feat(fsx): Add check logic with respective unit test. Add metadata too
1 parent
88f5f01
commit c95296b
Showing
4 changed files
with
361 additions
and
0 deletions.
Empty file.
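--- a/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json
+++ b/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json
@@ -0,0 +1,32 @@
+{
+"Provider": "aws",
+"CheckID": "fsx_file_system_copy_tags_to_backups_enabled",
+"CheckTitle": "Check if FSx file systems are configured to copy tags to backups.",
+"CheckType": [
+"Software and Configuration Checks/Vulnerabilities"
+],
+"ServiceName": "fsx",
+"SubServiceName": "",
+"ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
+"Severity": "low",
+"ResourceType": "AwsFSxFileSystem",
+"Description": "Check if an Amazon FSx file system is configured to copy tags to backups. The control fails if this configuration isn't enabled.",
+"Risk": "Without tag copying, managing and tracking your resources could be more difficult, impacting your governance and inventory management processes.",
+"RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html",
+"Remediation": {
+"Code": {
+"CLI": "aws fsx update-file-system --file-system-id <file-system-id> filesystemtypeconfiguration <copy-tags-to-backups: true>",
+"NativeIaC": "",
+"Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-2",
+"Terraform": ""
+},
+"Recommendation": {
+"Text": "Configure your FSx file system to copy tags to backups to improve resource management and tracking.",
+"Url": "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
+}
+},
+"Categories": [],
+"DependsOn": [],
+"RelatedTo": [],
+"Notes": ""
+}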
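Review bot: The `Remediation.Code.CLI` value is not a runnable command — `filesystemtypeconfiguration <copy-tags-to-backups: true>` is a placeholder rather than an `aws fsx update-file-system` option, so a user pasting it gets a CLI error instead of a fix. The setting lives in the per-type configuration block, so the string should show one of the real forms, e.g. `aws fsx update-file-system --file-system-id <file-system-id> --lustre-configuration CopyTagsToBackups=true` (and `--open-zfs-configuration CopyTagsToBackups=true` / `--windows-configuration CopyTagsToBackups=true` for the other two types the check covers). The `Notes` field is empty; it would be the right place to record that ONTAP file systems are intentionally out of scope, which is what the check's type filter and `test_ontap` encode but the metadata never says.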
24 changes: 24 additions & 0 deletions
..._file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py
@@ -0,0 +1,24 @@ | ||
from prowler.lib.check.models import Check, Check_Report_AWS | ||
from prowler.providers.aws.services.fsx.fsx_client import fsx_client | ||
|
||
|
||
class fsx_file_system_copy_tags_to_backups_enabled(Check): | ||
def execute(self): | ||
findings = [] | ||
for file_system in fsx_client.file_systems.values(): | ||
if file_system.type in ["OPENZFS", "LUSTRE", "WINDOWS"]: | ||
report = Check_Report_AWS(self.metadata()) | ||
report.region = file_system.region | ||
report.resource_id = file_system.id | ||
report.resource_arn = file_system.arn | ||
report.resource_tags = file_system.tags | ||
report.status = "PASS" | ||
report.status_extended = f"FSx file system {file_system.id} has copy tags to backups enabled." | ||
|
||
if not file_system.copy_tags_to_backups: | ||
report.status = "FAIL" | ||
report.status_extended = f"FSx file system {file_system.id} does not have copy tags to backups enabled." | ||
|
||
findings.append(report) | ||
|
||
return findings |
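Review bot: `execute` has no docstring and the set of file-system types it evaluates is an inline list literal in the loop condition (`if file_system.type in ["OPENZFS", "LUSTRE", "WINDOWS"]:`), so a reader of the check alone cannot tell whether leaving out ONTAP is deliberate. Hoist it to a module-level constant, e.g. `FILE_SYSTEM_TYPES_WITH_BACKUP_TAGS = ("OPENZFS", "LUSTRE", "WINDOWS")`, and give the method a docstring along the lines of `"""Return one PASS/FAIL finding per OpenZFS, Lustre or Windows FSx file system depending on its CopyTagsToBackups setting; ONTAP file systems are skipped."""`. Note that `if not file_system.copy_tags_to_backups:` reports FAIL for a falsy/unset value as well as an explicit `False`; that is a reasonable fail-closed default, but it is worth a one-line comment and a confirmation of what the FSx service model assigns when the API response omits the field. The rendered page has dropped the file's indentation, so the nesting above is read from the statement structure rather than the columns shown.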
305 changes: 305 additions & 0 deletions
...systems_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled_test.py
@@ -0,0 +1,305 @@ | ||
from unittest import mock | ||
|
||
from boto3 import client | ||
from moto import mock_aws | ||
|
||
from prowler.providers.aws.services.fsx.fsx_service import FSx | ||
from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider | ||
|
||
|
||
class Test_fsx_file_system_copy_tags_to_backups_enabled: | ||
@mock_aws | ||
def test_fsx_no_file_system(self): | ||
client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
@mock_aws | ||
def test_ontap(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
fsx_client.create_file_system( | ||
FileSystemType="ONTAP", | ||
StorageCapacity=1200, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 0 | ||
|
||
@mock_aws | ||
def test_openzfs_copy_tags_to_backups_disabled(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
file_system = fsx_client.create_file_system( | ||
FileSystemType="OPENZFS", | ||
StorageCapacity=1200, | ||
OpenZFSConfiguration={ | ||
"CopyTagsToBackups": False, | ||
"DeploymentType": "SINGLE_AZ_1", | ||
"ThroughputCapacity": 12, | ||
}, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"FSx file system {file_system['FileSystem']['FileSystemId']} does not have copy tags to backups enabled." | ||
) | ||
assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] | ||
assert ( | ||
result[0].resource_arn | ||
== f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" | ||
) | ||
assert result[0].region == AWS_REGION_EU_WEST_1 | ||
|
||
@mock_aws | ||
def test_openzfs_copy_tags_to_backups_enabled(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
file_system = fsx_client.create_file_system( | ||
FileSystemType="OPENZFS", | ||
StorageCapacity=1200, | ||
OpenZFSConfiguration={ | ||
"CopyTagsToBackups": True, | ||
"DeploymentType": "SINGLE_AZ_1", | ||
"ThroughputCapacity": 12, | ||
}, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"FSx file system {file_system['FileSystem']['FileSystemId']} has copy tags to backups enabled." | ||
) | ||
assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] | ||
assert ( | ||
result[0].resource_arn | ||
== f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" | ||
) | ||
assert result[0].region == AWS_REGION_EU_WEST_1 | ||
|
||
@mock_aws | ||
def test_lustre_copy_tags_to_backups_disabled(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
file_system = fsx_client.create_file_system( | ||
FileSystemType="LUSTRE", | ||
StorageCapacity=1200, | ||
LustreConfiguration={"CopyTagsToBackups": False}, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"FSx file system {file_system['FileSystem']['FileSystemId']} does not have copy tags to backups enabled." | ||
) | ||
assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] | ||
assert ( | ||
result[0].resource_arn | ||
== f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" | ||
) | ||
assert result[0].region == AWS_REGION_EU_WEST_1 | ||
|
||
@mock_aws | ||
def test_lustre_copy_tags_to_backups_enabled(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
file_system = fsx_client.create_file_system( | ||
FileSystemType="LUSTRE", | ||
StorageCapacity=1200, | ||
LustreConfiguration={"CopyTagsToBackups": True}, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"FSx file system {file_system['FileSystem']['FileSystemId']} has copy tags to backups enabled." | ||
) | ||
assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] | ||
assert ( | ||
result[0].resource_arn | ||
== f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" | ||
) | ||
assert result[0].region == AWS_REGION_EU_WEST_1 | ||
|
||
@mock_aws | ||
def test_windows_copy_tags_to_backups_disabled(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
file_system = fsx_client.create_file_system( | ||
FileSystemType="WINDOWS", | ||
StorageCapacity=1200, | ||
WindowsConfiguration={ | ||
"CopyTagsToBackups": False, | ||
"ThroughputCapacity": 12, | ||
}, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "FAIL" | ||
assert ( | ||
result[0].status_extended | ||
== f"FSx file system {file_system['FileSystem']['FileSystemId']} does not have copy tags to backups enabled." | ||
) | ||
assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] | ||
assert ( | ||
result[0].resource_arn | ||
== f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" | ||
) | ||
assert result[0].region == AWS_REGION_EU_WEST_1 | ||
|
||
@mock_aws | ||
def test_windows_copy_tags_to_backups_enabled(self): | ||
fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1) | ||
file_system = fsx_client.create_file_system( | ||
FileSystemType="WINDOWS", | ||
StorageCapacity=1200, | ||
WindowsConfiguration={ | ||
"CopyTagsToBackups": True, | ||
"ThroughputCapacity": 12, | ||
}, | ||
Tags=[{"Key": "Name", "Value": "Test"}], | ||
SubnetIds=["subnet-12345678"], | ||
) | ||
|
||
aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1]) | ||
|
||
with mock.patch( | ||
"prowler.providers.common.provider.Provider.get_global_provider", | ||
return_value=aws_provider, | ||
), mock.patch( | ||
"prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client", | ||
new=FSx(aws_provider), | ||
): | ||
from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import ( | ||
fsx_file_system_copy_tags_to_backups_enabled, | ||
) | ||
|
||
check = fsx_file_system_copy_tags_to_backups_enabled() | ||
result = check.execute() | ||
assert len(result) == 1 | ||
assert result[0].status == "PASS" | ||
assert ( | ||
result[0].status_extended | ||
== f"FSx file system {file_system['FileSystem']['FileSystemId']} has copy tags to backups enabled." | ||
) | ||
assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"] | ||
assert ( | ||
result[0].resource_arn | ||
== f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}" | ||
) | ||
assert result[0].region == AWS_REGION_EU_WEST_1 |
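Review bot: The test file's directory is shown as `...systems_copy_tags_to_backups_enabled` (plural) while the check and its metadata sit under `..._file_system_copy_tags_to_backups_enabled`; the paths are truncated on this page, but if the test directory really is `fsx_file_systems_...` it should be renamed to match the check ID so the test tree mirrors the service tree and the patch target in `mock.patch(...)` stays aligned with the module it imports. The check assigns `report.resource_tags = file_system.tags` and every test creates the file system with `Tags=[{"Key": "Name", "Value": "Test"}]`, yet none of the eight tests asserts `result[0].resource_tags`, so a regression in tag propagation would pass unnoticed; add an assertion on it in at least one PASS and one FAIL case, using whatever shape the FSx service stores tags in. The ARN assertions hard-code `123456789012` next to the imported `AWS_REGION_EU_WEST_1`; if `tests.providers.aws.utils` exposes an account-number constant it should be used instead. Finally, the provider/client patching block is repeated verbatim in all eight tests — a small helper or pytest fixture that returns `check.execute()` for a prepared client would cut the file to a fraction of its size and keep the long patch-target string in one place.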