feat(fsx): Add check logic with respective unit test. Add metadata too

prowler-cloud · Oct 15, 2024 · c95296b · c95296b
1 parent 88f5f01
commit c95296b
Show file tree

Hide file tree

Showing 4 changed files with 361 additions and 0 deletions.
diff --git a/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/__init__.py b/prowler/providers/aws/services/fsx/fsx_file_system_copy_tags_to_backups_enabled/__init__.py
diff --git a/...m_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json b/...m_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.metadata.json
@@ -0,0 +1,32 @@
+{
+  "Provider": "aws",
+  "CheckID": "fsx_file_system_copy_tags_to_backups_enabled",
+  "CheckTitle": "Check if FSx file systems are configured to copy tags to backups.",
+  "CheckType": [
+    "Software and Configuration Checks/Vulnerabilities"
+  ],
+  "ServiceName": "fsx",
+  "SubServiceName": "",
+  "ResourceIdTemplate": "arn:aws:fsx:{region}:{account-id}:file-system/{file-system-id}",
+  "Severity": "low",
+  "ResourceType": "AwsFSxFileSystem",
+  "Description": "Check if an Amazon FSx file system is configured to copy tags to backups. The control fails if this configuration isn't enabled.",
+  "Risk": "Without tag copying, managing and tracking your resources could be more difficult, impacting your governance and inventory management processes.",
+  "RelatedUrl": "https://docs.aws.amazon.com/config/latest/developerguide/fsx-lustre-copy-tags-to-backups.html",
+  "Remediation": {
+    "Code": {
+      "CLI": "aws fsx update-file-system --file-system-id <file-system-id> filesystemtypeconfiguration <copy-tags-to-backups: true>",
+      "NativeIaC": "",
+      "Other": "https://docs.aws.amazon.com/securityhub/latest/userguide/fsx-controls.html#fsx-2",
+      "Terraform": ""
+    },
+    "Recommendation": {
+      "Text": "Configure your FSx file system to copy tags to backups to improve resource management and tracking.",
+      "Url": "https://docs.aws.amazon.com/fsx/latest/OpenZFSGuide/updating-file-system.html"
+    }
+  },
+  "Categories": [],
+  "DependsOn": [],
+  "RelatedTo": [],
+  "Notes": ""
+}
diff --git a/..._file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py b/..._file_system_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled.py
@@ -0,0 +1,24 @@
+from prowler.lib.check.models import Check, Check_Report_AWS
+from prowler.providers.aws.services.fsx.fsx_client import fsx_client
+
+
+class fsx_file_system_copy_tags_to_backups_enabled(Check):
+    def execute(self):
+        findings = []
+        for file_system in fsx_client.file_systems.values():
+            if file_system.type in ["OPENZFS", "LUSTRE", "WINDOWS"]:
+                report = Check_Report_AWS(self.metadata())
+                report.region = file_system.region
+                report.resource_id = file_system.id
+                report.resource_arn = file_system.arn
+                report.resource_tags = file_system.tags
+                report.status = "PASS"
+                report.status_extended = f"FSx file system {file_system.id} has copy tags to backups enabled."
+
+                if not file_system.copy_tags_to_backups:
+                    report.status = "FAIL"
+                    report.status_extended = f"FSx file system {file_system.id} does not have copy tags to backups enabled."
+
+                findings.append(report)
+
+        return findings
diff --git a/...systems_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled_test.py b/...systems_copy_tags_to_backups_enabled/fsx_file_system_copy_tags_to_backups_enabled_test.py
@@ -0,0 +1,305 @@
+from unittest import mock
+
+from boto3 import client
+from moto import mock_aws
+
+from prowler.providers.aws.services.fsx.fsx_service import FSx
+from tests.providers.aws.utils import AWS_REGION_EU_WEST_1, set_mocked_aws_provider
+
+
+class Test_fsx_file_system_copy_tags_to_backups_enabled:
+    @mock_aws
+    def test_fsx_no_file_system(self):
+        client("fsx", region_name=AWS_REGION_EU_WEST_1)
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_ontap(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        fsx_client.create_file_system(
+            FileSystemType="ONTAP",
+            StorageCapacity=1200,
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 0
+
+    @mock_aws
+    def test_openzfs_copy_tags_to_backups_disabled(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="OPENZFS",
+            StorageCapacity=1200,
+            OpenZFSConfiguration={
+                "CopyTagsToBackups": False,
+                "DeploymentType": "SINGLE_AZ_1",
+                "ThroughputCapacity": 12,
+            },
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"FSx file system {file_system['FileSystem']['FileSystemId']} does not have copy tags to backups enabled."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    def test_openzfs_copy_tags_to_backups_enabled(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="OPENZFS",
+            StorageCapacity=1200,
+            OpenZFSConfiguration={
+                "CopyTagsToBackups": True,
+                "DeploymentType": "SINGLE_AZ_1",
+                "ThroughputCapacity": 12,
+            },
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"FSx file system {file_system['FileSystem']['FileSystemId']} has copy tags to backups enabled."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    def test_lustre_copy_tags_to_backups_disabled(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="LUSTRE",
+            StorageCapacity=1200,
+            LustreConfiguration={"CopyTagsToBackups": False},
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"FSx file system {file_system['FileSystem']['FileSystemId']} does not have copy tags to backups enabled."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    def test_lustre_copy_tags_to_backups_enabled(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="LUSTRE",
+            StorageCapacity=1200,
+            LustreConfiguration={"CopyTagsToBackups": True},
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"FSx file system {file_system['FileSystem']['FileSystemId']} has copy tags to backups enabled."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    def test_windows_copy_tags_to_backups_disabled(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="WINDOWS",
+            StorageCapacity=1200,
+            WindowsConfiguration={
+                "CopyTagsToBackups": False,
+                "ThroughputCapacity": 12,
+            },
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "FAIL"
+            assert (
+                result[0].status_extended
+                == f"FSx file system {file_system['FileSystem']['FileSystemId']} does not have copy tags to backups enabled."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1
+
+    @mock_aws
+    def test_windows_copy_tags_to_backups_enabled(self):
+        fsx_client = client("fsx", region_name=AWS_REGION_EU_WEST_1)
+        file_system = fsx_client.create_file_system(
+            FileSystemType="WINDOWS",
+            StorageCapacity=1200,
+            WindowsConfiguration={
+                "CopyTagsToBackups": True,
+                "ThroughputCapacity": 12,
+            },
+            Tags=[{"Key": "Name", "Value": "Test"}],
+            SubnetIds=["subnet-12345678"],
+        )
+
+        aws_provider = set_mocked_aws_provider([AWS_REGION_EU_WEST_1])
+
+        with mock.patch(
+            "prowler.providers.common.provider.Provider.get_global_provider",
+            return_value=aws_provider,
+        ), mock.patch(
+            "prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled.fsx_client",
+            new=FSx(aws_provider),
+        ):
+            from prowler.providers.aws.services.fsx.fsx_file_system_copy_tags_to_backups_enabled.fsx_file_system_copy_tags_to_backups_enabled import (
+                fsx_file_system_copy_tags_to_backups_enabled,
+            )
+
+            check = fsx_file_system_copy_tags_to_backups_enabled()
+            result = check.execute()
+            assert len(result) == 1
+            assert result[0].status == "PASS"
+            assert (
+                result[0].status_extended
+                == f"FSx file system {file_system['FileSystem']['FileSystemId']} has copy tags to backups enabled."
+            )
+            assert result[0].resource_id == file_system["FileSystem"]["FileSystemId"]
+            assert (
+                result[0].resource_arn
+                == f"arn:aws:fsx:{AWS_REGION_EU_WEST_1}:123456789012:file-system/{file_system['FileSystem']['FileSystemId']}"
+            )
+            assert result[0].region == AWS_REGION_EU_WEST_1