-
Notifications
You must be signed in to change notification settings - Fork 56
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Create new stack name rule. * remove unused import * review comments * lint error * add new db encryption rule * remove changes from other pr * Update lint-and-test.yml (#247) * Update lint-and-test.yml * Update pyyaml dependency * Update README.md (#246) * Update README.md * Add license badge * rebase * rebase onto master * rebase * make lint * remove duplicate test * update changelog * add comment as for stack name rule * make format * rule not invoked for aurora * make templates valid cloud formations (except for aurora one) * make templates valid cloud formations * Update tests/rules/test_StorageEncryptedRule.py Co-authored-by: Ignacio Bolonio <[email protected]> * add aurora comment --------- Co-authored-by: Jordi Soucheiron <[email protected]> Co-authored-by: Ignacio Bolonio <[email protected]>
- Loading branch information
3 people
authored
Nov 16, 2023
1 parent
66d15bf
commit d7848ba
Showing
9 changed files
with
236 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,40 @@ | ||
| from typing import Dict, Optional | ||
|
|
||
| from pycfmodel.model.cf_model import CFModel | ||
|
|
||
| from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk | ||
| from cfripper.model.result import Result | ||
| from cfripper.rules.base_rules import Rule | ||
|
|
||
|
|
||
| class StorageEncryptedRule(Rule): | ||
| RULE_MODE = RuleMode.DEBUG # for demonstration purposes | ||
| RISK_VALUE = RuleRisk.LOW | ||
| REASON = ( | ||
| "The database {} does not seem to be encrypted. Database resources should be encrypted and have the property " | ||
| "StorageEncrypted set to True." | ||
| ) | ||
| GRANULARITY = RuleGranularity.RESOURCE | ||
|
|
||
| def invoke(self, cfmodel: CFModel, extras: Optional[Dict] = None) -> Result: | ||
| result = Result() | ||
|
|
||
| for resource in cfmodel.Resources.values(): | ||
| is_encrypted = getattr(resource.Properties, "StorageEncrypted", False) | ||
| db_name = getattr(resource.Properties, "DBName", "(could not get DB name)") | ||
| if ( | ||
| resource.Type == "AWS::RDS::DBInstance" | ||
| and not is_encrypted | ||
| and not getattr(resource.Properties, "Engine", "").startswith( | ||
| "aurora" | ||
| ) # not applicable for aurora since the encryption for DB instances is managed by the DB cluster | ||
| ): | ||
|
|
||
| self.add_failure_to_result( | ||
| result, | ||
| self.REASON.format(db_name), | ||
| context={"config": self._config, "extras": extras}, | ||
| resource_types={resource.Type}, | ||
| ) | ||
|
|
||
| return result |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| import pytest | ||
|
|
||
| from cfripper.model.enums import RuleGranularity, RuleMode, RuleRisk | ||
| from cfripper.model.result import Failure | ||
| from cfripper.rules.storage_encrypted_rule import StorageEncryptedRule | ||
| from tests.utils import get_cfmodel_from | ||
|
|
||
|
|
||
| def test_storage_encrypted_rule_valid_results(): | ||
| rule = StorageEncryptedRule(None) | ||
| model = get_cfmodel_from("rules/StorageEncryptedRule/encrypted_db_resource.yml") | ||
| resolved_model = model.resolve() | ||
| result = rule.invoke(resolved_model) | ||
|
|
||
| assert result.valid | ||
| assert result.failures == [] | ||
|
|
||
|
|
||
| def test_rule_not_failing_for_aurora(): | ||
| rule = StorageEncryptedRule(None) | ||
| model = get_cfmodel_from("rules/StorageEncryptedRule/aurora_engine_used.yml") | ||
| resolved_model = model.resolve() | ||
| result = rule.invoke(resolved_model) | ||
|
|
||
| assert result.valid | ||
| assert result.failures == [] | ||
|
|
||
|
|
||
| @pytest.mark.parametrize( | ||
| "template, failures", | ||
| [ | ||
| ( | ||
| "rules/StorageEncryptedRule/missing_storage_encrypted_flag.yml", | ||
| [ | ||
| Failure( | ||
| granularity=RuleGranularity.RESOURCE, | ||
| reason="The database some-name does not seem to be encrypted. Database resources should be " | ||
| "encrypted and have the property StorageEncrypted set to True.", | ||
| risk_value=RuleRisk.LOW, | ||
| rule="StorageEncryptedRule", | ||
| rule_mode=RuleMode.DEBUG, | ||
| actions=None, | ||
| resource_ids=None, | ||
| resource_types={"AWS::RDS::DBInstance"}, | ||
| ) | ||
| ], | ||
| ), | ||
| ( | ||
| "rules/StorageEncryptedRule/two_resources_not_encrypted.yml", | ||
| [ | ||
| Failure( | ||
| granularity=RuleGranularity.RESOURCE, | ||
| reason="The database some-name does not seem to be encrypted. Database resources should be " | ||
| "encrypted and have the property StorageEncrypted set to True.", | ||
| risk_value=RuleRisk.LOW, | ||
| rule="StorageEncryptedRule", | ||
| rule_mode=RuleMode.DEBUG, | ||
| actions=None, | ||
| resource_ids=None, | ||
| resource_types={"AWS::RDS::DBInstance"}, | ||
| ), | ||
| Failure( | ||
| granularity=RuleGranularity.RESOURCE, | ||
| reason="The database some-name-backup does not seem to be encrypted. Database resources should be " | ||
| "encrypted and have the property StorageEncrypted set to True.", | ||
| risk_value=RuleRisk.LOW, | ||
| rule="StorageEncryptedRule", | ||
| rule_mode=RuleMode.DEBUG, | ||
| actions=None, | ||
| resource_ids=None, | ||
| resource_types={"AWS::RDS::DBInstance"}, | ||
| ), | ||
| ], | ||
| ), | ||
| ( | ||
| "rules/StorageEncryptedRule/no_db_resource.yml", | ||
| [], | ||
| ), | ||
| ], | ||
| ) | ||
| def test_add_failure_if_db_resource_not_encrypted(template, failures): | ||
| rule = StorageEncryptedRule(None) | ||
| model = get_cfmodel_from(template) | ||
| resolved_model = model.resolve() | ||
| result = rule.invoke(resolved_model) | ||
|
|
||
| assert result.valid | ||
| assert result.failures == failures |
15 changes: 15 additions & 0 deletions
15
tests/test_templates/rules/StorageEncryptedRule/aurora_engine_used.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,15 @@ | ||
| Resources: | ||
| DBMaster: | ||
| Type: AWS::RDS::DBInstance | ||
| Properties: | ||
| AllowMajorVersionUpgrade: false | ||
| AutoMinorVersionUpgrade: true | ||
| DBInstanceIdentifier: !Sub ${AWS::StackName}-master | ||
| DBName: "some-name" | ||
| Engine: aurora-postgresql | ||
| EngineVersion: "13.2" | ||
| KmsKeyId: "some-kms-key" | ||
| MultiAZ: true | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub ${AWS::StackName}-master |
18 changes: 18 additions & 0 deletions
18
tests/test_templates/rules/StorageEncryptedRule/encrypted_db_resource.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| Resources: | ||
| DBMaster: | ||
| Type: AWS::RDS::DBInstance | ||
| Properties: | ||
| AllocatedStorage: "100" | ||
| AllowMajorVersionUpgrade: false | ||
| AutoMinorVersionUpgrade: true | ||
| BackupRetentionPeriod: 14 | ||
| DBInstanceIdentifier: !Sub ${AWS::StackName}-master | ||
| DBName: "some-name" | ||
| Engine: mysql | ||
| EngineVersion: "13.2" | ||
| KmsKeyId: "some-kms-key" | ||
| MultiAZ: true | ||
| StorageEncrypted: true | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub ${AWS::StackName}-master |
17 changes: 17 additions & 0 deletions
17
tests/test_templates/rules/StorageEncryptedRule/missing_storage_encrypted_flag.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,17 @@ | ||
| Resources: | ||
| DBMaster: | ||
| Type: AWS::RDS::DBInstance | ||
| Properties: | ||
| AllocatedStorage: "100" | ||
| AllowMajorVersionUpgrade: false | ||
| AutoMinorVersionUpgrade: true | ||
| BackupRetentionPeriod: 14 | ||
| DBInstanceIdentifier: !Sub ${AWS::StackName}-master | ||
| DBName: "some-name" | ||
| Engine: mysql | ||
| EngineVersion: "13.2" | ||
| KmsKeyId: "some-kms-key" | ||
| MultiAZ: true | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub ${AWS::StackName}-master |
16 changes: 16 additions & 0 deletions
16
tests/test_templates/rules/StorageEncryptedRule/no_db_resource.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| Resources: | ||
| SomeResource: | ||
| Type: AWS::RDS::DBCluster | ||
| Properties: | ||
| AllocatedStorage: "100" | ||
| AutoMinorVersionUpgrade: true | ||
| BackupRetentionPeriod: 14 | ||
| DBClusterIdentifier: !Sub ${AWS::StackName}-master | ||
| DatabaseName: "some-name" | ||
| Engine: mysql | ||
| EngineVersion: "13.2" | ||
| KmsKeyId: "some-kms-key" | ||
| StorageEncrypted: false | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub ${AWS::StackName}-master |
35 changes: 35 additions & 0 deletions
35
tests/test_templates/rules/StorageEncryptedRule/two_resources_not_encrypted.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| Resources: | ||
| DBMaster: | ||
| Type: AWS::RDS::DBInstance | ||
| Properties: | ||
| AllocatedStorage: "100" | ||
| AllowMajorVersionUpgrade: false | ||
| AutoMinorVersionUpgrade: true | ||
| BackupRetentionPeriod: 14 | ||
| DBInstanceIdentifier: !Sub ${AWS::StackName}-master | ||
| DBName: "some-name" | ||
| Engine: mysql | ||
| EngineVersion: "13.2" | ||
| KmsKeyId: "some-kms-key" | ||
| MultiAZ: true | ||
| StorageEncrypted: false | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub ${AWS::StackName}-master | ||
| DBBackup: | ||
| Type: AWS::RDS::DBInstance | ||
| Properties: | ||
| AllocatedStorage: "100" | ||
| AllowMajorVersionUpgrade: true | ||
| AutoMinorVersionUpgrade: false | ||
| BackupRetentionPeriod: 7 | ||
| DBInstanceIdentifier: !Sub ${AWS::StackName}-backup | ||
| DBName: "some-name-backup" | ||
| Engine: mysql | ||
| EngineVersion: "13.2" | ||
| KmsKeyId: "some-kms-key" | ||
| MultiAZ: true | ||
| StorageEncrypted: false | ||
| Tags: | ||
| - Key: Name | ||
| Value: !Sub ${AWS::StackName}-backup |