From 8ba71116fcda57fd07757176ce533b176bed981f Mon Sep 17 00:00:00 2001 
From: Vladyslav Yevsiukov Date: Wed, 9 Aug 2023 08:47:29 +0000 Subject: [PATCH] new: added policy ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2 --- ...volumes_are_of_type_gp3_instead_of_gp2.yml | 16 ++++++++ .../green/ebs.tf | 8 ++++ .../green/provider.tf | 20 +++++++++ .../green/terraform.tfvars | 2 + .../green/variables.tf | 9 ++++ .../iam/548-policy.json | 12 ++++++ .../red/ebs.tf | 5 +++ .../red/provider.tf | 20 +++++++++ .../red/terraform.tfvars | 2 + .../red/variables.tf | 9 ++++ .../placebo-green/ec2.DescribeVolumes_1.json | 40 ++++++++++++++++++ .../placebo-red/ec2.DescribeVolumes_1.json | 41 +++++++++++++++++++ .../red_policy_test.py | 5 +++ 13 files changed, 189 insertions(+) create mode 100644 policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/ebs.tf create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/provider.tf create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/terraform.tfvars create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/variables.tf create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/iam/548-policy.json create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/ebs.tf create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/provider.tf create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/terraform.tfvars create mode 100644 terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/variables.tf create mode 100644 tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-green/ec2.DescribeVolumes_1.json create mode 100644 tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-red/ec2.DescribeVolumes_1.json create mode 100644 
tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red_policy_test.py
diff --git a/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml b/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml
new file mode 100644
index 000000000..6af2e3342
--- /dev/null
+++ b/policies/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2.yml
@@ -0,0 +1,16 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2
+ resource: aws.ebs
+ description: |
+ EBS volumes are type of gp2 insted of gp3
+ filters:
+ - type: value
+ key: VolumeType
+ value: gp2
\ No newline at end of file
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/ebs.tf b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/ebs.tf
new file mode 100644
index 000000000..b47188db8
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/ebs.tf
@@ -0,0 +1,8 @@
+resource "aws_ebs_volume" "this" {
+ availability_zone = data.aws_availability_zones.available.names[0]
+ size = 8
+}
+
+data "aws_availability_zones" "this" {
+ state = "available"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/provider.tf b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/provider.tf
new file mode 100644
index 000000000..0c9d5001d
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/provider.tf
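Review bot: The description line `EBS volumes are type of gp2 insted of gp3` has a spelling error and inverted word order, and this string is what ends up in the finding a user reads; change it to `EBS volumes are of type gp2 instead of gp3`. The filter itself matches the intent: a `value` filter on `key: VolumeType` with `value: gp2` selects gp2 volumes and leaves the gp3 green fixture unflagged. The file is also added without a trailing newline.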
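Review bot: `availability_zone = data.aws_availability_zones.available.names[0]` refers to a data source named `available`, but the only data block in this file is `data "aws_availability_zones" "this"`, so the reference cannot resolve and validation should fail; red/ebs.tf carries the same reference and declares no data block at all. The line should read `availability_zone = data.aws_availability_zones.this.names[0]`. Separately, the green volume sets no `type`; as far as I recall the aws_ebs_volume default is gp2, which is exactly what the policy flags, so the compliant fixture should state `type = "gp3"` explicitly. The recorded fixtures look consistent with that inversion: placebo-green reports gp3 with `"Iops": 100`, while placebo-red reports gp2 together with `"Iops": 3000` and `"Throughput": 125`, values I would expect from a gp3 volume, which suggests the recordings were edited by hand rather than captured from the intended infrastructure. After fixing the terraform, re-record both placebo files so the test exercises real API output.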
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/terraform.tfvars b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/variables.tf b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/iam/548-policy.json b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/iam/548-policy.json
new file mode 100644
index 000000000..f707deebd
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/iam/548-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVolumes"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
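Review bot: The `default-region` variable description `Default region for resources will be created` is ungrammatical and is the text shown in `terraform` prompts and docs; suggest `description = "Default region in which resources will be created"`. The same wording is duplicated in red/variables.tf and should be changed there too. Both variables.tf files and the tfvars files are added without a trailing newline.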
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/ebs.tf b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/ebs.tf
new file mode 100644
index 000000000..e92bae242
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/ebs.tf
@@ -0,0 +1,5 @@
+resource "aws_ebs_volume" "this" {
+ availability_zone = data.aws_availability_zones.available.names[0]
+ size = 8
+ type = "gp3"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/provider.tf b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/provider.tf
new file mode 100644
index 000000000..411c1ca6f
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/terraform.tfvars b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/variables.tf b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red/variables.tf
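Review bot: `type = "gp3"` makes the red volume compliant with the policy, whose filter selects `VolumeType` equal to `gp2`, so the fixture that is supposed to be caught would not be; the red volume should request `type = "gp2"` explicitly rather than leaving the type to a provider default. The file also refers to `data.aws_availability_zones.available` without declaring any `aws_availability_zones` data source, so the configuration cannot validate as written; the rewrite below declares the data source and points the reference at it.
```hcl
resource "aws_ebs_volume" "this" {
  availability_zone = data.aws_availability_zones.this.names[0]
  size              = 8
  type              = "gp2"
}

data "aws_availability_zones" "this" {
  state = "available"
}
```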
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-green/ec2.DescribeVolumes_1.json b/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-green/ec2.DescribeVolumes_1.json
new file mode 100644
index 000000000..42c010c68
--- /dev/null
+++ b/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-green/ec2.DescribeVolumes_1.json
@@ -0,0 +1,40 @@
+{
+ "status_code": 200,
+ "data": {
+ "Volumes": [
+ {
+ "Attachments": [],
+ "AvailabilityZone": "us-east-1a",
+ "CreateTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 8,
+ "day": 7,
+ "hour": 10,
+ "minute": 21,
+ "second": 26,
+ "microsecond": 451000
+ },
+ "Encrypted": false,
+ "Size": 8,
+ "SnapshotId": "",
+ "State": "available",
+ "VolumeId": "vol-0fb6c7480bfce553c",
+ "Iops": 100,
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Green"
+ }
+ ],
+ "VolumeType": "gp3",
+ "MultiAttachEnabled": false
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-red/ec2.DescribeVolumes_1.json b/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-red/ec2.DescribeVolumes_1.json
new file mode 100644
index 000000000..9c7e464c3
--- /dev/null
+++ b/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/placebo-red/ec2.DescribeVolumes_1.json
@@ -0,0 +1,41 @@
+{
+ "status_code": 200,
+ "data": {
+ "Volumes": [
+ {
+ "Attachments": [],
+ "AvailabilityZone": "us-east-1a",
+ "CreateTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 8,
+ "day": 7,
+ "hour": 10,
+ "minute": 20,
+ "second": 53,
+ "microsecond": 24000
+ },
+ "Encrypted": false,
+ "Size": 8,
+ "SnapshotId": "",
+ "State": "available",
+ "VolumeId": "vol-02e08791159817fa1",
+ "Iops": 3000,
+ "Tags": [
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2"
+ },
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ }
+ ],
+ "VolumeType": "gp2",
+ "MultiAttachEnabled": false,
+ "Throughput": 125
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red_policy_test.py b/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red_policy_test.py
new file mode 100644
index 000000000..29572e3b9
--- /dev/null
+++ b/tests/ecc-aws-548-ebs_volumes_are_of_type_gp3_instead_of_gp2/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(resources[0]['VolumeType'], "gp2")
\ No newline at end of file
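Review bot: `class PolicyTest(object):` carries the Python 2 explicit `object` base, which is redundant on Python 3 and is the only thing in the file besides the test itself; write `class PolicyTest:` and give the class a one-line docstring such as `"""Red placebo run must return exactly one volume, and it must be gp2."""`. Asserting `VolumeType` is the right discriminator for this policy; additionally asserting `resources[0]['VolumeId'] == 'vol-02e08791159817fa1'` would tie the test to the specific recorded volume and catch a fixture that was edited or swapped. The file is added without a trailing newline.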