skip: Merge pull request #34 from epam/feature/ecc-aws-571-stopped_rds_instances_removed

new: added policy ecc-aws-571-stopped_rds_instances_removed

Author: Astr1k

policies/ecc-aws-571-stopped_rds_instances_removed.yml

@@ -0,0 +1,22 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-571-stopped_rds_instances_removed
+    comment: '010002062000'
+    description: |
+      RDS DB instances 
+    resource: aws.rds
+    filters:
+      - type: value
+        key: DBInstanceStatus
+        value: stopped
+      - type: value
+        key: AutomaticRestartTime
+        value: 4
+        value_type: expiration
+        op: lte

terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-571-stopped_rds_instances_removed"
+      ComplianceStatus = "Green"
+    }
+  }
+}

terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf

@@ -0,0 +1,20 @@
+resource "random_password" "this" {
+  length           = 12
+  special          = true
+  numeric          = true
+  override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+  engine                  = "mysql"
+  engine_version          = "5.7"
+  instance_class          = "db.t2.micro"
+  allocated_storage       = 10
+  storage_type            = "gp2"
+  db_name                 = "database517green"
+  username                = "root"
+  password                = random_password.this.result
+  multi_az                = false
+  skip_final_snapshot     = true
+  identifier              = "db-instance-571-green"
+}

terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json

@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [ 
+                "rds:DescribeDBInstances"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-571-stopped_rds_instances_removed"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf

@@ -0,0 +1,62 @@
+resource "random_password" "this" {
+  length           = 12
+  special          = true
+  numeric          = true
+  override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+  engine                  = "mysql"
+  engine_version          = "5.7"
+  instance_class          = "db.t2.micro"
+  allocated_storage       = 10
+  storage_type            = "gp2"
+  db_name                 = "database517red"
+  username                = "root"
+  password                = random_password.this.result
+  multi_az                = false
+  skip_final_snapshot     = true
+  identifier              = "db-instance-571-red"
+}
+
+resource "null_resource" "cleanup_rds" {
+  depends_on = [
+    aws_db_instance.this
+  ]
+  triggers = {
+    profile   = var.profile
+    region = var.default-region
+    identifier = aws_db_instance.this.identifier
+  }
+  provisioner "local-exec" {
+    interpreter = ["/bin/bash", "-c"]
+    command     = <<EOF
+aws sts get-caller-identity
+export AWS_PROFILE=${self.triggers.profile}
+export AWS_REGION=${self.triggers.region}
+aws sts get-caller-identity
+
+while true; do
+  status="$(aws rds describe-db-instances --db-instance-identifier ${self.triggers.identifier} --query DBInstances[0].DBInstanceStatus --output text)"
+  if [ "$status" = "available" ]; then
+    aws rds stop-db-instance --db-instance-identifier ${self.triggers.identifier}
+    break
+  else
+    echo "Waiting for database: $rds to be available"
+    sleep 60
+  fi
+done
+while true; do
+  status="$(aws rds describe-db-instances --db-instance-identifier ${self.triggers.identifier} --query DBInstances[0].DBInstanceStatus --output text)"
+  if [ "$status" = "stopped" ]; then
+    break
+  else
+    echo "Waiting for database: $rds to be stopped"
+    sleep 60
+  fi
+done
+
+echo "RDS instance stopped."
+EOF
+  }
+}

terraform/ecc-aws-571-stopped_rds_instances_removed/red/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-571-stopped_rds_instances_removed/red/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}