2b-b171-3192b150aca8",
+ "DBInstanceClass": "db.t2.micro",
+ "StartTime": {
+ "__class__": "datetime",
+ "year": 2019,
+ "month": 5,
+ "day": 6,
+ "hour": 14,
+ "minute": 19,
+ "second": 11,
+ "microsecond": 531000
+ },
+ "Duration": 31536000,
+ "FixedPrice": 102.0,
+ "UsagePrice": 0.0,
+ "CurrencyCode": "USD",
+ "DBInstanceCount": 1,
+ "ProductDescription": "mysql",
+ "OfferingType": "All Upfront",
+ "MultiAZ": false,
+ "State": "payment-failed",
+ "RecurringCharges": [],
+ "ReservedDBInstanceArn": "arn:aws:rds:us-east-1:644160558196:ri:ri-2019-05-06-14-19-06-332"
+ }
+ ],
+ "ResponseMetadata": {
+ "RequestId": "9dc0340f-201a-4be0-a4db-93a959b7b2b9",
+ "HTTPStatusCode": 200,
+ "HTTPHeaders": {
+ "x-amzn-requestid": "9dc0340f-201a-4be0-a4db-93a959b7b2b9",
+ "content-type": "text/xml",
+ "content-length": "1296",
+ "date": "Mon, 06 May 2019 14:46:52 GMT"
+ },
+ "RetryAttempts": 0
+ }
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/tagging.GetResources_1.json
new file mode 100644
index 000000000..ac697272a
--- /dev/null
+++ b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/placebo-red/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "PaginationToken": "",
+ "ResourceTagMappingList": [
+ {
+ "ResourceARN": "arn:aws:rds:us-east-1:644160558196:ri:ri-2019-05-06-14-19-06-332",
+ "Tags": [
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ },
+ {
+ "Key": "CsutodianRule",
+ "Value": "ecc-aws-591-reserved_rds_instance_payment_failed"
+ }
+ ]
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-591-reserved_rds_instance_payment_failed/red_policy_test.py b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/red_policy_test.py
new file mode 100644
index 000000000..15b4ebda7
--- /dev/null
+++ b/tests/ecc-aws-591-reserved_rds_instance_payment_failed/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(resources[0]['State'], "payment-failed")
\ No newline at end of file
From 4267de28ebbf2faba3894eb0ac9dfcfc75db3807 Mon Sep 17 00:00:00 2001
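Review bot: `class PolicyTest(object):` carries a redundant `object` base under Python 3; `class PolicyTest:` is the idiomatic form, and the same applies to the 569 test file at the end of PATCH 18. Because `base_test` and `resources` are injected from outside this file, a one-line docstring on `test_resources` stating that `resources` is the set the policy matched against the placebo-red recording and that exactly one reserved instance is expected would help a reader who opens only this file. The file also ends without a trailing newline.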
From: Astr1k
Date: Thu, 30 Nov 2023 13:13:45 +0000
Subject: [PATCH 18/18] new: added policy ecc-aws-569-asg_propagate_tags_to_ec2_instances
---
...69-asg_propagate_tags_to_ec2_instances.yml | 19 +++
.../green/asg.tf | 41 ++++++++++
.../green/provider.tf | 19 +++
.../green/terraform.tfvars | 2 +
.../green/variables.tf | 9 +++
.../iam/569-policy.json | 10 +++
.../red/asg.tf | 41 ++++++++++
.../red/provider.tf | 19 +++
.../red/terraform.tfvars | 2 +
.../red/variables.tf | 9 +++
...toscaling.DescribeAutoScalingGroups_1.json | 78 +++++++++++++++++++
...toscaling.DescribeAutoScalingGroups_1.json | 78 +++++++++++++++++++
.../red_policy_test.py | 5 ++
13 files changed, 332 insertions(+)
create mode 100644 policies/ecc-aws-569-asg_propagate_tags_to_ec2_instances.yml
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/asg.tf
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/provider.tf
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/terraform.tfvars
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/variables.tf
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/iam/569-policy.json
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/asg.tf
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/provider.tf
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/terraform.tfvars
create mode 100644 terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/variables.tf
create mode 100644 tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json
create mode 100644 tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json
create mode 100644 tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red_policy_test.py
diff --git a/policies/ecc-aws-569-asg_propagate_tags_to_ec2_instances.yml b/policies/ecc-aws-569-asg_propagate_tags_to_ec2_instances.yml
new file mode 100644
index 000000000..16070a39b
--- /dev/null
+++ b/policies/ecc-aws-569-asg_propagate_tags_to_ec2_instances.yml
@@ -0,0 +1,19 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-569-asg_propagate_tags_to_ec2_instances
+ comment: '010010032000'
+ description: |
+ Auto Scaling groups not propagating tags to ec2 instance
+ resource: asg
+ filters:
+ - not:
+ - type: value
+ key: Tags[*].PropagateAtLaunch
+ op: contains
+ value: true
\ No newline at end of file
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/asg.tf b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/asg.tf
new file mode 100644
index 000000000..40e32e69e
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/asg.tf
@@ -0,0 +1,41 @@
+resource "aws_launch_template" "this" {
+ name_prefix = "569_launch_template_green"
+ image_id = data.aws_ami.this.id
+ instance_type = "t2.micro"
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+resource "aws_autoscaling_group" "this" {
+ name = "569-autoscaling_group-green"
+ availability_zones = ["us-east-1a"]
+ desired_capacity = 1
+ max_size = 1
+ min_size = 1
+
+ launch_template {
+ id = aws_launch_template.this.id
+ version = "$Latest"
+ }
+
+ tag {
+ key = "CustodianRule"
+ value = "ecc-aws-569-asg_propagate_tags_to_ec2_instances"
+ propagate_at_launch = true
+ }
+
+ tag {
+ key = "ComplianceStatus"
+ value = "Green"
+ propagate_at_launch = true
+ }
+
+}
\ No newline at end of file
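Review bot: The `not` around `op: contains` / `value: true` on `Tags[*].PropagateAtLaunch` flags a group only when none of its tags propagates, so a group with a mix of propagating and non-propagating tags is reported as compliant, and a group with no tags at all appears to be flagged as non-compliant because the projection yields an empty list. Whichever of those is intended should be spelled out, e.g. by extending the description to `Auto Scaling groups in which no tag is set to propagate to EC2 instances`. If the intent is instead that every tag must propagate, the filter should negate the presence of a `false` value, i.e. keep the `not:` block but change the last line to `value: false`. The file also ends without a trailing newline.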
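Review bot: The `aws_launch_template` block sets only `image_id` and `instance_type`, so the instance it launches keeps the default metadata service settings (IMDSv1 still accepted) and, with no subnet or security group given, presumably lands in the default VPC and default security group; the green recording's `"VPCZoneIdentifier": ""` later in this commit is consistent with that. Even for short-lived test infrastructure it costs one block to require IMDSv2 in the template: `metadata_options {` / `http_tokens = "required"` / `}`; the same applies to `red/asg.tf` in the next hunks. Separately, `most_recent = true` combined with the `amzn2-ami-hvm*` wildcard means each apply may pick a different AMI, so the recorded fixtures are not reproducible from this configuration alone.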
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/provider.tf b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/provider.tf
new file mode 100644
index 000000000..bc2ca84c0
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/provider.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-569-asg_propagate_tags_to_ec2_instances"
+ ComplianceStatus = "Green"
+ }
+ }
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/terraform.tfvars b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/variables.tf b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/iam/569-policy.json b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/iam/569-policy.json
new file mode 100644
index 000000000..de2970768
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/iam/569-policy.json
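Review bot: Both variable descriptions in `green/variables.tf` read awkwardly: `description = "Default region for resources will be created"` drops the preposition, and `"Profile name configured before running apply"` does not say what kind of profile. `description = "AWS region in which the test resources are created"` and `description = "Name of the AWS CLI profile to use; it must exist before running apply"` say the same thing cleanly. `red/variables.tf` in the following hunks is a byte-identical copy and needs the same wording.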
@@ -0,0 +1,10 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "autoscaling:DescribeAutoScalingGroups",
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/asg.tf b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/asg.tf
new file mode 100644
index 000000000..48635d9fb
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/asg.tf
@@ -0,0 +1,41 @@
+resource "aws_launch_template" "this" {
+ name_prefix = "569_launch_template_red"
+ image_id = data.aws_ami.this.id
+ instance_type = "t2.micro"
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+resource "aws_autoscaling_group" "this" {
+ name = "569-autoscaling_group-red"
+ availability_zones = ["us-east-1a"]
+ desired_capacity = 1
+ max_size = 1
+ min_size = 1
+
+ launch_template {
+ id = aws_launch_template.this.id
+ version = "$Latest"
+ }
+
+ tag {
+ key = "CustodianRule"
+ value = "ecc-aws-569-asg_propagate_tags_to_ec2_instances"
+ propagate_at_launch = false
+ }
+
+ tag {
+ key = "ComplianceStatus"
+ value = "Red"
+ propagate_at_launch = false
+ }
+
+}
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/provider.tf b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/provider.tf
new file mode 100644
index 000000000..229722992
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/provider.tf
@@ -0,0 +1,19 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-569-asg_propagate_tags_to_ec2_instances"
+ ComplianceStatus = "Red"
+ }
+ }
+}
\ No newline at end of file
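Review bot: `"Action"` is written as a bare string here while `591-policy.json` in the previous commit uses an array; both are valid IAM, but keeping the array form across the repository's per-policy IAM files makes a later permission a one-line addition and keeps the files mechanically comparable. `"Action": ["autoscaling:DescribeAutoScalingGroups"],` is the only change needed. The file also ends without a trailing newline, unlike `red/asg.tf` in the next hunk.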
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/terraform.tfvars b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/variables.tf b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json b/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json
new file mode 100644
index 000000000..78316e5a1
--- /dev/null
+++ b/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json
@@ -0,0 +1,78 @@
+{
+ "status_code": 200,
+ "data": {
+ "AutoScalingGroups": [
+ {
+ "AutoScalingGroupName": "569-autoscaling_group-green",
+ "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:644160558196:autoScalingGroup:81b0d529-f99f-4adb-8cc8-b3152903e381:autoScalingGroupName/569-autoscaling_group-green",
+ "LaunchTemplate": {
+ "LaunchTemplateId": "lt-0aa0094620500361c",
+ "LaunchTemplateName": "569_launch_template_green20231130112021578100000001",
+ "Version": "$Latest"
+ },
+ "MinSize": 1,
+ "MaxSize": 1,
+ "DesiredCapacity": 1,
+ "DefaultCooldown": 300,
+ "AvailabilityZones": [
+ "us-east-1a"
+ ],
+ "LoadBalancerNames": [],
+ "TargetGroupARNs": [],
+ "HealthCheckType": "EC2",
+ "HealthCheckGracePeriod": 300,
+ "Instances": [
+ {
+ "InstanceId": "i-0b2c4659dac98f542",
+ "InstanceType": "t2.micro",
+ "AvailabilityZone": "us-east-1a",
+ "LifecycleState": "InService",
+ "HealthStatus": "Healthy",
+ "LaunchTemplate": {
+ "LaunchTemplateId": "lt-0aa0094620500361c",
+ "LaunchTemplateName": "569_launch_template_green20231130112021578100000001",
+ "Version": "1"
+ },
+ "ProtectedFromScaleIn": false
+ }
+ ],
+ "CreatedTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 30,
+ "hour": 11,
+ "minute": 20,
+ "second": 24,
+ "microsecond": 55000
+ },
+ "SuspendedProcesses": [],
+ "VPCZoneIdentifier": "",
+ "EnabledMetrics": [],
+ "Tags": [
+ {
+ "ResourceId": "569-autoscaling_group-green",
+ "ResourceType": "auto-scaling-group",
+ "Key": "ComplianceStatus",
+ "Value": "Green",
+ "PropagateAtLaunch": true
+ },
+ {
+ "ResourceId": "569-autoscaling_group-green",
+ "ResourceType": "auto-scaling-group",
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-569-asg_propagate_tags_to_ec2_instances",
+ "PropagateAtLaunch": true
+ }
+ ],
+ "TerminationPolicies": [
+ "Default"
+ ],
+ "NewInstancesProtectedFromScaleIn": false,
+ "ServiceLinkedRoleARN": "arn:aws:iam::644160558196:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+ "TrafficSources": []
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json b/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json
new file mode 100644
index 000000000..9944cabed
--- /dev/null
+++ b/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json
@@ -0,0 +1,78 @@
+{
+ "status_code": 200,
+ "data": {
+ "AutoScalingGroups": [
+ {
+ "AutoScalingGroupName": "569-autoscaling_group-red",
+ "AutoScalingGroupARN": "arn:aws:autoscaling:us-east-1:644160558196:autoScalingGroup:5efe04ef-77b0-4099-b9bf-7c4901724ae8:autoScalingGroupName/569-autoscaling_group-red",
+ "LaunchTemplate": {
+ "LaunchTemplateId": "lt-0d29691d83d2de26e",
+ "LaunchTemplateName": "569_launch_template_red20231130112103086000000001",
+ "Version": "$Latest"
+ },
+ "MinSize": 1,
+ "MaxSize": 1,
+ "DesiredCapacity": 1,
+ "DefaultCooldown": 300,
+ "AvailabilityZones": [
+ "us-east-1a"
+ ],
+ "LoadBalancerNames": [],
+ "TargetGroupARNs": [],
+ "HealthCheckType": "EC2",
+ "HealthCheckGracePeriod": 300,
+ "Instances": [
+ {
+ "InstanceId": "i-03cfa57caf40fa4e3",
+ "InstanceType": "t2.micro",
+ "AvailabilityZone": "us-east-1a",
+ "LifecycleState": "InService",
+ "HealthStatus": "Healthy",
+ "LaunchTemplate": {
+ "LaunchTemplateId": "lt-0d29691d83d2de26e",
+ "LaunchTemplateName": "569_launch_template_red20231130112103086000000001",
+ "Version": "1"
+ },
+ "ProtectedFromScaleIn": false
+ }
+ ],
+ "CreatedTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 30,
+ "hour": 11,
+ "minute": 21,
+ "second": 5,
+ "microsecond": 596000
+ },
+ "SuspendedProcesses": [],
+ "VPCZoneIdentifier": "",
+ "EnabledMetrics": [],
+ "Tags": [
+ {
+ "ResourceId": "569-autoscaling_group-red",
+ "ResourceType": "auto-scaling-group",
+ "Key": "ComplianceStatus",
+ "Value": "Red",
+ "PropagateAtLaunch": false
+ },
+ {
+ "ResourceId": "569-autoscaling_group-red",
+ "ResourceType": "auto-scaling-group",
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-569-asg_propagate_tags_to_ec2_instances",
+ "PropagateAtLaunch": false
+ }
+ ],
+ "TerminationPolicies": [
+ "Default"
+ ],
+ "NewInstancesProtectedFromScaleIn": false,
+ "ServiceLinkedRoleARN": "arn:aws:iam::644160558196:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
+ "TrafficSources": []
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red_policy_test.py b/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red_policy_test.py
new file mode 100644
index 000000000..f7efc7df7
--- /dev/null
+++ b/tests/ecc-aws-569-asg_propagate_tags_to_ec2_instances/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertFalse(resources[0]['Tags'][0]['PropagateAtLaunch'])
\ No newline at end of file
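Review bot: `base_test.assertFalse(resources[0]['Tags'][0]['PropagateAtLaunch'])` checks only the first tag in the order the recording happens to list them, whereas the policy matches a group in which no tag propagates; `base_test.assertFalse(any(t['PropagateAtLaunch'] for t in resources[0]['Tags']))` pins the actual contract and stops depending on tag ordering in the fixture. A one-line docstring on `test_resources` saying that the red recording contains a single group whose two tags both have `PropagateAtLaunch` false would make the expected shape explicit. The file also ends without a trailing newline.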