From a5b7b3c1d842e4ee37cc3075532aac69f5bae191 Mon Sep 17 00:00:00 2001 
From: Anna Shcherbak Date: Mon, 23 Sep 2024 17:53:33 +0300 Subject: [PATCH] upd: update policy 369 to be supported by open source Cloud Custodian --- ...-369-workspaces_cloudwatch_integration.yml | 14 ------- .../placebo-green/events.ListRules_1.json | 24 ------------ .../placebo-red/events.ListRules_1.json | 17 -------- .../red_policy_test.py | 6 --- ...-369-workspaces_cloudwatch_integration.yml | 39 +++++++++++++++++++ .../green/provider.tf | 2 +- .../green1/provider.tf | 2 +- .../red/provider.tf | 2 +- .../placebo-green/events.ListRules_1.json | 15 +++++++ .../iam.ListAccountAliases_1.json | 2 +- .../placebo-green/tagging.GetResources_1.json | 22 +++++++++++ .../placebo-green/tagging.GetResources_2.json | 22 +++++++++++ .../workspaces.DescribeWorkspaces_1.json | 18 +++++---- .../placebo-red/events.ListRules_1.json | 15 +++++++ .../iam.ListAccountAliases_1.json | 2 +- .../placebo-red/tagging.GetResources_1.json | 22 +++++++++++ .../placebo-red/tagging.GetResources_2.json | 22 +++++++++++ .../workspaces.DescribeWorkspaces_1.json | 18 +++++---- .../red_policy_test.py | 12 ++++++ 19 files changed, 196 insertions(+), 80 deletions(-) delete mode 100644 non-compatible/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml delete mode 100644 non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json delete mode 100644 non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json delete mode 100644 non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py create mode 100644 policies/ecc-aws-369-workspaces_cloudwatch_integration.yml create mode 100644 tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json rename {non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red => tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green}/iam.ListAccountAliases_1.json (84%) create mode 100644 
tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_2.json rename {non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red => tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green}/workspaces.DescribeWorkspaces_1.json (52%) create mode 100644 tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json rename {non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green => tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red}/iam.ListAccountAliases_1.json (84%) create mode 100644 tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_1.json create mode 100644 tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_2.json rename {non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green => tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red}/workspaces.DescribeWorkspaces_1.json (52%) create mode 100644 tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py diff --git a/non-compatible/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml b/non-compatible/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml deleted file mode 100644 index d6ccbde23..000000000 --- a/non-compatible/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml +++ /dev/null 
@@ -1,14 +0,0 @@ -# Copyright (c) 2023 EPAM Systems, Inc. -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, You can obtain one at http://mozilla.org/MPL/2.0/. - -policies: - - name: ecc-aws-369-workspaces_cloudwatch_integration - comment: '010019123100' - description: | - CloudWatch Events is not set up for successful logins to WorkSpaces - resource: account - filters: - - type: event-rule-filter diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json b/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json deleted file mode 100644 index c10f4ce9d..000000000 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "status_code": 200, - "data": { - "Rules": [ - { - "Name": "369_cloudwatch_rule_green", - "Arn": "arn:aws:events:us-east-1:644160558196:rule/369_cloudwatch_rule_green", - "EventPattern": "{\"detail-type\":[\"WorkSpaces Access\"],\"source\":[\"aws.workspaces\"]}", - "State": "ENABLED", - "EventBusName": "default" - }, - { - "Name": "AutoScalingManagedRule", - "Arn": "arn:aws:events:us-east-1:644160558196:rule/AutoScalingManagedRule", - "EventPattern": "{\"source\":[\"aws.ec2\"],\"detail-type\":[\"EC2 Instance Rebalance Recommendation\",\"EC2 Spot Instance Interruption Warning\"]}", - "State": "ENABLED", - "Description": "This rule is used to route Instance notifications to EC2 Auto Scaling", - "ManagedBy": "autoscaling.amazonaws.com", - "EventBusName": "default" - } - ], - "ResponseMetadata": {} - } -} \ No newline at end of file 
diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json b/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json deleted file mode 100644 index af24a8eee..000000000 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json +++ /dev/null @@ -1,17 +0,0 @@ -{ - "status_code": 200, - "data": { - "Rules": [ - { - "Name": "AutoScalingManagedRule", - "Arn": "arn:aws:events:us-east-1:644160558196:rule/AutoScalingManagedRule", - "EventPattern": "{\"source\":[\"aws.ec2\"],\"detail-type\":[\"EC2 Instance Rebalance Recommendation\",\"EC2 Spot Instance Interruption Warning\"]}", - "State": "ENABLED", - "Description": "This rule is used to route Instance notifications to EC2 Auto Scaling", - "ManagedBy": "autoscaling.amazonaws.com", - "EventBusName": "default" - } - ], - "ResponseMetadata": {} - } -} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py b/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py deleted file mode 100644 index fbfb5177e..000000000 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py +++ /dev/null @@ -1,6 +0,0 @@ -class PolicyTest(object): - - def test_resources_with_client(self, base_test, resources, local_session): - base_test.assertEqual(len(resources), 1) - rules = local_session.client("events").list_rules() - base_test.assertNotRegexpMatches(rules['Rules'][0]['EventPattern'], "{\\\"detail-type\\\":\[\\\"WorkSpaces Access\\\"\],\\\"source\\\":\[\\\"aws\.workspaces\\\"\]}") \ No newline at end of file diff --git a/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml b/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml new file mode 100644 index 000000000..25aff2940 --- /dev/null 
+++ b/policies/ecc-aws-369-workspaces_cloudwatch_integration.yml
@@ -0,0 +1,39 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+policies:
+ - name: ecc-aws-369-workspaces_cloudwatch_integration
+ comment: '010019123100'
+ description: |
+ CloudWatch Events is not set up for successful logins to WorkSpaces
+ resource: account
+ filters:
+ - not:
+ - type: missing
+ policy:
+ resource: workspaces
+ - type: missing
+ policy:
+ resource: aws.event-rule
+ filters:
+ - type: value
+ key: EventPattern
+ value: not-null
+ - type: value
+ key: from_json(EventPattern)."source"
+ op: in
+ value_type: swap
+ value: "aws.workspaces"
+ - or:
+ - type: value
+ key: from_json(EventPattern)."detail-type"
+ op: in
+ value_type: swap
+ value: "WorkSpaces Access"
+ - type: value
+ key: from_json(EventPattern)."detail-type"
+ value: absent
+
diff --git a/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green/provider.tf b/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green/provider.tf
index fcf5a8732..a8c125bf1 100644
--- a/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green/provider.tf
+++ b/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green/provider.tf
@@ -2,7 +2,7 @@ terraform {
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = "~> 4"
+ version = "~> 5"
 }
 }
 }
diff --git a/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green1/provider.tf b/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green1/provider.tf
index 46d5f3baf..7ec49a08e 100644
--- a/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green1/provider.tf
+++ b/terraform/ecc-aws-369-workspaces_cloudwatch_integration/green1/provider.tf
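Review bot: The `aws.event-rule` match in the new policy keys only on `EventPattern` (the `from_json(EventPattern)."source"` and `"detail-type"` value filters) and never looks at the rule's `State`, so a rule that carries the right WorkSpaces pattern but is `DISABLED` still satisfies the `missing` check and the account is reported compliant. Adding `- type: value`, `key: State`, `value: ENABLED` alongside the existing `key: EventPattern` / `value: not-null` filter closes that gap; both ListRules fixtures added in this commit already carry `"State": "ENABLED"`, so the green and red expectations would not change. Whether a matching rule with no targets should count is not visible from this hunk; if the resource exposes the rule's targets, a presence check on them would be the natural follow-up.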
@@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4" + version = "~> 5" } } } diff --git a/terraform/ecc-aws-369-workspaces_cloudwatch_integration/red/provider.tf b/terraform/ecc-aws-369-workspaces_cloudwatch_integration/red/provider.tf index 97583ac98..f21bbef5a 100644 --- a/terraform/ecc-aws-369-workspaces_cloudwatch_integration/red/provider.tf +++ b/terraform/ecc-aws-369-workspaces_cloudwatch_integration/red/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "~> 4" + version = "~> 5" } } } diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json new file mode 100644 index 000000000..bbc4da978 --- /dev/null +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/events.ListRules_1.json @@ -0,0 +1,15 @@ +{ + "status_code": 200, + "data": { + "Rules": [ + { + "Name": "369_cloudwatch_rule_green", + "Arn": "arn:aws:events:us-east-1:111111111111:rule/369_cloudwatch_rule_green", + "EventPattern": "{\"detail-type\":[\"WorkSpaces Access\"],\"source\":[\"aws.workspaces\"]}", + "State": "ENABLED", + "EventBusName": "default" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/iam.ListAccountAliases_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/iam.ListAccountAliases_1.json similarity index 84% rename from non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/iam.ListAccountAliases_1.json rename to tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/iam.ListAccountAliases_1.json index ebbf1071c..3b408e3eb 100644 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/iam.ListAccountAliases_1.json 
+++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/iam.ListAccountAliases_1.json @@ -2,7 +2,7 @@ "status_code": 200, "data": { "AccountAliases": [ - "epmcsec-lab10" + "test" ], "IsTruncated": false, "ResponseMetadata": {} diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_1.json new file mode 100644 index 000000000..d7268e05e --- /dev/null +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_1.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:workspaces:us-east-1:111111111111:workspace/ws-3zwmywlx2", + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodiaRule", + "Value": "ecc-aws-541-workspaces_cloudwatch_integration" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_2.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_2.json new file mode 100644 index 000000000..d46df1319 --- /dev/null +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/tagging.GetResources_2.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:events:us-east-1:111111111111:rule/369_cloudwatch_rule_green", + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodiaRule", + "Value": "ecc-aws-541-workspaces_cloudwatch_integration" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file 
diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/workspaces.DescribeWorkspaces_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/workspaces.DescribeWorkspaces_1.json similarity index 52% rename from non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/workspaces.DescribeWorkspaces_1.json rename to tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/workspaces.DescribeWorkspaces_1.json index cb797ba5c..1911059a6 100644 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/workspaces.DescribeWorkspaces_1.json +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/workspaces.DescribeWorkspaces_1.json @@ -3,20 +3,24 @@ "data": { "Workspaces": [ { - "WorkspaceId": "ws-2kl4hch4j", - "DirectoryId": "d-90674cc9a1", + "WorkspaceId": "ws-3zwmywlx2", + "DirectoryId": "d-9067d5a5a6", "UserName": "Administrator", - "IpAddress": "10.0.1.215", - "State": "STOPPED", + "IpAddress": "10.0.1.117", + "State": "AVAILABLE", "BundleId": "wsb-8pmj7b7pq", - "SubnetId": "subnet-014f50caf7d83d8f2", - "ComputerName": "A-346MMO8DR51LL", + "SubnetId": "subnet-066f3d1d03", + "ComputerName": "A-3IONU2C6Z2WZY", "WorkspaceProperties": { "RunningMode": "AUTO_STOP", "RunningModeAutoStopTimeoutInMinutes": 60, "RootVolumeSizeGib": 80, "UserVolumeSizeGib": 10, - "ComputeTypeName": "STANDARD" + "ComputeTypeName": "STANDARD", + "Protocols": [ + "PCOIP" + ], + "OperatingSystemName": "AMAZON_LINUX_2" }, "ModificationStates": [] } diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json new file mode 100644 index 000000000..1eed7b111 --- /dev/null +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/events.ListRules_1.json 
@@ -0,0 +1,15 @@ +{ + "status_code": 200, + "data": { + "Rules": [ + { + "Name": "369_cloudwatch_rule_red", + "Arn": "arn:aws:events:us-east-1:111111111111:rule/369_cloudwatch_rule_red", + "EventPattern": "{\"source\":[\"aws.appflow\"],\"detail-type\":[\"AppFlow Start Flow Run Report\"]}", + "State": "ENABLED", + "EventBusName": "default" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/iam.ListAccountAliases_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/iam.ListAccountAliases_1.json similarity index 84% rename from non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/iam.ListAccountAliases_1.json rename to tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/iam.ListAccountAliases_1.json index ebbf1071c..3b408e3eb 100644 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/iam.ListAccountAliases_1.json +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/iam.ListAccountAliases_1.json @@ -2,7 +2,7 @@ "status_code": 200, "data": { "AccountAliases": [ - "epmcsec-lab10" + "test" ], "IsTruncated": false, "ResponseMetadata": {} diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_1.json new file mode 100644 index 000000000..ce2fb47e6 --- /dev/null +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_1.json 
@@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:workspaces:us-east-1:111111111111:workspace/ws-3zwmywlx2", + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodiaRule", + "Value": "ecc-aws-541-workspaces_cloudwatch_integration" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_2.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_2.json new file mode 100644 index 000000000..d80b945e5 --- /dev/null +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/tagging.GetResources_2.json @@ -0,0 +1,22 @@ +{ + "status_code": 200, + "data": { + "PaginationToken": "", + "ResourceTagMappingList": [ + { + "ResourceARN": "arn:aws:events:us-east-1:111111111111:rule/369_cloudwatch_rule_red", + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodiaRule", + "Value": "ecc-aws-541-workspaces_cloudwatch_integration" + } + ] + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/workspaces.DescribeWorkspaces_1.json b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/workspaces.DescribeWorkspaces_1.json similarity index 52% rename from non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/workspaces.DescribeWorkspaces_1.json rename to tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/workspaces.DescribeWorkspaces_1.json index cb797ba5c..df18138d2 100644 --- a/non-compatible/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-green/workspaces.DescribeWorkspaces_1.json +++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/placebo-red/workspaces.DescribeWorkspaces_1.json 
@@ -3,20 +3,24 @@
 "data": {
 "Workspaces": [
 {
- "WorkspaceId": "ws-2kl4hch4j",
- "DirectoryId": "d-90674cc9a1",
+ "WorkspaceId": "ws-3zwmywlx2",
+ "DirectoryId": "d-9067d5a5a6",
 "UserName": "Administrator",
- "IpAddress": "10.0.1.215",
- "State": "STOPPED",
+ "IpAddress": "10.0.1.117",
+ "State": "AVAILABLE",
 "BundleId": "wsb-8pmj7b7pq",
- "SubnetId": "subnet-014f50caf7d83d8f2",
- "ComputerName": "A-346MMO8DR51LL",
+ "SubnetId": "subnet-0775dd66f3d1d0c93",
+ "ComputerName": "A-3IONU2C6Z2WZY",
 "WorkspaceProperties": {
 "RunningMode": "AUTO_STOP",
 "RunningModeAutoStopTimeoutInMinutes": 60,
 "RootVolumeSizeGib": 80,
 "UserVolumeSizeGib": 10,
- "ComputeTypeName": "STANDARD"
+ "ComputeTypeName": "STANDARD",
+ "Protocols": [
+ "PCOIP"
+ ],
+ "OperatingSystemName": "AMAZON_LINUX_2"
 },
 "ModificationStates": []
 }
diff --git a/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py b/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py
new file mode 100644
index 000000000..2d5f15442
--- /dev/null
+++ b/tests/ecc-aws-369-workspaces_cloudwatch_integration/red_policy_test.py
@@ -0,0 +1,12 @@
+import json
+class PolicyTest(object):
+
+ def test_resources_with_client(self, base_test, resources, local_session):
+ base_test.assertEqual(len(resources), 1)
+ rules = local_session.client("events").list_rules()
+ pattern=json.loads(rules['Rules'][0]['EventPattern'])
+ base_test.assertNotEqual(pattern["detail-type"], "WorkSpaces Access")
+ base_test.assertNotEqual(pattern["source"], "aws.workspaces")
+ workspaces=local_session.client("workspaces").describe_workspaces().get("Workspaces",[])
+ base_test.assertNotEqual(len(workspaces), 0)
+
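Review bot: The two `assertNotEqual` calls in `test_resources_with_client` compare a list with a string and so can never fail: `json.loads` of an EventBridge pattern yields lists (the red fixture in this commit has `"source":["aws.appflow"]` and `"detail-type":["AppFlow Start Flow Run Report"]`), and a list is never equal to a string, so the test would still pass against a rule whose pattern does contain `aws.workspaces` / `WorkSpaces Access`. Membership is the check that was meant: `base_test.assertNotIn("WorkSpaces Access", pattern.get("detail-type", []))` and `base_test.assertNotIn("aws.workspaces", pattern.get("source", []))`. The test also inspects only `rules['Rules'][0]`, which suits the one-rule fixture but would miss a matching rule further down the list if the fixture grows; iterating over `rules['Rules']` keeps the assertion honest. Minor style: `pattern=json.loads(...)` and `workspaces=...` lack spaces around `=`, and `import json` should be separated from the class by two blank lines.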