From 720e200b3b6421354bd6cf1cdafe7ab9e6a4dfe3 Mon Sep 17 00:00:00 2001 From: Vladyslav Yevsiukov Date: Wed, 23 Aug 2023 13:07:02 +0000 Subject: [PATCH] new: added policy ecc-aws-547-rds_instance_generation --- .../ecc-aws-547-rds_instance_generation.yml | 18 ++ .../green/provider.tf | 20 +++ .../green/rds.tf | 18 ++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 + .../iam/547-policy.json | 13 ++ .../rds.DescribeDBInstances_1.json | 159 ++++++++++++++++++ .../rds.DescribeDBInstances_1.json | 159 ++++++++++++++++++ .../red_policy_test.py | 5 + 9 files changed, 403 insertions(+) create mode 100644 policies/ecc-aws-547-rds_instance_generation.yml create mode 100644 terraform/ecc-aws-547-rds_instance_generation/green/provider.tf create mode 100644 terraform/ecc-aws-547-rds_instance_generation/green/rds.tf create mode 100644 terraform/ecc-aws-547-rds_instance_generation/green/terraform.tfvars create mode 100644 terraform/ecc-aws-547-rds_instance_generation/green/variables.tf create mode 100644 terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json create mode 100644 tests/ecc-aws-547-rds_instance_generation/placebo-green/rds.DescribeDBInstances_1.json create mode 100644 tests/ecc-aws-547-rds_instance_generation/placebo-red/rds.DescribeDBInstances_1.json create mode 100644 tests/ecc-aws-547-rds_instance_generation/red_policy_test.py diff --git a/policies/ecc-aws-547-rds_instance_generation.yml b/policies/ecc-aws-547-rds_instance_generation.yml new file mode 100644 index 000000000..eab5fa652 --- /dev/null +++ b/policies/ecc-aws-547-rds_instance_generation.yml @@ -0,0 +1,18 @@ +# Copyright (c) 2023 EPAM Systems, Inc. +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. + + +policies: + - name: ecc-aws-547-rds_instance_generation + description: | + RDS instance is not using last generation classes + resource: rds + filters: + - type: value + key: DBInstanceClass + op: regex + value: 'db.(m1|m2|m3|m4|r3|r4|cr1|t1|t2).[^\s]+' + comment: '0006062000' \ No newline at end of file diff --git a/terraform/ecc-aws-547-rds_instance_generation/green/provider.tf b/terraform/ecc-aws-547-rds_instance_generation/green/provider.tf new file mode 100644 index 000000000..f21a577dd --- /dev/null +++ b/terraform/ecc-aws-547-rds_instance_generation/green/provider.tf @@ -0,0 +1,20 @@ +terraform { + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 4" + } + } +} + +provider "aws" { + profile = var.profile + region = var.default-region + + default_tags { + tags = { + CustodianRule = "ecc-aws-547-rds_instance_generation" + ComplianceStatus = "Green" + } + } +} diff --git a/terraform/ecc-aws-547-rds_instance_generation/green/rds.tf b/terraform/ecc-aws-547-rds_instance_generation/green/rds.tf new file mode 100644 index 000000000..b8d4b175b --- /dev/null +++ b/terraform/ecc-aws-547-rds_instance_generation/green/rds.tf @@ -0,0 +1,18 @@ +resource "random_password" "this" { + length = 12 + special = true + numeric = true + override_special = "!#$%*()-_=+[]{}:?" +} + +resource "aws_db_instance" "this" { + allocated_storage = 10 + engine = "mysql" + engine_version = "5.7" + instance_class = "db.t3.micro" + db_name = "database547green" + username = "root" + password = random_password.this.result + parameter_group_name = "default.mysql5.7" + skip_final_snapshot = true +} diff --git a/terraform/ecc-aws-547-rds_instance_generation/green/terraform.tfvars b/terraform/ecc-aws-547-rds_instance_generation/green/terraform.tfvars new file mode 100644 index 000000000..e1e2d2fa8 --- /dev/null +++ b/terraform/ecc-aws-547-rds_instance_generation/green/terraform.tfvars @@ -0,0 +1,2 @@ +profile = "c7n" +default-region = "us-east-1" diff --git a/terraform/ecc-aws-547-rds_instance_generation/green/variables.tf b/terraform/ecc-aws-547-rds_instance_generation/green/variables.tf new file mode 100644 index 000000000..c8b410c24 --- /dev/null +++ b/terraform/ecc-aws-547-rds_instance_generation/green/variables.tf @@ -0,0 +1,9 @@ +variable "default-region" { + type = string + description = "Default region for resources will be created" +} + +variable "profile" { + type = string + description = "Profile name configured before running apply" +} diff --git a/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json b/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json new file mode 100644 index 000000000..805b5cf76 --- /dev/null +++ b/terraform/ecc-aws-547-rds_instance_generation/iam/547-policy.json @@ -0,0 +1,13 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "rds:DescribeDBInstances", + "tag:GetResources" + ], + "Resource": "*" + } + ] +} diff --git a/tests/ecc-aws-547-rds_instance_generation/placebo-green/rds.DescribeDBInstances_1.json b/tests/ecc-aws-547-rds_instance_generation/placebo-green/rds.DescribeDBInstances_1.json new file mode 100644 index 000000000..76aa2f5ad --- /dev/null +++ b/tests/ecc-aws-547-rds_instance_generation/placebo-green/rds.DescribeDBInstances_1.json @@ -0,0 +1,159 @@ +{ + "status_code": 200, + "data": { + "DBInstances": [ + { + "DBInstanceIdentifier": "terraform-20230823091231067100000001", + "DBInstanceClass": "db.t3.micro", + "Engine": "mysql", + "DBInstanceStatus": "available", + "MasterUsername": "root", + "DBName": "database547green", + "Endpoint": { + "Address": "terraform-20230823091231067100000001.chhajgiktbgu.us-east-1.rds.amazonaws.com", + "Port": 3306, + "HostedZoneId": "Z2R2ITUGPM61AM" + }, + "AllocatedStorage": 10, + "InstanceCreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 8, + "day": 23, + "hour": 9, + "minute": 16, + "second": 59, + "microsecond": 464000 + }, + "PreferredBackupWindow": "10:24-10:54", + "BackupRetentionPeriod": 0, + "DBSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-a5befc90", + "Status": "active" + } + ], + "DBParameterGroups": [ + { + "DBParameterGroupName": "default.mysql5.7", + "ParameterApplyStatus": "in-sync" + } + ], + "AvailabilityZone": "us-east-1b", + "DBSubnetGroup": { + "DBSubnetGroupName": "default", + "DBSubnetGroupDescription": "default", + "VpcId": "vpc-ad9744d0", + "SubnetGroupStatus": "Complete", + "Subnets": [ + { + "SubnetIdentifier": "subnet-cd7af8ec", + "SubnetAvailabilityZone": { + "Name": "us-east-1c" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-fa9dcab7", + "SubnetAvailabilityZone": { + "Name": "us-east-1d" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-247c052a", + "SubnetAvailabilityZone": { + "Name": "us-east-1f" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-b045c2d6", + "SubnetAvailabilityZone": { + "Name": "us-east-1b" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-5264af63", + "SubnetAvailabilityZone": { + "Name": "us-east-1e" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-8158d8de", + "SubnetAvailabilityZone": { + "Name": "us-east-1a" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + } + ] + }, + "PreferredMaintenanceWindow": "thu:05:49-thu:06:19", + "PendingModifiedValues": {}, + "MultiAZ": false, + "EngineVersion": "5.7.42", + "AutoMinorVersionUpgrade": true, + "ReadReplicaDBInstanceIdentifiers": [], + "LicenseModel": "general-public-license", + "OptionGroupMemberships": [ + { + "OptionGroupName": "default:mysql-5-7", + "Status": "in-sync" + } + ], + "PubliclyAccessible": false, + "StorageType": "gp2", + "DbInstancePort": 0, + "StorageEncrypted": false, + "DbiResourceId": "db-5SO5CZSH3RYLAIOKDA376WTVBU", + "CACertificateIdentifier": "rds-ca-2019", + "DomainMemberships": [], + "CopyTagsToSnapshot": false, + "MonitoringInterval": 0, + "DBInstanceArn": "arn:aws:rds:us-east-1:111111111111:db:terraform-20230823091231067100000001", + "IAMDatabaseAuthenticationEnabled": false, + "PerformanceInsightsEnabled": false, + "DeletionProtection": false, + "AssociatedRoles": [], + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-547-rds_instance_generation" + }, + { + "Key": "ComplianceStatus", + "Value": "Green" + } + ], + "CustomerOwnedIpEnabled": false, + "ActivityStreamStatus": "stopped", + "BackupTarget": "region", + "NetworkType": "IPV4", + "StorageThroughput": 0, + "CertificateDetails": { + "CAIdentifier": "rds-ca-2019", + "ValidTill": { + "__class__": "datetime", + "year": 2024, + "month": 8, + "day": 22, + "hour": 17, + "minute": 8, + "second": 50, + "microsecond": 0 + } + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-547-rds_instance_generation/placebo-red/rds.DescribeDBInstances_1.json b/tests/ecc-aws-547-rds_instance_generation/placebo-red/rds.DescribeDBInstances_1.json new file mode 100644 index 000000000..e500b2d95 --- /dev/null +++ b/tests/ecc-aws-547-rds_instance_generation/placebo-red/rds.DescribeDBInstances_1.json @@ -0,0 +1,159 @@ +{ + "status_code": 200, + "data": { + "DBInstances": [ + { + "DBInstanceIdentifier": "terraform-20230823091231061100000001", + "DBInstanceClass": "db.t1.micro", + "Engine": "mysql", + "DBInstanceStatus": "available", + "MasterUsername": "root", + "DBName": "database547red", + "Endpoint": { + "Address": "terraform-20230823091231061100000001.chhajgiktbgu.us-east-1.rds.amazonaws.com", + "Port": 3306, + "HostedZoneId": "Z2R2ITUGPM61AM" + }, + "AllocatedStorage": 10, + "InstanceCreateTime": { + "__class__": "datetime", + "year": 2023, + "month": 8, + "day": 23, + "hour": 9, + "minute": 16, + "second": 59, + "microsecond": 464000 + }, + "PreferredBackupWindow": "10:24-10:54", + "BackupRetentionPeriod": 0, + "DBSecurityGroups": [], + "VpcSecurityGroups": [ + { + "VpcSecurityGroupId": "sg-a5befc90", + "Status": "active" + } + ], + "DBParameterGroups": [ + { + "DBParameterGroupName": "default.mysql5.7", + "ParameterApplyStatus": "in-sync" + } + ], + "AvailabilityZone": "us-east-1b", + "DBSubnetGroup": { + "DBSubnetGroupName": "default", + "DBSubnetGroupDescription": "default", + "VpcId": "vpc-ad9744d0", + "SubnetGroupStatus": "Complete", + "Subnets": [ + { + "SubnetIdentifier": "subnet-cd7af8ec", + "SubnetAvailabilityZone": { + "Name": "us-east-1c" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-fa9dcab7", + "SubnetAvailabilityZone": { + "Name": "us-east-1d" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-247c052a", + "SubnetAvailabilityZone": { + "Name": "us-east-1f" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-b045c2d6", + "SubnetAvailabilityZone": { + "Name": "us-east-1b" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-5264af63", + "SubnetAvailabilityZone": { + "Name": "us-east-1e" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + }, + { + "SubnetIdentifier": "subnet-8158d8de", + "SubnetAvailabilityZone": { + "Name": "us-east-1a" + }, + "SubnetOutpost": {}, + "SubnetStatus": "Active" + } + ] + }, + "PreferredMaintenanceWindow": "thu:05:49-thu:06:19", + "PendingModifiedValues": {}, + "MultiAZ": false, + "EngineVersion": "5.7.42", + "AutoMinorVersionUpgrade": true, + "ReadReplicaDBInstanceIdentifiers": [], + "LicenseModel": "general-public-license", + "OptionGroupMemberships": [ + { + "OptionGroupName": "default:mysql-5-7", + "Status": "in-sync" + } + ], + "PubliclyAccessible": false, + "StorageType": "gp2", + "DbInstancePort": 0, + "StorageEncrypted": false, + "DbiResourceId": "db-5SO5CZSH3RYLAIOKDA376WTVBU", + "CACertificateIdentifier": "rds-ca-2019", + "DomainMemberships": [], + "CopyTagsToSnapshot": false, + "MonitoringInterval": 0, + "DBInstanceArn": "arn:aws:rds:us-east-1:111111111111:db:terraform-20230823091231061100000001", + "IAMDatabaseAuthenticationEnabled": false, + "PerformanceInsightsEnabled": false, + "DeletionProtection": false, + "AssociatedRoles": [], + "TagList": [ + { + "Key": "CustodianRule", + "Value": "ecc-aws-547-rds_instance_generation" + }, + { + "Key": "ComplianceStatus", + "Value": "Red" + } + ], + "CustomerOwnedIpEnabled": false, + "ActivityStreamStatus": "stopped", + "BackupTarget": "region", + "NetworkType": "IPV4", + "StorageThroughput": 0, + "CertificateDetails": { + "CAIdentifier": "rds-ca-2019", + "ValidTill": { + "__class__": "datetime", + "year": 2024, + "month": 8, + "day": 22, + "hour": 17, + "minute": 8, + "second": 50, + "microsecond": 0 + } + } + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-547-rds_instance_generation/red_policy_test.py b/tests/ecc-aws-547-rds_instance_generation/red_policy_test.py new file mode 100644 index 000000000..a96721e1d --- /dev/null +++ b/tests/ecc-aws-547-rds_instance_generation/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertEqual(resources[0]['DBInstanceClass'], 'db.t1.micro') \ No newline at end of file