From 52540332468f03dfcc1a2b931e09181152b324f1 Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Thu, 21 Sep 2023 09:48:53 +0300 Subject: [PATCH] new: added policy ecc-aws-571-stopped_rds_instances_removed --- ...-aws-571-stopped_rds_instances_removed.yml | 22 +++ .../green/provider.tf | 20 +++ .../green/rds.tf | 20 +++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 + .../iam/571-policy.json | 12 ++ .../red/provider.tf | 20 +++ .../red/rds.tf | 62 +++++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 + .../green_policy_test.py | 7 + .../rds.DescribeDBInstances_1.json | 159 ++++++++++++++++ .../rds.DescribeDBInstances_1.json | 169 ++++++++++++++++++ .../red_policy_test.py | 15 ++ 14 files changed, 528 insertions(+) create mode 100644 policies/ecc-aws-571-stopped_rds_instances_removed.yml create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/red/terraform.tfvars create mode 100644 terraform/ecc-aws-571-stopped_rds_instances_removed/red/variables.tf create mode 100644 tests/ecc-aws-571-stopped_rds_instances_removed/green_policy_test.py create mode 100644 tests/ecc-aws-571-stopped_rds_instances_removed/placebo-green/rds.DescribeDBInstances_1.json create mode 100644 tests/ecc-aws-571-stopped_rds_instances_removed/placebo-red/rds.DescribeDBInstances_1.json create mode 100644 tests/ecc-aws-571-stopped_rds_instances_removed/red_policy_test.py 
diff --git a/policies/ecc-aws-571-stopped_rds_instances_removed.yml b/policies/ecc-aws-571-stopped_rds_instances_removed.yml
new file mode 100644
index 000000000..dc9ed25e4
--- /dev/null
+++ b/policies/ecc-aws-571-stopped_rds_instances_removed.yml
@@ -0,0 +1,22 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-571-stopped_rds_instances_removed
+ comment: '010002062000'
+ description: |
+ RDS DB instances
+ resource: aws.rds
+ filters:
+ - type: value
+ key: DBInstanceStatus
+ value: stopped
+ - type: value
+ key: AutomaticRestartTime
+ value: 4
+ value_type: expiration
+ op: lte
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf
new file mode 100644
index 000000000..fac14686d
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-571-stopped_rds_instances_removed"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf
new file mode 100644
index 000000000..2d86be1b9
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/rds.tf
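Review bot: The policy's `description` is the placeholder `RDS DB instances` and does not say what the two filters select, which matters here because the `value: 4` threshold on `AutomaticRestartTime` is not self-explanatory. Something like `description: Stopped RDS DB instances that AWS will restart automatically within 4 days; instances no longer needed should be snapshotted and deleted instead` would state the intent. As far as I recall, `value_type: expiration` with `op: lte` and `value: 4` matches when `AutomaticRestartTime` is at or before now plus four days, which on the seven-day auto-restart cycle means an instance stopped for roughly three days or more; please confirm that window is what the rule owner intends. A comment above the `value: 4` line such as `# stopped instances are auto-started after 7 days; flag them 4 days before that` would record the reasoning for the next maintainer.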
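Review bot: `required_providers` in green/provider.tf pins only `aws`, but green/rds.tf creates a `random_password` resource, so `hashicorp/random` is resolved implicitly and with no version constraint; red/provider.tf has the same gap relative to red/rds.tf. Adding `random = { source = "hashicorp/random" }` with a `version` constraint next to the `aws` entry keeps `terraform init` reproducible across machines and matches how `aws` is already pinned. The two provider.tf files differ only in the `ComplianceStatus` tag; if the repo has a shared module or variable for these fixtures, reusing it would avoid the copy drifting.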
@@ -0,0 +1,20 @@
+resource "random_password" "this" {
+ length = 12
+ special = true
+ numeric = true
+ override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+ engine = "mysql"
+ engine_version = "5.7"
+ instance_class = "db.t2.micro"
+ allocated_storage = 10
+ storage_type = "gp2"
+ db_name = "database517green"
+ username = "root"
+ password = random_password.this.result
+ multi_az = false
+ skip_final_snapshot = true
+ identifier = "db-instance-571-green"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json b/terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json
new file mode 100644
index 000000000..021fa87cd
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/iam/571-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
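Review bot: `db_name = "database517green"` transposes the rule number — the `identifier` a few lines below is `db-instance-571-green` and every path in this commit uses 571 — so `db_name = "database571green"` keeps the fixture traceable to the rule; red/rds.tf carries the same transposition in `database517red`. `storage_encrypted` is left at its default, so the fixture stands up an unencrypted instance; encryption is irrelevant to what this rule tests, so `storage_encrypted = true` costs nothing and avoids the temporary instance looking like a finding under other rules while it exists. `engine_version = "5.7"` was scheduled to leave RDS standard support shortly after this commit's date, so a currently supported MySQL version would keep the fixture creatable without extended-support charges; worth confirming against what the other fixtures in the repo use.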
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf
new file mode 100644
index 000000000..47ff4b2f9
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-571-stopped_rds_instances_removed"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf
new file mode 100644
index 000000000..c1b8792c2
--- /dev/null
+++ b/terraform/ecc-aws-571-stopped_rds_instances_removed/red/rds.tf
@@ -0,0 +1,62 @@
+resource "random_password" "this" {
+ length = 12
+ special = true
+ numeric = true
+ override_special = "!#$%*()-_=+[]{}:?"
+}
+
+resource "aws_db_instance" "this" {
+ engine = "mysql"
+ engine_version = "5.7"
+ instance_class = "db.t2.micro"
+ allocated_storage = 10
+ storage_type = "gp2"
+ db_name = "database517red"
+ username = "root"
+ password = random_password.this.result
+ multi_az = false
+ skip_final_snapshot = true
+ identifier = "db-instance-571-red"
+}
+
+resource "null_resource" "cleanup_rds" {
+ depends_on = [
+ aws_db_instance.this
+ ]
+ triggers = {
+ profile = var.profile
+ region = var.default-region
+ identifier = aws_db_instance.this.identifier
+ }
+ provisioner "local-exec" {
+ interpreter = ["/bin/bash", "-c"]
+ command = <