new: added policy ecc-aws-571-stopped_rds_instances_removed
anna-shcherbak committed Sep 21, 2023
1 parent 35fc023 commit 5254033
Showing 14 changed files with 528 additions and 0 deletions.
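--- a/policies/ecc-aws-571-stopped_rds_instances_removed.yml
+++ b/policies/ecc-aws-571-stopped_rds_instances_removed.yml
@@ -0,0 +1,22 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+- name: ecc-aws-571-stopped_rds_instances_removed
+comment: '010002062000'
+description: |
+RDS DB instances
+resource: aws.rds
+filters:
+- type: value
+key: DBInstanceStatus
+value: stopped
+- type: value
+key: AutomaticRestartTime
+value: 4
+value_type: expiration
+op: lte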
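Review bot: The `description` reads only `RDS DB instances`, which does not say what the two filters select, and the rule name ends in `removed` although the policy has no `actions` block, so it is detection-only. Since `value_type: expiration` compares `AutomaticRestartTime` with the current date, `op: lte` with `value: 4` appears to match stopped instances whose automatic restart is at most four days away, i.e. instances that have been stopped for several days; a description such as `Stopped RDS DB instances whose automatic restart time is 4 days away or less (check only, no remediation)` would make the intent and the threshold reviewable. If the opaque `comment: '010002062000'` encodes a control mapping, naming the standard in the description would also help.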
@@ -0,0 +1,20 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4"
}
}
}

provider "aws" {
profile = var.profile
region = var.default-region

default_tags {
tags = {
CustodianRule = "ecc-aws-571-stopped_rds_instances_removed"
ComplianceStatus = "Green"
}
}
}
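--- a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf
@@ -0,0 +1,20 @@
+resource "random_password" "this" {
+length = 12
+special = true
+numeric = true
+override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+engine = "mysql"
+engine_version = "5.7"
+instance_class = "db.t2.micro"
+allocated_storage = 10
+storage_type = "gp2"
+db_name = "database517green"
+username = "root"
+password = random_password.this.result
+multi_az = false
+skip_final_snapshot = true
+identifier = "db-instance-571-green"
+}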
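Review bot: `db_name = "database517green"` does not match the rule number used everywhere else in this commit (`identifier = "db-instance-571-green"`, tag `ecc-aws-571-...`); `517` looks like a digit transposition of `571`, probably carried over from another policy's fixture. The same value appears as `database517red` in red/rds.tf (L151) and as `"DBName": "database517green"` in the green placebo JSON (L234), so if it is corrected to `database571green` the fixture must be updated in the same change or it will stop mirroring the provisioned instance. Separately, `engine_version = "5.7"` pins a MySQL release that is approaching the end of RDS standard support; for a throwaway fixture that is acceptable, but it is worth a one-line comment so nobody assumes the version is part of what the rule tests.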
@@ -0,0 +1,2 @@
profile = "c7n"
default-region = "us-east-1"
@@ -0,0 +1,9 @@
variable "default-region" {
type = string
description = "Default region for resources will be created"
}

variable "profile" {
type = string
description = "Profile name configured before running apply"
}
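Review bot: The `default-region` description is ungrammatical (`Default region for resources will be created`); suggest `description = "Default region in which resources will be created"`. The identical text is in the red variables.tf (L206), so both copies should be changed together. As a point of style, Terraform convention is underscores in variable names (`default_region`); the hyphenated name works but is unusual and is referenced from provider.tf and the tfvars files, so renaming would touch four files.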
@@ -0,0 +1,12 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances"
],
"Resource": "*"
}
]
}
@@ -0,0 +1,20 @@
terraform {
required_providers {
aws = {
source = "hashicorp/aws"
version = "~> 4"
}
}
}

provider "aws" {
profile = var.profile
region = var.default-region

default_tags {
tags = {
CustodianRule = "ecc-aws-571-stopped_rds_instances_removed"
ComplianceStatus = "Red"
}
}
}
62 changes: 62 additions & 0 deletions terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf
@@ -0,0 +1,62 @@
resource "random_password" "this" {
length = 12
special = true
numeric = true
override_special = "!#$%*()-_=+[]{}:?"
}

resource "aws_db_instance" "this" {
engine = "mysql"
engine_version = "5.7"
instance_class = "db.t2.micro"
allocated_storage = 10
storage_type = "gp2"
db_name = "database517red"
username = "root"
password = random_password.this.result
multi_az = false
skip_final_snapshot = true
identifier = "db-instance-571-red"
}

resource "null_resource" "cleanup_rds" {
depends_on = [
aws_db_instance.this
]
triggers = {
profile = var.profile
region = var.default-region
identifier = aws_db_instance.this.identifier
}
provisioner "local-exec" {
interpreter = ["/bin/bash", "-c"]
command = <<EOF
aws sts get-caller-identity
export AWS_PROFILE=${self.triggers.profile}
export AWS_REGION=${self.triggers.region}
aws sts get-caller-identity
while true; do
status="$(aws rds describe-db-instances --db-instance-identifier ${self.triggers.identifier} --query DBInstances[0].DBInstanceStatus --output text)"
if [ "$status" = "available" ]; then
aws rds stop-db-instance --db-instance-identifier ${self.triggers.identifier}
break
else
echo "Waiting for database: $rds to be available"
sleep 60
fi
done
while true; do
status="$(aws rds describe-db-instances --db-instance-identifier ${self.triggers.identifier} --query DBInstances[0].DBInstanceStatus --output text)"
if [ "$status" = "stopped" ]; then
break
else
echo "Waiting for database: $rds to be stopped"
sleep 60
fi
done
echo "RDS instance stopped."
EOF
}
}
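Review bot: The two progress messages `echo "Waiting for database: $rds to be available"` and `... $rds to be stopped"` reference a shell variable `$rds` that is never assigned anywhere in the heredoc, so they print an empty name; the identifier is already available as `${self.triggers.identifier}`. Both `while true` loops also have no exit other than reaching the wanted status, so an instance that ends in any other state (for example `failed`) or a `describe-db-instances` call that keeps erroring (empty `$status`, no `set -e`) leaves `terraform apply` hanging forever. The rewrite below replaces the two loops with one bounded polling helper, fixes the message, quotes the `--query` expression so the brackets cannot be globbed, and keeps a single `aws sts get-caller-identity` after the exports, which is the identity the later calls actually use. Note that the header says 62 additions while 60 lines are shown here, so two lines (probably blanks) did not survive rendering.
```hcl
    command = <<EOF
set -euo pipefail
export AWS_PROFILE=${self.triggers.profile}
export AWS_REGION=${self.triggers.region}
aws sts get-caller-identity
# Poll until the instance reports status $1; give up after 60 polls (~1 h) instead of looping forever.
wait_for_status() {
  local want="$1" attempt=0 status=""
  while [ "$attempt" -lt 60 ]; do
    status="$(aws rds describe-db-instances --db-instance-identifier ${self.triggers.identifier} --query 'DBInstances[0].DBInstanceStatus' --output text)"
    if [ "$status" = "$want" ]; then
      return 0
    fi
    echo "Waiting for database: ${self.triggers.identifier} to be $want (current: $status)"
    attempt=$((attempt + 1))
    sleep 60
  done
  echo "Timed out waiting for ${self.triggers.identifier} to become $want (last status: $status)" >&2
  return 1
}
wait_for_status available
aws rds stop-db-instance --db-instance-identifier ${self.triggers.identifier}
wait_for_status stopped
echo "RDS instance stopped."
EOF
```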
@@ -0,0 +1,2 @@
profile = "c7n"
default-region = "us-east-1"
@@ -0,0 +1,9 @@
variable "default-region" {
type = string
description = "Default region for resources will be created"
}

variable "profile" {
type = string
description = "Profile name configured before running apply"
}
@@ -0,0 +1,7 @@
class PolicyTest(object):

def test_resources(self, base_test, resources):
base_test.assertEqual(len(resources), 0)

def mock_time(self):
return 2023, 9, 20
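Review bot: `mock_time` returns the bare tuple `2023, 9, 20` with no explanation of why that date was chosen, and the class has no docstring, so a reader cannot tell which fixture value the date is relative to. Presumably it freezes "today" so the `expiration` comparison on `AutomaticRestartTime` is deterministic against the recorded placebo data; a docstring such as `"""Freeze 'today' at 2023-09-20 so the AutomaticRestartTime expiration filter evaluates deterministically against the recorded fixtures."""` (with the actual recording date confirmed) would make that explicit. As a point of style, `class PolicyTest(object)` can be `class PolicyTest:` on Python 3. Only the green case (`len(resources) == 0`) is visible in this chunk; if the red-side assertion is in one of the files not loaded here, fine, otherwise the policy's positive path is untested.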
@@ -0,0 +1,159 @@
{
"status_code": 200,
"data": {
"DBInstances": [
{
"DBInstanceIdentifier": "db-instance-571-green",
"DBInstanceClass": "db.t2.micro",
"Engine": "mysql",
"DBInstanceStatus": "available",
"MasterUsername": "root",
"DBName": "database517green",
"Endpoint": {
"Address": "db-instance-571-green.chhajgiktbgu.us-east-1.rds.amazonaws.com",
"Port": 3306,
"HostedZoneId": "Z2R2ITUGPM61AM"
},
"AllocatedStorage": 10,
"InstanceCreateTime": {
"__class__": "datetime",
"year": 2023,
"month": 9,
"day": 20,
"hour": 11,
"minute": 10,
"second": 50,
"microsecond": 101000
},
"PreferredBackupWindow": "06:41-07:11",
"BackupRetentionPeriod": 0,
"DBSecurityGroups": [],
"VpcSecurityGroups": [
{
"VpcSecurityGroupId": "sg-a5hni90",
"Status": "active"
}
],
"DBParameterGroups": [
{
"DBParameterGroupName": "default.mysql5.7",
"ParameterApplyStatus": "in-sync"
}
],
"AvailabilityZone": "us-east-1d",
"DBSubnetGroup": {
"DBSubnetGroupName": "default",
"DBSubnetGroupDescription": "default",
"VpcId": "vpc-a525544d0",
"SubnetGroupStatus": "Complete",
"Subnets": [
{
"SubnetIdentifier": "subnet-cd736528ec",
"SubnetAvailabilityZone": {
"Name": "us-east-1c"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-fa28887",
"SubnetAvailabilityZone": {
"Name": "us-east-1d"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-24222252a",
"SubnetAvailabilityZone": {
"Name": "us-east-1f"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-b043336",
"SubnetAvailabilityZone": {
"Name": "us-east-1b"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-555563",
"SubnetAvailabilityZone": {
"Name": "us-east-1e"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
},
{
"SubnetIdentifier": "subnet-82222de",
"SubnetAvailabilityZone": {
"Name": "us-east-1a"
},
"SubnetOutpost": {},
"SubnetStatus": "Active"
}
]
},
"PreferredMaintenanceWindow": "wed:07:46-wed:08:16",
"PendingModifiedValues": {},
"MultiAZ": false,
"EngineVersion": "5.7.42",
"AutoMinorVersionUpgrade": true,
"ReadReplicaDBInstanceIdentifiers": [],
"LicenseModel": "general-public-license",
"OptionGroupMemberships": [
{
"OptionGroupName": "default:mysql-5-7",
"Status": "in-sync"
}
],
"PubliclyAccessible": false,
"StorageType": "gp2",
"DbInstancePort": 0,
"StorageEncrypted": false,
"DbiResourceId": "db-6LJIUNBB42MF4W5OLEL46YRVKM",
"CACertificateIdentifier": "rds-ca-2019",
"DomainMemberships": [],
"CopyTagsToSnapshot": false,
"MonitoringInterval": 0,
"DBInstanceArn": "arn:aws:rds:us-east-1:111111111111:db:db-instance-571-green",
"IAMDatabaseAuthenticationEnabled": false,
"PerformanceInsightsEnabled": false,
"DeletionProtection": false,
"AssociatedRoles": [],
"TagList": [
{
"Key": "CustodianRule",
"Value": "ecc-aws-571-stopped_rds_instances_removed"
},
{
"Key": "ComplianceStatus",
"Value": "Green"
}
],
"CustomerOwnedIpEnabled": false,
"ActivityStreamStatus": "stopped",
"BackupTarget": "region",
"NetworkType": "IPV4",
"StorageThroughput": 0,
"CertificateDetails": {
"CAIdentifier": "rds-ca-2019",
"ValidTill": {
"__class__": "datetime",
"year": 2024,
"month": 8,
"day": 22,
"hour": 17,
"minute": 8,
"second": 50,
"microsecond": 0
}
}
}
],
"ResponseMetadata": {}
}
}
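Review bot: This green fixture has `"DBInstanceStatus": "available"` and no `AutomaticRestartTime` key, so the second filter's `expiration` arithmetic is never evaluated on the green side; a second green record that is `stopped` but whose `AutomaticRestartTime` is more than four days after the mocked date would also confirm the threshold logic, presumably without changing the expected count. Sanitisation is inconsistent: the account id in `DBInstanceArn` is masked to `111111111111`, but the endpoint subdomain `chhajgiktbgu` and `DbiResourceId` `db-6LJIUNBB42MF4W5OLEL46YRVKM` look like unmodified values from the recording environment, and committed fixtures should scrub every account-specific identifier the same way. The `"DBName": "database517green"` value mirrors the `db_name` in green/rds.tf, so both must change together if the `517`/`571` mismatch is fixed there.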