new: added policy ecc-aws-576-ec2_instance_dedicated_tenancy

Author: anna-shcherbak

policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml

@@ -0,0 +1,20 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-576-ec2_instance_dedicated_tenancy
+    comment: '010006032000'
+    description: |
+      Amazon EC2 instances with dedicated tenancy
+    resource: aws.ec2
+    filters:
+      - type: value
+        key: Placement.Tenancy
+        op: in
+        value:
+          - dedicated 
+          - host

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/ec2.tf

@@ -0,0 +1,46 @@
+resource "aws_instance" "this" {
+  ami                    = data.aws_ami.this.id
+  instance_type          = "a1.medium"
+  vpc_security_group_ids = ["${aws_security_group.this.id}"]
+  subnet_id              = data.aws_subnets.this.ids[0]
+  tags = {
+    Name = "576_instance_green"
+  }
+}
+
+data "aws_ami" "this" {
+  most_recent = true
+  owners      = ["amazon"]
+  filter {
+    name   = "architecture"
+    values = ["arm64"]
+  }
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm*"]
+  }
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnets" "this" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+}
+
+resource "aws_security_group" "this" {
+  name        = "576_sg_green"
+  description = "576_sg_green"
+  vpc_id      = data.aws_vpc.default.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-576-ec2_instance_dedicated_tenancy"
+      ComplianceStatus = "Green"
+    }
+  }
+}

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json

@@ -0,0 +1,12 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeInstances"
+            ],
+            "Resource": "*"
+        }
+    ]
+}

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/ec2.tf

@@ -0,0 +1,47 @@
+resource "aws_instance" "this" {
+  ami                    = data.aws_ami.this.id
+  instance_type          = "a1.medium"
+  vpc_security_group_ids = ["${aws_security_group.this.id}"]
+  subnet_id              = data.aws_subnets.this.ids[0]
+  tenancy                = "dedicated"
+  tags = {
+    Name = "576_instance_red"
+  }
+}
+
+data "aws_ami" "this" {
+  most_recent = true
+  owners      = ["amazon"]
+  filter {
+    name   = "architecture"
+    values = ["arm64"]
+  }
+  filter {
+    name   = "name"
+    values = ["amzn2-ami-hvm*"]
+  }
+}
+
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_subnets" "this" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+}
+
+resource "aws_security_group" "this" {
+  name        = "576_sg_red"
+  description = "576_sg_red"
+  vpc_id      = data.aws_vpc.default.id
+
+  egress {
+    from_port   = 0
+    to_port     = 0
+    protocol    = "-1"
+    cidr_blocks = ["0.0.0.0/0"]
+  }
+}

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws" {
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-576-ec2_instance_dedicated_tenancy"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"

terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/variables.tf

@@ -0,0 +1,9 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}