From da4fcbac8becef637fb373283b2bb5ce42d2b0fe Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Mon, 18 Sep 2023 15:51:45 +0300 Subject: [PATCH] new: added policy ecc-aws-553-unused_clb --- policies/ecc-aws-553-unused_clb.yml | 17 +++++ terraform/ecc-aws-553-unused_clb/green/clb.tf | 24 +++++++ terraform/ecc-aws-553-unused_clb/green/ec2.tf | 52 ++++++++++++++ .../ecc-aws-553-unused_clb/green/provider.tf | 20 ++++++ .../green/terraform.tfvars | 2 + .../ecc-aws-553-unused_clb/green/userdata.sh | 7 ++ .../ecc-aws-553-unused_clb/green/variables.tf | 9 +++ .../iam/553-policy.json | 14 ++++ terraform/ecc-aws-553-unused_clb/red/clb.tf | 15 ++++ .../ecc-aws-553-unused_clb/red/provider.tf | 20 ++++++ .../red/terraform.tfvars | 2 + .../ecc-aws-553-unused_clb/red/variables.tf | 9 +++ terraform/ecc-aws-553-unused_clb/red2/clb.tf | 43 +++++++++++ .../ecc-aws-553-unused_clb/red2/provider.tf | 20 ++++++ .../red2/terraform.tfvars | 2 + .../ecc-aws-553-unused_clb/red2/variables.tf | 9 +++ ...loadbalancing.DescribeLoadBalancers_1.json | 72 +++++++++++++++++++ .../placebo-green/tagging.GetResources_1.json | 22 ++++++ ...loadbalancing.DescribeLoadBalancers_1.json | 71 ++++++++++++++++++ .../placebo-red/tagging.GetResources_1.json | 22 ++++++ .../ecc-aws-553-unused_clb/red_policy_test.py | 5 ++ 21 files changed, 457 insertions(+) create mode 100644 policies/ecc-aws-553-unused_clb.yml create mode 100644 terraform/ecc-aws-553-unused_clb/green/clb.tf create mode 100644 terraform/ecc-aws-553-unused_clb/green/ec2.tf create mode 100644 terraform/ecc-aws-553-unused_clb/green/provider.tf create mode 100644 terraform/ecc-aws-553-unused_clb/green/terraform.tfvars create mode 100644 terraform/ecc-aws-553-unused_clb/green/userdata.sh create mode 100644 terraform/ecc-aws-553-unused_clb/green/variables.tf create mode 100644 terraform/ecc-aws-553-unused_clb/iam/553-policy.json create mode 100644 terraform/ecc-aws-553-unused_clb/red/clb.tf create mode 100644 terraform/ecc-aws-553-unused_clb/red/provider.tf create mode 100644 
terraform/ecc-aws-553-unused_clb/red/terraform.tfvars
create mode 100644 terraform/ecc-aws-553-unused_clb/red/variables.tf
create mode 100644 terraform/ecc-aws-553-unused_clb/red2/clb.tf
create mode 100644 terraform/ecc-aws-553-unused_clb/red2/provider.tf
create mode 100644 terraform/ecc-aws-553-unused_clb/red2/terraform.tfvars
create mode 100644 terraform/ecc-aws-553-unused_clb/red2/variables.tf
create mode 100644 tests/ecc-aws-553-unused_clb/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json
create mode 100644 tests/ecc-aws-553-unused_clb/placebo-green/tagging.GetResources_1.json
create mode 100644 tests/ecc-aws-553-unused_clb/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json
create mode 100644 tests/ecc-aws-553-unused_clb/placebo-red/tagging.GetResources_1.json
create mode 100644 tests/ecc-aws-553-unused_clb/red_policy_test.py
diff --git a/policies/ecc-aws-553-unused_clb.yml b/policies/ecc-aws-553-unused_clb.yml
new file mode 100644
index 000000000..f77017212
--- /dev/null
+++ b/policies/ecc-aws-553-unused_clb.yml
@@ -0,0 +1,17 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-553-unused_clb
+ comment: '010002022000'
+ description: |
+ Classic Load Balancers without attached instances
+ resource: aws.elb
+ filters:
+ - type: value
+ key: Instances
+ value: empty
\ No newline at end of file
diff --git a/terraform/ecc-aws-553-unused_clb/green/clb.tf b/terraform/ecc-aws-553-unused_clb/green/clb.tf
new file mode 100644
index 000000000..b0855a1fd
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/green/clb.tf
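Review bot: The `description` in the policy hunk states what is matched but not why it matters; the `Instances`/`empty` filter flags a Classic Load Balancer that keeps a public DNS name and an open listener alive, and accrues charges, while forwarding to nothing. Suggest expanding it to `Classic Load Balancers without attached instances: an unused CLB still exposes its listener and incurs cost; delete it or register backends`. Note also that `value: empty` tests registration only — a CLB whose registered instances are all OutOfService is not reported by this filter, which is worth saying in the description because the red2 fixture in this commit looks like exactly that case.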
@@ -0,0 +1,24 @@
+data "aws_availability_zones" "this" {
+ state = "available"
+}
+
+resource "aws_elb" "this" {
+ name = "clb-553-green"
+ subnets = [data.aws_subnets.this.ids[0]]
+ security_groups = ["${aws_security_group.this.id}"]
+
+ listener {
+ instance_port = 80
+ instance_protocol = "http"
+ lb_port = 80
+ lb_protocol = "http"
+ }
+ health_check {
+ healthy_threshold = 2
+ unhealthy_threshold = 2
+ timeout = 3
+ target = "HTTP:80/"
+ interval = 30
+ }
+ instances = ["${aws_instance.this.id}"]
+}
diff --git a/terraform/ecc-aws-553-unused_clb/green/ec2.tf b/terraform/ecc-aws-553-unused_clb/green/ec2.tf
new file mode 100644
index 000000000..fc47e9866
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/green/ec2.tf
@@ -0,0 +1,52 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t2.micro"
+ user_data = file("userdata.sh")
+ vpc_security_group_ids = ["${aws_security_group.this.id}"]
+ subnet_id = data.aws_subnets.this.ids[0]
+ key_name = "anna_shcherbak_key"
+ tags = {
+ Name = "553_instance_green"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_subnets" "this" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ }
+}
+
+resource "aws_security_group" "this" {
+ name = "553_sg_green"
+ description = "http on port 80"
+ vpc_id = data.aws_vpc.default.id
+
+ ingress {
+ from_port = 80
+ to_port = 80
+ protocol = "tcp"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/terraform/ecc-aws-553-unused_clb/green/provider.tf b/terraform/ecc-aws-553-unused_clb/green/provider.tf
new file mode 100644
index 000000000..ff6cdac7e
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/green/provider.tf
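Review bot: `security_groups = ["${aws_security_group.this.id}"]` and `instances = ["${aws_instance.this.id}"]` in the green `aws_elb` use the legacy interpolation-only quoting that Terraform 0.12+ warns about; write them as `security_groups = [aws_security_group.this.id]` and `instances = [aws_instance.this.id]`. The `data "aws_availability_zones" "this"` block at the top of the hunk is not referenced anywhere in the green configuration (the CLB is placed by `subnets`), so it can be dropped. The same quoting appears in green/ec2.tf and red2/clb.tf.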
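Review bot: The `aws_security_group.this` ingress rule in green/ec2.tf opens port 80 to `0.0.0.0/0`, and the same group is attached directly to the instance through `vpc_security_group_ids`, so the backend in the default VPC is reachable from the internet on its own address rather than only through the CLB. The instance only needs to accept traffic from the load balancer, so give it its own group whose ingress references the CLB group instead of a CIDR, as sketched below, and point `vpc_security_group_ids` at it. `key_name = "anna_shcherbak_key"` hard-codes a personal key pair, so `terraform apply` fails for anyone who does not own it — make it a variable with a `null` default or drop it, since nothing in the fixture needs SSH. `user_data = file("userdata.sh")` resolves relative to the working directory; `file("${path.module}/userdata.sh")` is the robust form.
```hcl
resource "aws_security_group" "instance" {
  name        = "553_sg_green_instance"
  description = "http from the CLB only"
  vpc_id      = data.aws_vpc.default.id

  ingress {
    from_port       = 80
    to_port         = 80
    protocol        = "tcp"
    security_groups = [aws_security_group.this.id]
  }
  # … egress rule as in aws_security_group.this …
}

# in resource "aws_instance" "this":
vpc_security_group_ids = [aws_security_group.instance.id]
```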
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-553-unused_clb"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-553-unused_clb/green/terraform.tfvars b/terraform/ecc-aws-553-unused_clb/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-553-unused_clb/green/userdata.sh b/terraform/ecc-aws-553-unused_clb/green/userdata.sh
new file mode 100644
index 000000000..e21520d68
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/green/userdata.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+sudo yum update -y
+sudo yum install -y amazon-linux-extras
+sudo amazon-linux-extras enable nginx1
+sudo amazon-linux-extras install nginx1
+sudo systemctl start nginx.service
+sudo systemctl enable nginx.service
\ No newline at end of file
diff --git a/terraform/ecc-aws-553-unused_clb/green/variables.tf b/terraform/ecc-aws-553-unused_clb/green/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-553-unused_clb/iam/553-policy.json b/terraform/ecc-aws-553-unused_clb/iam/553-policy.json
new file mode 100644
index 000000000..c29352b0e
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/iam/553-policy.json
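Review bot: userdata.sh has no error handling, so if `amazon-linux-extras install nginx1` fails the instance still boots, the CLB health check on `HTTP:80/` never passes, and the failure is only visible in the cloud-init log; add `set -euo pipefail` on the line after the shebang. Every command is prefixed with `sudo`, but cloud-init runs user data as root, so the prefixes are noise and can be dropped. `yum install -y amazon-linux-extras` is presumably redundant on the amzn2 AMI selected in ec2.tf, where the tool ships preinstalled — confirm before removing.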
@@ -0,0 +1,14 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeTags",
+ "tag:GetResources"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-553-unused_clb/red/clb.tf b/terraform/ecc-aws-553-unused_clb/red/clb.tf
new file mode 100644
index 000000000..4042722c0
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red/clb.tf
@@ -0,0 +1,15 @@
+data "aws_availability_zones" "this" {
+ state = "available"
+}
+
+resource "aws_elb" "this" {
+ name = "clb-553-red"
+ availability_zones = data.aws_availability_zones.this.names
+
+ listener {
+ instance_port = 8000
+ instance_protocol = "http"
+ lb_port = 80
+ lb_protocol = "http"
+ }
+}
diff --git a/terraform/ecc-aws-553-unused_clb/red/provider.tf b/terraform/ecc-aws-553-unused_clb/red/provider.tf
new file mode 100644
index 000000000..c6682dd9f
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-553-unused_clb"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-553-unused_clb/red/terraform.tfvars b/terraform/ecc-aws-553-unused_clb/red/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-553-unused_clb/red/variables.tf b/terraform/ecc-aws-553-unused_clb/red/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red/variables.tf
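Review bot: `elasticloadbalancing:DescribeTags` in the `Action` list is not exercised by the fixtures recorded in this commit, which contain only `DescribeLoadBalancers` and `tag:GetResources` calls; if a live run of the policy does not call it either, drop it so the grant stays minimal. `"Resource": "*"` is expected here, since the ELB Describe* actions and `tag:GetResources` do not support resource-level restriction — JSON cannot carry that explanation, so a sentence in the rule's description or the commit message would save the next reviewer from flagging it.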
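Review bot: The red `aws_elb` sets no `internal`, so the fixture creates an internet-facing CLB with a public DNS name and an open port-80 listener that stays in the test account for as long as the fixture exists. The policy's `Instances` filter does not look at the scheme, so `internal = true` on the resource should still yield a red finding while removing the public endpoint; the same applies to the `aws_elb` in red2/clb.tf. If the intent is specifically to reproduce an internet-facing unused CLB, a one-line comment on the resource saying so would prevent the question recurring.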
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-553-unused_clb/red2/clb.tf b/terraform/ecc-aws-553-unused_clb/red2/clb.tf
new file mode 100644
index 000000000..e901ab88a
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red2/clb.tf
@@ -0,0 +1,43 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "t2.micro"
+
+ tags = {
+ Name = "553_instance_red"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+data "aws_availability_zones" "this" {
+ state = "available"
+}
+
+resource "aws_elb" "this" {
+ name = "clb-553-red2"
+ availability_zones = data.aws_availability_zones.this.names
+
+ listener {
+ instance_port = 8000
+ instance_protocol = "http"
+ lb_port = 80
+ lb_protocol = "http"
+ }
+
+ health_check {
+ healthy_threshold = 2
+ unhealthy_threshold = 2
+ timeout = 31
+ target = "HTTP:8888/"
+ interval = 60
+ }
+ instances = ["${aws_instance.this.id}"]
+}
diff --git a/terraform/ecc-aws-553-unused_clb/red2/provider.tf b/terraform/ecc-aws-553-unused_clb/red2/provider.tf
new file mode 100644
index 000000000..c6682dd9f
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red2/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-553-unused_clb"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-553-unused_clb/red2/terraform.tfvars b/terraform/ecc-aws-553-unused_clb/red2/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red2/terraform.tfvars
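Review bot: The red2 `aws_elb` registers `aws_instance.this` via `instances = ["${aws_instance.this.id}"]`, so `DescribeLoadBalancers` reports a non-empty `Instances` list for it and the policy's `Instances`/`empty` filter will not match — yet red2/provider.tf tags the fixture `ComplianceStatus = "Red"`, so it would be reported as compliant. The health check on `HTTP:8888/` with `timeout = 31` and `interval = 60` presumably leaves the instance OutOfService, which is a different condition (registered but unhealthy) that this policy does not detect and for which no placebo fixture is recorded. Either move this scenario to green, or extend the policy with an instance-health check and record a matching fixture; at minimum a comment on the `aws_elb` resource should say which case it is meant to cover.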
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-553-unused_clb/red2/variables.tf b/terraform/ecc-aws-553-unused_clb/red2/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-553-unused_clb/red2/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/tests/ecc-aws-553-unused_clb/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json b/tests/ecc-aws-553-unused_clb/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json
new file mode 100644
index 000000000..a6abab2e5
--- /dev/null
+++ b/tests/ecc-aws-553-unused_clb/placebo-green/elasticloadbalancing.DescribeLoadBalancers_1.json
@@ -0,0 +1,72 @@
+{
+ "status_code": 200,
+ "data": {
+ "LoadBalancerDescriptions": [
+ {
+ "LoadBalancerName": "clb-553-http-green",
+ "DNSName": "clb-553-http-green-1394940984.us-east-1.elb.amazonaws.com",
+ "CanonicalHostedZoneName": "clb-553-http-green-1394940984.us-east-1.elb.amazonaws.com",
+ "CanonicalHostedZoneNameID": "Z35SXDOTRQ7X7K",
+ "ListenerDescriptions": [
+ {
+ "Listener": {
+ "Protocol": "HTTP",
+ "LoadBalancerPort": 80,
+ "InstanceProtocol": "HTTP",
+ "InstancePort": 8000
+ },
+ "PolicyNames": []
+ }
+ ],
+ "Policies": {
+ "AppCookieStickinessPolicies": [],
+ "LBCookieStickinessPolicies": [],
+ "OtherPolicies": []
+ },
+ "BackendServerDescriptions": [],
+ "AvailabilityZones": [
+ "us-east-1a",
+ "us-east-1b",
+ "us-east-1c"
+ ],
+ "Subnets": [
+ "subnet-24287df2a",
+ "subnet-525874f63",
+ "subnet-815872abc7"
+ ],
+ "VPCId": "vpc-281517",
+ "Instances": [
+ {
+ "InstanceId": "i-0203f7f0abccbf67a"
+ }
+ ],
+ "HealthCheck": {
+ "Target": "TCP:8000",
+ "Interval": 30,
+ "Timeout": 5,
+ "UnhealthyThreshold": 2,
+ "HealthyThreshold": 10
+ },
+ "SourceSecurityGroup": {
+ "OwnerAlias": "123456789123",
+ "GroupName": "default_elb_fc2f8b95-5e14-38b7-80f6-2259e106c533"
+ },
+ "SecurityGroups": [
+ "sg-0146f212876718644b"
+ ],
+ "CreatedTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 9,
+ "day": 18,
+ "hour": 10,
+ "minute": 8,
+ "second": 55,
+ "microsecond": 560000
+ },
+ "Scheme": "internet-facing"
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-553-unused_clb/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-553-unused_clb/placebo-green/tagging.GetResources_1.json
new file mode 100644
index 000000000..7da375651
--- /dev/null
+++ b/tests/ecc-aws-553-unused_clb/placebo-green/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "PaginationToken": "",
+ "ResourceTagMappingList": [
+ {
+ "ResourceARN": "arn:aws:elasticloadbalancing:us-east-1:123456789123:loadbalancer/clb-553-http-green",
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-553-unused_clb"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Green"
+ }
+ ]
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-553-unused_clb/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json b/tests/ecc-aws-553-unused_clb/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json
new file mode 100644
index 000000000..babdc70f3
--- /dev/null
+++ b/tests/ecc-aws-553-unused_clb/placebo-red/elasticloadbalancing.DescribeLoadBalancers_1.json
@@ -0,0 +1,71 @@
+{
+ "status_code": 200,
+ "data": {
+ "LoadBalancerDescriptions": [
+ {
+ "LoadBalancerName": "clb-553-http-red",
+ "DNSName": "clb-553-http-red-897742492.us-east-1.elb.amazonaws.com",
+ "CanonicalHostedZoneName": "clb-553-http-red-897742492.us-east-1.elb.amazonaws.com",
+ "CanonicalHostedZoneNameID": "Z35SXDFRRQ7X7K",
+ "ListenerDescriptions": [
+ {
+ "Listener": {
+ "Protocol": "HTTP",
+ "LoadBalancerPort": 80,
+ "InstanceProtocol": "HTTP",
+ "InstancePort": 8000
+ },
+ "PolicyNames": []
+ }
+ ],
+ "Policies": {
+ "AppCookieStickinessPolicies": [],
+ "LBCookieStickinessPolicies": [],
+ "OtherPolicies": []
+ },
+ "BackendServerDescriptions": [],
+ "AvailabilityZones": [
+ "us-east-1a",
+ "us-east-1b",
+ "us-east-1c",
+ "us-east-1d",
+ "us-east-1e",
+ "us-east-1f"
+ ],
+ "Subnets": [
+ "subnet-24287df2a",
+ "subnet-525874f63",
+ "subnet-815872abc7"
+ ],
+ "VPCId": "vpc-281517",
+ "Instances": [],
+ "HealthCheck": {
+ "Target": "TCP:8000",
+ "Interval": 30,
+ "Timeout": 5,
+ "UnhealthyThreshold": 2,
+ "HealthyThreshold": 10
+ },
+ "SourceSecurityGroup": {
+ "OwnerAlias": "123456789123",
+ "GroupName": "default_elb_fc2f8b95-5e14-38b7-80f6-2259e106c533"
+ },
+ "SecurityGroups": [
+ "sg-0146f212876718644b"
+ ],
+ "CreatedTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 9,
+ "day": 18,
+ "hour": 8,
+ "minute": 32,
+ "second": 30,
+ "microsecond": 990000
+ },
+ "Scheme": "internet-facing"
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-553-unused_clb/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-553-unused_clb/placebo-red/tagging.GetResources_1.json
new file mode 100644
index 000000000..cf7717d4c
--- /dev/null
+++ b/tests/ecc-aws-553-unused_clb/placebo-red/tagging.GetResources_1.json
@@ -0,0 +1,22 @@
+{
+ "status_code": 200,
+ "data": {
+ "PaginationToken": "",
+ "ResourceTagMappingList": [
+ {
+ "ResourceARN": "arn:aws:elasticloadbalancing:us-east-1:123456789123:loadbalancer/clb-553-http-red",
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-553-unused_clb"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ]
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-553-unused_clb/red_policy_test.py b/tests/ecc-aws-553-unused_clb/red_policy_test.py
new file mode 100644
index 000000000..5c779beaa
--- /dev/null
+++ b/tests/ecc-aws-553-unused_clb/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(len(resources[0]["Instances"]), 0)
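Review bot: `test_resources` in `PolicyTest` pins only the count and the empty `Instances` list, so any single resource with no instances satisfies it; adding `base_test.assertEqual(resources[0]["LoadBalancerName"], "clb-553-http-red")` ties the assertion to the recorded fixture. The fixtures are recorded for `clb-553-http-red` and `clb-553-http-green`, whereas the Terraform in this commit creates `clb-553-red` and `clb-553-green`, so the placebo data appears not to come from the committed configuration — worth re-recording or aligning the names so the two stay traceable. `class PolicyTest(object):` can be `class PolicyTest:` under Python 3.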