diff --git a/policies/ecc-aws-571-stopped_rds_instances_removed.yml b/policies/ecc-aws-571-stopped_rds_instances_removed.yml
new file mode 100644
index 000000000..dc9ed25e4
--- /dev/null
+++ b/policies/ecc-aws-571-stopped_rds_instances_removed.yml
@@ -0,0 +1,22 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-571-stopped_rds_instances_removed
+ comment: '010002062000'
+ description: |
+ RDS DB instances
+ resource: aws.rds
+ filters:
+ - type: value
+ key: DBInstanceStatus
+ value: stopped
+ - type: value
+ key: AutomaticRestartTime
+ value: 4
+ value_type: expiration
+ op: lte
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf
new file mode 100644
index 000000000..fac14686d
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-571-stopped_rds_instances_removed"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf
new file mode 100644
index 000000000..2d86be1b9
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf
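Review bot: The `description` block holds only `RDS DB instances`, which tells an operator nothing about what a finding means; it should state the condition the two filters encode, e.g. `Stopped RDS DB instances whose AutomaticRestartTime falls within the next 4 days; stopped instances that are no longer needed should be deleted rather than left to auto-restart`. As I read Custodian's `expiration` value type, `value: 4` with `op: lte` selects instances whose restart time is at most 4 days from now, so the number quoted in the description must be kept in step with `value`. The policy declares no `actions`, so it only reports; saying so in the description keeps it consistent with the Describe-only IAM policy added in iam/571-policy.json.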
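Review bot: `required_providers` pins only `hashicorp/aws`, but green/rds.tf declares a `random_password` resource, so the `random` provider is resolved implicitly and unpinned at `terraform init`; the same applies to red/provider.tf, where red/rds.tf additionally uses `null_resource`. Add `random = { source = "hashicorp/random" }` (and `null = { source = "hashicorp/null" }` on the red side) with a version constraint in the same style as the `aws` entry, so both fixtures resolve reproducibly. A one-line comment above the block, `# every provider the fixture uses is pinned here, not just aws`, would keep the next rule from repeating the omission.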
@@ -0,0 +1,20 @@
+resource "random_password" "this" {
+ length = 12
+ special = true
+ numeric = true
+ override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+ engine = "mysql"
+ engine_version = "5.7"
+ instance_class = "db.t2.micro"
+ allocated_storage = 10
+ storage_type = "gp2"
+ db_name = "database517green"
+ username = "root"
+ password = random_password.this.result
+ multi_az = false
+ skip_final_snapshot = true
+ identifier = "db-instance-571-green"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json b/terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json
new file mode 100644
index 000000000..021fa87cd
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
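Review bot: `db_name = "database517green"` does not match the rule number used everywhere else in this fixture (`identifier = "db-instance-571-green"`, the `CustodianRule` tag in provider.tf), which looks like a transposition of 571; red/rds.tf carries the same `database517red`. Rename to `db_name = "database571green"` and `db_name = "database571red"` so the database is traceable to the rule when it shows up in Custodian output. The `skip_final_snapshot = true` and `username = "root"` settings are reasonable for a disposable test instance but read as production anti-patterns without context; a comment such as `# throwaway test fixture: no final snapshot, generated master password only lives in state` would make the intent explicit.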
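Review bot: The description of `default-region` reads `Default region for resources will be created`, which is ungrammatical; use `description = "Default region in which resources will be created"`. The `profile` description would also be clearer as `description = "Name of the AWS CLI profile to use; it must be configured before running apply"`. The same two variable definitions are presumably repeated on the red side, so apply the wording there as well.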
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf
new file mode 100644
index 000000000..47ff4b2f9
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-571-stopped_rds_instances_removed"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf
new file mode 100644
index 000000000..c1b8792c2
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf
@@ -0,0 +1,62 @@
+resource "random_password" "this" {
+ length = 12
+ special = true
+ numeric = true
+ override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+ engine = "mysql"
+ engine_version = "5.7"
+ instance_class = "db.t2.micro"
+ allocated_storage = 10
+ storage_type = "gp2"
+ db_name = "database517red"
+ username = "root"
+ password = random_password.this.result
+ multi_az = false
+ skip_final_snapshot = true
+ identifier = "db-instance-571-red"
+}
+
+resource "null_resource" "cleanup_rds" {
+ depends_on = [
+ aws_db_instance.this
+ ]
+ triggers = {
+ profile = var.profile
+ region = var.default-region
+ identifier = aws_db_instance.this.identifier
+ }
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = <