new: added policy ecc-aws-1005-ebs_volumes_too_old_snapshots

anna-shcherbak · Aug 21, 2023 · 4d48faf · 4d48faf
1 parent fc3909d
commit 4d48faf
Show file tree

Hide file tree

Showing 18 changed files with 259 additions and 0 deletions.
diff --git a/policies/ecc-aws-1005-ebs_volumes_too_old_snapshots.yml b/policies/ecc-aws-1005-ebs_volumes_too_old_snapshots.yml
@@ -0,0 +1,23 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+  - name: ecc-aws-1005-ebs_volumes_too_old_snapshots
+    description: |
+      EBS Snapshots older than 30 days
+    resource: aws.ebs-snapshot
+    filters:
+      - type: age
+        days: 30
+        op: ge
+      - type: value
+        key: State
+        value: completed
+      - type: unused
+        value: true
+      - type: skip-ami-snapshots
+        value: true
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/ebs.tf b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/ebs.tf
@@ -0,0 +1,12 @@
+resource "aws_ebs_volume" "this" {
+  availability_zone = var.default-az
+  size              = 8
+
+  tags = {
+    Name = "1005_ebs_volume_Green"
+  }
+}
+
+resource "aws_ebs_snapshot" "this" {
+  volume_id = aws_ebs_volume.this.id
+}
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/provider.tf b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws"{
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-1005-ebs_volumes_too_old_snapshots"
+      ComplianceStatus = "Green"
+    }
+  }
+}
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/terraform.tfvars b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/terraform.tfvars
@@ -0,0 +1,3 @@
+profile        = "c7n"
+default-region = "us-east-1"
+default-az     = "us-east-1a"
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/variables.tf b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/green/variables.tf
@@ -0,0 +1,14 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}
+
+variable "default-az" {
+  type        = string
+  description = "Default availability zone for resources"
+}
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/iam/1005-policy.json b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/iam/1005-policy.json
@@ -0,0 +1,15 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "Stmt1684842287073",
+            "Action": [
+                "ec2:DescribeSnapshots",
+                "ec2:DescribeImages",
+                "autoscaling:DescribeAutoScalingGroups"
+            ],
+            "Effect": "Allow",
+            "Resource": "*"
+        }
+    ]
+}
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/ebs.tf b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/ebs.tf
@@ -0,0 +1,12 @@
+resource "aws_ebs_volume" "this" {
+  availability_zone = var.default-az
+  size              = 8
+
+  tags = {
+    Name = "1005_ebs_volume_Green"
+  }
+}
+
+resource "aws_ebs_snapshot" "this" {
+  volume_id = aws_ebs_volume.this.id
+}
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/provider.tf b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+  required_providers {
+    aws = {
+      source  = "hashicorp/aws"
+      version = "~> 4"
+    }
+  }
+}
+
+provider "aws"{
+  profile = var.profile
+  region  = var.default-region
+
+  default_tags {
+    tags = {
+      CustodianRule    = "ecc-aws-1005-ebs_volumes_too_old_snapshots"
+      ComplianceStatus = "Red"
+    }
+  }
+}
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/terraform.tfvars b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/terraform.tfvars
@@ -0,0 +1,3 @@
+profile        = "c7n"
+default-region = "us-east-1"
+default-az     = "us-east-1a"
diff --git a/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/variables.tf b/terraform/epam-aws-1005-ebs_volumes_too_old_snapshots/red/variables.tf
@@ -0,0 +1,14 @@
+variable "default-region" {
+  type        = string
+  description = "Default region for resources will be created"
+}
+
+variable "profile" {
+  type        = string
+  description = "Profile name configured before running apply"
+}
+
+variable "default-az" {
+  type        = string
+  description = "Default availability zone for resources"
+}
diff --git a/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/green_policy_test.py b/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/green_policy_test.py
@@ -0,0 +1,7 @@
+class PolicyTest(object):
+
+    def test_resources(self, base_test, resources):
+        base_test.assertEqual(len(resources), 0)
+
+    def mock_time(self):
+        return 2023, 7, 21
diff --git a/...-ebs_volumes_too_old_snapshots/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json b/...-ebs_volumes_too_old_snapshots/placebo-green/autoscaling.DescribeAutoScalingGroups_1.json
@@ -0,0 +1,7 @@
+{
+    "status_code": 200,
+    "data": {
+        "AutoScalingGroups": [],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-green/ec2.DescribeImages_1.json b/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-green/ec2.DescribeImages_1.json
@@ -0,0 +1,7 @@
+{
+    "status_code": 200,
+    "data": {
+        "Images": [],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-green/ec2.DescribeSnapshots_1.json b/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-green/ec2.DescribeSnapshots_1.json
@@ -0,0 +1,39 @@
+{
+    "status_code": 200,
+    "data": {
+        "Snapshots": [
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "111111111111",
+                "Progress": "100%",
+                "SnapshotId": "snap-017930ee30036ecd6",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 7,
+                    "day": 21,
+                    "hour": 13,
+                    "minute": 28,
+                    "second": 11,
+                    "microsecond": 792000
+                },
+                "State": "completed",
+                "VolumeId": "vol-086820785f5facb7b",
+                "VolumeSize": 8,
+                "Tags": [
+                    {
+                        "Key": "ComplianceStatus",
+                        "Value": "Green"
+                    },
+                    {
+                        "Key": "CustodianRule",
+                        "Value": "ecc-aws-1005-ebs_volumes_too_old_snapshots"
+                    }
+                ],
+                "StorageTier": "standard"
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/...05-ebs_volumes_too_old_snapshots/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json b/...05-ebs_volumes_too_old_snapshots/placebo-red/autoscaling.DescribeAutoScalingGroups_1.json
@@ -0,0 +1,7 @@
+{
+    "status_code": 200,
+    "data": {
+        "AutoScalingGroups": [],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-red/ec2.DescribeImages_1.json b/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-red/ec2.DescribeImages_1.json
@@ -0,0 +1,7 @@
+{
+    "status_code": 200,
+    "data": {
+        "Images": [],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-red/ec2.DescribeSnapshots_1.json b/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/placebo-red/ec2.DescribeSnapshots_1.json
@@ -0,0 +1,39 @@
+{
+    "status_code": 200,
+    "data": {
+        "Snapshots": [
+            {
+                "Description": "",
+                "Encrypted": false,
+                "OwnerId": "111111111111",
+                "Progress": "100%",
+                "SnapshotId": "snap-022dc2a681fa8a1d1",
+                "StartTime": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 5,
+                    "day": 21,
+                    "hour": 13,
+                    "minute": 27,
+                    "second": 14,
+                    "microsecond": 480000
+                },
+                "State": "completed",
+                "VolumeId": "vol-0590bbd50c29f927f",
+                "VolumeSize": 8,
+                "Tags": [
+                    {
+                        "Key": "ComplianceStatus",
+                        "Value": "Red"
+                    },
+                    {
+                        "Key": "CustodianRule",
+                        "Value": "ecc-aws-1005-ebs_volumes_too_old_snapshots"
+                    }
+                ],
+                "StorageTier": "standard"
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}
diff --git a/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/red_policy_test.py b/tests/ecc-aws-1005-ebs_volumes_too_old_snapshots/red_policy_test.py
@@ -0,0 +1,10 @@
+from datetime import datetime, timedelta
+
+class PolicyTest(object):
+
+    def test_resources(self, base_test, resources):
+        base_test.assertEqual(len(resources), 1)
+        LastAccessedDate=datetime.fromisoformat(str(resources[0]['StartTime']))
+        time_now= datetime.fromisoformat('2023-07-21 13:27:14.283+00:00')
+        datatime30ago=time_now-timedelta(days=30)
+        base_test.assertFalse(LastAccessedDate>datatime30ago)