upd: update policies 040, 497

anna-shcherbak · anna-shcherbak · commit 1c835cee5d57 · 2024-11-08T23:21:26.000+02:00
Policy 040 was updated to check the latest EKS version.
Policy 497 was updated to check extended support EKS versions.
diff --git a/policies/ecc-aws-040-eks_cluster_version_latest.yml b/policies/ecc-aws-040-eks_cluster_version_latest.yml
@@ -14,5 +14,9 @@ policies:
     filters:
       - type: value
         key: version
-        value: "1.29"
+        value: "1.31"
         op: lt
+      - type: value
+        key: version
+        value: "1.28"
+        op: gte
diff --git a/policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml b/policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml
@@ -9,10 +9,10 @@ policies:
   - name: ecc-aws-497-eks_cluster_oldest_supported_version
     comment: '010021072000'
     description: |
-      EKS cluster is using unsupported version
+      EKS cluster is using extended support version
     resource: aws.eks
     filters:
       - type: value
         key: version
-        value: "1.23"
+        value: "1.28"
         op: lt
diff --git a/terraform/ecc-aws-040-eks_cluster_version_latest/green/eks.tf b/terraform/ecc-aws-040-eks_cluster_version_latest/green/eks.tf
@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "040_eks_cluster_green"
   role_arn = aws_iam_role.this.arn
-  version  = "1.29"
+  version  = "1.31"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -14,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-040-cluster-green"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -49,11 +48,15 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
 }
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}
diff --git a/terraform/ecc-aws-040-eks_cluster_version_latest/iam/040-policy.json b/terraform/ecc-aws-040-eks_cluster_version_latest/iam/040-policy.json
@@ -1,14 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "eks:DescribeCluster",
-                "eks:ListClusters",
-                "ec2:DescribeVpcs"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"eks:ListClusters",
+				"eks:DescribeCluster"
+			],
+			"Resource": "*"
+		}
+	]
+}
diff --git a/terraform/ecc-aws-040-eks_cluster_version_latest/red/eks.tf b/terraform/ecc-aws-040-eks_cluster_version_latest/red/eks.tf
@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "040_eks_cluster_red"
   role_arn = aws_iam_role.this.arn
-  version  = "1.27"
+  version  = "1.28"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -14,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-cluster-040-red"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -49,12 +48,16 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }
 
diff --git a/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/green/eks.tf b/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/green/eks.tf
@@ -1,6 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "497_eks_cluster_green"
   role_arn = aws_iam_role.this.arn
+  version  = "1.30"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -13,7 +14,7 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-497-cluster-green"
-
+  
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -48,11 +49,15 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }
diff --git a/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/green/provider.tf b/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/green/provider.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4"
+      version = "~> 5"
     }
   }
 }
diff --git a/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/eks.tf b/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/eks.tf
@@ -0,0 +1,64 @@
+resource "aws_eks_cluster" "this" {
+  name     = "497_eks_cluster_red"
+  role_arn = aws_iam_role.this.arn
+  version  = "1.27"
+
+  vpc_config {
+    subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
+  }
+  depends_on = [
+    aws_iam_role_policy_attachment.Cluster_Policy,
+    aws_iam_role_policy_attachment.Service_Policy,
+  ]
+}
+
+resource "aws_iam_role" "this" {
+  name = "eks-497-cluster-red"
+  permissions_boundary = "arn:aws:iam::703671910212:policy/eo_role_boundary"
+
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "Cluster_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.this.name
+}
+
+resource "aws_iam_role_policy_attachment" "Service_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+  role       = aws_iam_role.this.name
+}
+
+resource "aws_vpc" "this" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+}
+
+resource "aws_subnet" "subnet1" {
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = "10.0.1.0/24"
+  availability_zone = data.aws_availability_zones.this.names[0]
+}
+
+resource "aws_subnet" "subnet2" {
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = "10.0.2.0/24"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}
diff --git a/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/provider.tf b/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws"{
+  profile = var.profile
+  region  = var.default-region
+  
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-497-eks_cluster_oldest_supported_version"
+      ComplianceStatus = "Red"
+    }
+  }
+}
diff --git a/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/terraform.tfvars b/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/variables.tf b/terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}
diff --git a/tests/ecc-aws-040-eks_cluster_version_latest/placebo-green/eks.DescribeCluster_1.json b/tests/ecc-aws-040-eks_cluster_version_latest/placebo-green/eks.DescribeCluster_1.json
diff --git a/tests/ecc-aws-040-eks_cluster_version_latest/placebo-green/eks.ListClusters_1.json b/tests/ecc-aws-040-eks_cluster_version_latest/placebo-green/eks.ListClusters_1.json
diff --git a/tests/ecc-aws-040-eks_cluster_version_latest/red_policy_test.py b/tests/ecc-aws-040-eks_cluster_version_latest/red_policy_test.py
diff --git a/tests/ecc-aws-497-eks_cluster_oldest_supported_version/red_policy_test.py b/tests/ecc-aws-497-eks_cluster_oldest_supported_version/red_policy_test.py

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,7 @@ terraform {`
`2`	`2`	`required_providers {`
`3`	`3`	`aws = {`
`4`	`4`	`source = "hashicorp/aws"`
`5`		`- version = "~> 4"`
	`5`	`+ version = "~> 5"`
`6`	`6`	`}`
`7`	`7`	`}`
`8`	`8`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+profile = "c7n"`
	`2`	`+default-region = "us-east-1"`