Actualize policies that check latest versions

policies/ecc-aws-040-eks_cluster_version_latest.yml

@@ -14,5 +14,9 @@ policies:
     filters:
       - type: value
         key: version
-        value: "1.29"
+        value: "1.31"
         op: lt
+      - type: value
+        key: version
+        value: "1.28"
+        op: gte

policies/ecc-aws-283-elasticsearch_latest_version.yml

@@ -9,10 +9,10 @@ policies:
   - name: ecc-aws-283-elasticsearch_latest_version
     comment: '010021052000'
     description: |
-      ElasticSearch is not using the latest OpenSearch version
+      OpenSearch is not using the latest engine version
     resource: elasticsearch
     filters:
       - not:
           - type: value
             key: ElasticsearchVersion
-            value: 'OpenSearch_2.11'
+            value: 'OpenSearch_2.15'

policies/ecc-aws-434-mq_broker_latest_version.yml

@@ -18,15 +18,15 @@ policies:
                   - type: value
                     key: EngineVersion
                     op: regex
-                    value: 3.12.*
+                    value: 3.13.*
                   - type: value
                     key: EngineType
                     value: RabbitMQ
               - and:
                   - type: value
                     key: EngineVersion
                     op: regex
-                    value: 5.17.*
+                    value: 5.18.*
                   - type: value
                     key: EngineType
                     value: ActiveMQ

policies/ecc-aws-461-lambda_latest_runtime_environment_version.yml

@@ -15,8 +15,8 @@ policies:
       - type: value
         key: PackageType
         value: Zip
-      - not:
-          - type: value
-            key: Runtime
-            op: regex
-            value: '(nodejs20.x|python3.12|java21|dotnetcore3.1|dotnet6|go1.x|ruby3.2)'
+      - type: value
+        key: Runtime
+        op: in
+        value: [nodejs18.x, python3.11, python3.10, python3.9, java17, java11, java8.al2, dotnet6, ruby3.2, provided.al2]
+

policies/ecc-aws-497-eks_cluster_oldest_supported_version.yml

@@ -9,10 +9,10 @@ policies:
   - name: ecc-aws-497-eks_cluster_oldest_supported_version
     comment: '010021072000'
     description: |
-      EKS cluster is using unsupported version
+      EKS cluster is using extended support version
     resource: aws.eks
     filters:
       - type: value
         key: version
-        value: "1.23"
+        value: "1.28"
         op: lt

policies/ecc-aws-508-mwaa_latest_version.yml

@@ -15,4 +15,4 @@ policies:
       - not:
           - type: value
             key: AirflowVersion
-            value: '2.9.2'
+            value: '2.10.1'

policies/ecc-aws-536-lambda_function_settings_check.yml

@@ -9,7 +9,7 @@ policies:
   - name: ecc-aws-536-lambda_function_settings_check
     comment: '010028030400'
     description: |
-      Lambda functions should not use no longer supported runtimes
+      Lambda functions should not use deprecated runtimes
     resource: aws.lambda
     filters:
       - type: value
@@ -19,4 +19,4 @@ policies:
           - type: value
             key: Runtime
             op: in
-            value: [dotnet8, dotnet6, java21, java17, java11, java8.al2, nodejs20.x, nodejs18.x, nodejs16.x, python3.12, python3.11, python3.10, python3.9, python3.8, ruby3.3, ruby3.2]
+            value: [nodejs20.x, nodejs18.x, python3.12, python3.11, python3.10, python3.9, java21, java17, java11, java8.al2, dotnet8, dotnet6, ruby3.3, ruby3.2, provided.al2023, provided.al2]

policies/ecc-aws-549-ec2_instance_previous_generation.yml

@@ -19,4 +19,4 @@ policies:
       - type: value
         key: InstanceType
         op: regex
-        value: '(m1|m2|m3|m4|t1|c1|c2|c3|i2|cr1|r3|r4|hs1|g2|a1|d2).[^\s]+'
+        value: '(m1|m2|m3|m4|t1|c1|c2|c3|c4|cc2|i2|cr1|r3|r4|hs1|g2|a1|d2).[^\s]+'

policies/ecc-aws-598-redshift_instance_generation.yml

@@ -15,4 +15,4 @@ policies:
       - type: value
         key: NodeType
         op: regex
-        value: '(dc1|ds2).[^\s]+'
+        value: '(dc1|ds1|ds2).[^\s]+'

terraform/ecc-aws-013-remove_weak_ciphers_for_clb/green/lb.tf

@@ -13,9 +13,14 @@ data "aws_ami" "this" {
   }
 }
 
+data "aws_availability_zones" "this" {
+  state = "available"
+}
+
 resource "aws_elb" "this" {
   name               = "elb-013-http-green"
-  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
+  security_groups = [aws_security_group.this.id]
+  availability_zones = [data.aws_availability_zones.this.names[0], data.aws_availability_zones.this.names[1]]
 
   listener {
     instance_port      = 8000
@@ -32,6 +37,26 @@ resource "aws_elb" "this" {
   connection_draining_timeout = 400
 }
 
+resource "aws_load_balancer_policy" "this" {
+  load_balancer_name = aws_elb.this.name
+  policy_name        = "policygreen"
+  policy_type_name   = "SSLNegotiationPolicyType"
+
+  policy_attribute {
+    name  = "Reference-Security-Policy"
+    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
+  }
+}
+
+resource "aws_load_balancer_listener_policy" "this" {
+  load_balancer_name = aws_elb.this.name
+  load_balancer_port = 443
+
+  policy_names = [
+    aws_load_balancer_policy.this.policy_name,
+  ]
+}
+
 resource "tls_private_key" "this" {
   algorithm = "RSA"
 }
@@ -57,23 +82,3 @@ resource "aws_acm_certificate" "this" {
   private_key      = tls_private_key.this.private_key_pem
   certificate_body = tls_self_signed_cert.this.cert_pem
 }
-
-resource "aws_load_balancer_policy" "this" {
-  load_balancer_name = aws_elb.this.name
-  policy_name        = "policygreen"
-  policy_type_name   = "SSLNegotiationPolicyType"
-
-  policy_attribute {
-    name  = "Reference-Security-Policy"
-    value = "ELBSecurityPolicy-TLS-1-2-2017-01"
-  }
-}
-
-resource "aws_load_balancer_listener_policy" "this" {
-  load_balancer_name = aws_elb.this.name
-  load_balancer_port = 443
-
-  policy_names = [
-    aws_load_balancer_policy.this.policy_name,
-  ]
-}

terraform/ecc-aws-013-remove_weak_ciphers_for_clb/green/vpc.tf

@@ -0,0 +1,12 @@
+data "aws_vpc" "default" {
+  default = true
+}
+
+resource "aws_security_group" "this" {
+  name   = "013_security_group_green"
+  vpc_id = data.aws_vpc.default.id
+
+  tags = {
+    Name = "013_security_group_green"
+  }
+}

terraform/ecc-aws-013-remove_weak_ciphers_for_clb/red/lb.tf

@@ -15,7 +15,7 @@ data "aws_ami" "this" {
 
 resource "aws_elb" "this" {
   name               = "elb-013-http-red"
-  availability_zones = ["us-east-1a", "us-east-1b", "us-east-1c"]
+  availability_zones = [data.aws_availability_zones.this.names[0], data.aws_availability_zones.this.names[1]]
 
   listener {
     instance_port      = 8000
@@ -30,6 +30,14 @@ resource "aws_elb" "this" {
   idle_timeout                = 400
   connection_draining         = true
   connection_draining_timeout = 400
+  security_groups = [aws_security_group.this.id]
+}
+
+resource "aws_load_balancer_listener_policy" "this" {
+  load_balancer_name = aws_elb.this.name
+  load_balancer_port = 443
+
+  policy_names = ["ELBSecurityPolicy-2016-08"]
 }
 
 resource "tls_private_key" "this" {

terraform/ecc-aws-013-remove_weak_ciphers_for_clb/red/vpc.tf

@@ -0,0 +1,16 @@
+data "aws_vpc" "default" {
+  default = true
+}
+
+resource "aws_security_group" "this" {
+  name   = "013_security_group_red"
+  vpc_id = data.aws_vpc.default.id
+
+  tags = {
+    Name = "013_security_group_red"
+  }
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}

terraform/ecc-aws-040-eks_cluster_version_latest/green/eks.tf

@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "040_eks_cluster_green"
   role_arn = aws_iam_role.this.arn
-  version  = "1.29"
+  version  = "1.31"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -14,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-040-cluster-green"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -49,11 +48,15 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
 }
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}

terraform/ecc-aws-040-eks_cluster_version_latest/iam/040-policy.json

@@ -1,14 +1,13 @@
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [ 
-                "eks:DescribeCluster",
-                "eks:ListClusters",
-                "ec2:DescribeVpcs"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
+	"Version": "2012-10-17",
+	"Statement": [
+		{
+			"Effect": "Allow",
+			"Action": [
+				"eks:ListClusters",
+				"eks:DescribeCluster"
+			],
+			"Resource": "*"
+		}
+	]
+}

terraform/ecc-aws-040-eks_cluster_version_latest/red/eks.tf

@@ -1,7 +1,7 @@
 resource "aws_eks_cluster" "this" {
   name     = "040_eks_cluster_red"
   role_arn = aws_iam_role.this.arn
-  version  = "1.27"
+  version  = "1.28"
 
   vpc_config {
     subnet_ids = [aws_subnet.subnet1.id, aws_subnet.subnet2.id]
@@ -14,7 +14,6 @@ resource "aws_eks_cluster" "this" {
 
 resource "aws_iam_role" "this" {
   name = "eks-cluster-040-red"
-
   assume_role_policy = <<POLICY
 {
   "Version": "2012-10-17",
@@ -49,12 +48,16 @@ resource "aws_vpc" "this" {
 resource "aws_subnet" "subnet1" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.1.0/24"
-  availability_zone = "us-east-1a"
+  availability_zone = data.aws_availability_zones.this.names[0]
 }
 
 resource "aws_subnet" "subnet2" {
   vpc_id            = aws_vpc.this.id
   cidr_block        = "10.0.2.0/24"
-  availability_zone = "us-east-1b"
+  availability_zone = data.aws_availability_zones.this.names[1]
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
 }
 

terraform/ecc-aws-283-elasticsearch_latest_version/green/elasticsearch.tf

@@ -1,6 +1,8 @@
+# takes about 20 min to deploy
+
 resource "aws_elasticsearch_domain" "this" {
   domain_name           = "elasticsearch-283-green"
-  elasticsearch_version = "OpenSearch_2.11"
+  elasticsearch_version = "OpenSearch_2.15"
 
   ebs_options {
     ebs_enabled = true

terraform/ecc-aws-283-elasticsearch_latest_version/red/elasticsearch.tf

@@ -1,3 +1,5 @@
+# takes about 20 min to deploy
+
 resource "aws_elasticsearch_domain" "this" {
   domain_name           = "elasticsearch-283-red"
   elasticsearch_version = "7.4"

terraform/ecc-aws-434-mq_broker_latest_version/green/mq.tf

@@ -1,8 +1,11 @@
+# takes about 10 min to deploy
+
 resource "aws_mq_broker" "this" {
   broker_name = "mq-broker-active-434-green"
   engine_type                = "ActiveMQ"
-  engine_version             = "5.17.6"
+  engine_version             = "5.18"
   host_instance_type         = "mq.t2.micro"
+  auto_minor_version_upgrade = true
 
   user {
     username = "root"
@@ -13,9 +16,10 @@ resource "aws_mq_broker" "this" {
 resource "aws_mq_broker" "this1" {
   broker_name = "mq-broker-rabbit-434-green"
   engine_type                = "RabbitMQ"
-  engine_version             = "3.12.13"
+  engine_version             = "3.13"
   host_instance_type         = "mq.t3.micro"
   publicly_accessible        = true
+  auto_minor_version_upgrade = true
   user {
     username = "root"
     password = random_password.this.result

terraform/ecc-aws-434-mq_broker_latest_version/red/mq.tf

@@ -1,7 +1,9 @@
+# takes about 10 min to deploy
+
 resource "aws_mq_broker" "this" {
   broker_name                = "mq-broker-active-434-red"
   engine_type                = "ActiveMQ"
-  engine_version             = "5.15.9"
+  engine_version             = "5.17.6"
   host_instance_type         = "mq.t2.micro"
 
   user {
@@ -13,7 +15,7 @@ resource "aws_mq_broker" "this" {
 resource "aws_mq_broker" "this1" {
   broker_name                = "mq-broker-rabbit-434-red"
   engine_type                = "RabbitMQ"
-  engine_version             = "3.8.30"
+  engine_version             = "3.11.28"
   host_instance_type         = "mq.t3.micro"
   publicly_accessible        = true
   user {