skip: update autotest for redshift

epam · May 30, 2024 · d58b22c · d58b22c
1 parent 334f0ca
commit d58b22c
Show file tree

Hide file tree

Showing 7 changed files with 144 additions and 82 deletions.
diff --git a/.github/workflows/tf_testing.yml b/.github/workflows/tf_testing.yml
@@ -22,49 +22,49 @@ env:
   CORE_TESTING_FOLDER: ${{ github.workspace }}
   OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
   AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
-  resource_priority_list: 'cloudtrail'
+  resource_priority_list: 'redshift'
   RED: '\033[0;31m'
 
 jobs:
-  terraform_test_policy_green_flights:
-    permissions:
-      contents: 'read'
-      id-token: 'write'
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Git clone the repository
-        uses: actions/checkout@v4
-      - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@v4
-        with:
-          role-to-assume: ${{ secrets.CI_ASSUME_ROLE }}
-          role-session-name: ECC-AWS-RULEPACK_CI-GREEN
-          role-duration-seconds: 43200 
-          aws-region: ${{ vars.AWS_REGION }}
-      - name: Install dependencies
-        shell: bash
-        working-directory: auto_policy_testing/scripts
-        run: |
-          pip install -r requirements.txt
-          sudo apt-get install -y oathtool
-      - name: terraform_test_policy_green_flights
-        shell: bash
-        working-directory: auto_policy_testing/scripts
-        run: |
-          python main.py \
-            --cloud AWS \
-            --infra_color green \
-            -l $resource_priority_list \
-            --base_dir $GITHUB_WORKSPACE \
-            --output_dir $OUTPUT_DIR \
-            --sa "github_ci_readonly_ecc-aws-rulepack"
-          echo -e "${RED}Failed policies:"
-          cat $OUTPUT_DIR/.failed
-          echo -e "${RED}Failed terraforms:"
-          cat $OUTPUT_DIR/.tf_failed
-          test -s $OUTPUT_DIR/.failed && exit 1
-          test -s $OUTPUT_DIR/.tf_failed && exit 1
-          exit 0
+  # terraform_test_policy_green_flights:
+  #   permissions:
+  #     contents: 'read'
+  #     id-token: 'write'
+  #   runs-on: ubuntu-22.04
+  #   steps:
+  #     - name: Git clone the repository
+  #       uses: actions/checkout@v4
+  #     - name: configure aws credentials
+  #       uses: aws-actions/configure-aws-credentials@v4
+  #       with:
+  #         role-to-assume: ${{ secrets.CI_ASSUME_ROLE }}
+  #         role-session-name: ECC-AWS-RULEPACK_CI-GREEN
+  #         role-duration-seconds: 43200 
+  #         aws-region: ${{ vars.AWS_REGION }}
+  #     - name: Install dependencies
+  #       shell: bash
+  #       working-directory: auto_policy_testing/scripts
+  #       run: |
+  #         pip install -r requirements.txt
+  #         sudo apt-get install -y oathtool
+  #     - name: terraform_test_policy_green_flights
+  #       shell: bash
+  #       working-directory: auto_policy_testing/scripts
+  #       run: |
+  #         python main.py \
+  #           --cloud AWS \
+  #           --infra_color green \
+  #           -l $resource_priority_list \
+  #           --base_dir $GITHUB_WORKSPACE \
+  #           --output_dir $OUTPUT_DIR \
+  #           --sa "github_ci_readonly_ecc-aws-rulepack"
+  #         echo -e "${RED}Failed policies:"
+  #         cat $OUTPUT_DIR/.failed
+  #         echo -e "${RED}Failed terraforms:"
+  #         cat $OUTPUT_DIR/.tf_failed
+  #         test -s $OUTPUT_DIR/.failed && exit 1
+  #         test -s $OUTPUT_DIR/.tf_failed && exit 1
+  #         exit 0
 
   terraform_test_policy_red_flights:
     permissions:

diff --git a/auto_policy_testing/green/redshift/outputs.tf b/auto_policy_testing/green/redshift/outputs.tf
@@ -1,5 +1,6 @@
 output "redshift" {
   value = {
-    redshift = aws_redshift_cluster.this.cluster_identifier
+    redshift                                            = aws_redshift_cluster.this1.cluster_identifier
+    ecc-aws-164-redshift_clusters_audit_logging_enabled = [aws_redshift_cluster.this1.cluster_identifier, aws_redshift_cluster.this2.cluster_identifier]
   }
 }
diff --git a/auto_policy_testing/green/redshift/redshift.tf b/auto_policy_testing/green/redshift/redshift.tf
@@ -1,5 +1,7 @@
-resource "aws_redshift_cluster" "this" {
-  cluster_identifier                   = "${module.naming.resource_prefix.redshift_cluster}"
+# Time to deploy about 7 min
+
+resource "aws_redshift_cluster" "this1" {
+  cluster_identifier                   = "${module.naming.resource_prefix.redshift_cluster}-1"
   database_name                        = "redshifttest"
   master_username                      = "root"
   master_password                      = random_password.this.result
@@ -12,21 +14,43 @@ resource "aws_redshift_cluster" "this" {
   allow_version_upgrade                = true
   publicly_accessible                  = false
   enhanced_vpc_routing                 = true
-  cluster_parameter_group_name         = aws_redshift_parameter_group.this.name
+  cluster_parameter_group_name         = aws_redshift_parameter_group.this1.name
   availability_zone_relocation_enabled = true
+}
 
-  logging {
-    enable      = true
-    bucket_name = aws_s3_bucket.this.id
-  }
+resource "aws_redshift_logging" "this1" {
+  cluster_identifier   = aws_redshift_cluster.this1.id
+  log_destination_type = "s3"
+  bucket_name          = aws_s3_bucket.this.id
+}
+
+resource "aws_redshift_cluster" "this2" {
+  cluster_identifier           = "${module.naming.resource_prefix.redshift_cluster}-2"
+  database_name                = "redshifttest"
+  master_username              = "root"
+  master_password              = random_password.this.result
+  node_type                    = "dc2.large"
+  port                         = 5431
+  skip_final_snapshot          = true
+  allow_version_upgrade        = true
+  publicly_accessible          = false
+  cluster_parameter_group_name = aws_redshift_parameter_group.this2.name
+}
+
+resource "aws_redshift_logging" "this2" {
+  cluster_identifier   = aws_redshift_cluster.this2.id
+  log_destination_type = "cloudwatch"
+  log_exports          = ["connectionlog", "userlog", "useractivitylog"]
 
-  depends_on = [
-    aws_s3_bucket_acl.this
-  ]
+  depends_on = [aws_cloudwatch_log_group.this]
 }
 
-resource "aws_redshift_parameter_group" "this" {
-  name   = "${module.naming.resource_prefix.redshift_parameter_group}"
+resource "aws_cloudwatch_log_group" "this" {
+  name = "/aws/redshift/cluster/${aws_redshift_cluster.this2.id}"
+}
+
+resource "aws_redshift_parameter_group" "this1" {
+  name   = "${module.naming.resource_prefix.redshift_parameter_group}-1"
   family = "redshift-1.0"
 
   parameter {
@@ -40,40 +64,23 @@ resource "aws_redshift_parameter_group" "this" {
   }
 }
 
-resource "aws_s3_bucket" "this" {
-  bucket        = "${module.naming.resource_prefix.redshift_cluster}-${random_integer.this.result}"
-  force_destroy = "true"
-}
+resource "aws_redshift_parameter_group" "this2" {
+  name   = "${module.naming.resource_prefix.redshift_parameter_group}-2"
+  family = "redshift-1.0"
 
-resource "aws_s3_bucket_ownership_controls" "this" {
-  bucket = aws_s3_bucket.this.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
+  parameter {
+    name  = "enable_user_activity_logging"
+    value = "true"
   }
 }
 
-resource "aws_s3_bucket_acl" "this" {
-  depends_on = [aws_s3_bucket_ownership_controls.this]
-
-  bucket = aws_s3_bucket.this.id
-  acl    = "private"
-}
-
-resource "aws_s3_bucket_policy" "this" {
-  bucket = aws_s3_bucket.this.id
-  policy = data.aws_iam_policy_document.this.json
-}
-
 resource "random_password" "this" {
   length           = 12
   special          = true
   numeric          = true
   min_numeric      = 1
+  min_special      = 1
   override_special = "!#$%*()-_=+[]{}:?"
 }
 
-resource "random_integer" "this" {
-  min = 1
-  max = 10000000
-}
 
diff --git a/auto_policy_testing/green/redshift/s3.tf b/auto_policy_testing/green/redshift/s3.tf
@@ -0,0 +1,29 @@
+
+resource "aws_s3_bucket" "this" {
+  bucket        = "${module.naming.resource_prefix.redshift_cluster}-${random_integer.this.result}"
+  force_destroy = "true"
+}
+
+resource "aws_s3_bucket_ownership_controls" "this" {
+  bucket = aws_s3_bucket.this.id
+  rule {
+    object_ownership = "BucketOwnerPreferred"
+  }
+}
+
+resource "aws_s3_bucket_acl" "this" {
+  depends_on = [aws_s3_bucket_ownership_controls.this]
+
+  bucket = aws_s3_bucket.this.id
+  acl    = "private"
+}
+
+resource "aws_s3_bucket_policy" "this" {
+  bucket = aws_s3_bucket.this.id
+  policy = data.aws_iam_policy_document.this.json
+}
+
+resource "random_integer" "this" {
+  min = 1
+  max = 10000000
+}
diff --git a/auto_policy_testing/red/redshift/redshift.tf b/auto_policy_testing/red/redshift/redshift.tf
@@ -1,20 +1,24 @@
+# Time to deploy about 7 min
+
 resource "aws_redshift_cluster" "this" {
-  cluster_identifier                   = "${module.naming.resource_prefix.redshift_cluster}"
-  database_name                        = "dev"
+  provider                             = aws.provider2
+  cluster_identifier                   = "${module.naming.resource_prefix.redshift_cluster}2"
   master_username                      = "awsuser"
+  database_name                        = "dev"
   master_password                      = random_password.this.result
   node_type                            = "dc2.large"
   skip_final_snapshot                  = true
+  automated_snapshot_retention_period  = 0
   encrypted                            = false
   allow_version_upgrade                = false
   enhanced_vpc_routing                 = false
-  availability_zone_relocation_enabled = false 
-  provider                             = aws.provider2
+  availability_zone_relocation_enabled = false
+  publicly_accessible                  = true
   cluster_parameter_group_name         = aws_redshift_parameter_group.this.name
 }
 
 resource "aws_redshift_parameter_group" "this" {
-  name   = "${module.naming.resource_prefix.redshift_parameter_group}"
+  name   = "${module.naming.resource_prefix.redshift_parameter_group}-2"
   family = "redshift-1.0"
 
   parameter {
@@ -32,5 +36,7 @@ resource "random_password" "this" {
   length           = 12
   special          = true
   numeric          = true
+  min_numeric      = 1
+  min_special      = 1
   override_special = "!#$%*()-_=+[]{}:?"
 }
diff --git a/auto_policy_testing/scripts/exception_rules.py b/auto_policy_testing/scripts/exception_rules.py
@@ -16,6 +16,9 @@
         "ecc-aws-592-reserved_rds_instance_payment_pending",
         "ecc-aws-593-reserved_rds_instance_recent_purchases",
         "ecc-aws-594-underutilized_rds_instance_storage",
+        "ecc-aws-595-reserved_redshift_node_payment_failed",
+        "ecc-aws-596-reserved_redshift_node_payment_pending",
+        "ecc-aws-597-reserved_redshift_node_recent_purchases",
         "ecc-aws-614-idle_rds_instance"
     ],
     "red": [
@@ -48,6 +51,10 @@
         "ecc-aws-592-reserved_rds_instance_payment_pending",
         "ecc-aws-593-reserved_rds_instance_recent_purchases",
         "ecc-aws-594-underutilized_rds_instance_storage",
+        "ecc-aws-595-reserved_redshift_node_payment_failed",
+        "ecc-aws-596-reserved_redshift_node_payment_pending",
+        "ecc-aws-597-reserved_redshift_node_recent_purchases",
+        "ecc-aws-598-redshift_instance_generation",
         "ecc-aws-614-idle_rds_instance"
     ],
     "parallel": [

diff --git a/terraform/ecc-aws-595-reserved_redshift_node_payment_failed/iam/595-policy.json b/terraform/ecc-aws-595-reserved_redshift_node_payment_failed/iam/595-policy.json
@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeReservedNodes"
+            ],
+            "Resource": "*"
+        }
+    ]
+}