upd: update policies 040, 497

Policy 040 was updated to check the latest EKS version.
Policy 497 was updated to check extended support EKS versions.

Author: anna-shcherbak

policies/ecc-aws-040-eks_cluster_version_latest.yml

@@ -14,5 +14,9 @@ policies:
     filters:
       - type: value
         key: version
-        value: "1.29"
+        value: "1.31"
         op: lt
+      - type: value
+        key: version
+        value: "1.28"
+        op: gte

policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml

@@ -9,10 +9,10 @@ policies:
   - name: ecc-aws-497-eks_cluster_oldest_supported_version
     comment: '010021072000'
     description: |
-      EKS cluster is using unsupported version
+      EKS cluster is using extended support version
     resource: aws.eks
     filters:
       - type: value
         key: version
-        value: "1.23"
+        value: "1.28"
         op: lt

terraform/ecc-aws-040-eks_cluster_version_latest/green/eks.tf

@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "040_eks_cluster_green"
   role_arn = aws_iam_role.this.arn
-  version  = "1.29"
+  version  = "1.31"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -14,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-040-cluster-green"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -49,11 +48,15 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
 }
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}

terraform/ecc-aws-040-eks_cluster_version_latest/iam/040-policy.json

@@ -1,14 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "eks:DescribeCluster",
-                "eks:ListClusters",
-                "ec2:DescribeVpcs"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"eks:ListClusters",
+				"eks:DescribeCluster"
+			],
+			"Resource": "*"
+		}
+	]
+}

terraform/ecc-aws-040-eks_cluster_version_latest/red/eks.tf

@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "040_eks_cluster_red"
   role_arn = aws_iam_role.this.arn
-  version  = "1.27"
+  version  = "1.28"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -14,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-cluster-040-red"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -49,12 +48,16 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }
 

terraform/ecc-aws-497-eks_cluster_oldest_supported_version/green/eks.tf

@@ -1,6 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "497_eks_cluster_green"
   role_arn = aws_iam_role.this.arn
+  version  = "1.30"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -13,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-497-cluster-green"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -48,11 +48,15 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }

terraform/ecc-aws-497-eks_cluster_oldest_supported_version/green/provider.tf

@@ -2,7 +2,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4"
+      version = "~> 5"
     }
   }
 }

terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/eks.tf

@@ -0,0 +1,62 @@
+resource "aws_eks_cluster" "this" {
+  name     = "497_eks_cluster_red"
+  role_arn = aws_iam_role.this.arn
+  version  = "1.27"
+
+  vpc_config {
+    subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
+  }
+  depends_on = [
+    aws_iam_role_policy_attachment.Cluster_Policy,
+    aws_iam_role_policy_attachment.Service_Policy,
+  ]
+}
+
+resource "aws_iam_role" "this" {
+  name = "eks-497-cluster-red"
+  assume_role_policy = <<POLICY
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "eks.amazonaws.com"
+      },
+      "Action": "sts:AssumeRole"
+    }
+  ]
+}
+POLICY
+}
+
+resource "aws_iam_role_policy_attachment" "Cluster_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
+  role       = aws_iam_role.this.name
+}
+
+resource "aws_iam_role_policy_attachment" "Service_Policy" {
+  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
+  role       = aws_iam_role.this.name
+}
+
+resource "aws_vpc" "this" {
+  cidr_block           = "10.0.0.0/16"
+  enable_dns_hostnames = true
+}
+
+resource "aws_subnet" "subnet1" {
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = "10.0.1.0/24"
+  availability_zone = data.aws_availability_zones.this.names[0]
+}
+
+resource "aws_subnet" "subnet2" {
+  vpc_id            = aws_vpc.this.id
+  cidr_block        = "10.0.2.0/24"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}

terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/provider.tf

@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 5"
+    }
+  }
+}
+
+provider "aws"{
+  profile = var.profile
+  region  = var.default-region
+  
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-497-eks_cluster_oldest_supported_version"
+      ComplianceStatus = "Red"
+    }
+  }
+}

terraform/ecc-aws-497-eks_cluster_oldest_supported_version/red/terraform.tfvars

@@ -0,0 +1,2 @@
+profile        = "c7n"
+default-region = "us-east-1"