diff --git a/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml b/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml
new file mode 100644
index 000000000..9d577ba52
--- /dev/null
+++ b/policies/ecc-aws-576-ec2_instance_dedicated_tenancy.yml
@@ -0,0 +1,20 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-576-ec2_instance_dedicated_tenancy
+ comment: '010006032000'
+ description: |
+ Amazon EC2 instances with dedicated tenancy
+ resource: aws.ec2
+ filters:
+ - type: value
+ key: Placement.Tenancy
+ op: in
+ value:
+ - dedicated
+ - host
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/ec2.tf b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/ec2.tf
new file mode 100644
index 000000000..bc164a218
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/ec2.tf
@@ -0,0 +1,46 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "a1.medium"
+ vpc_security_group_ids = ["${aws_security_group.this.id}"]
+ subnet_id = data.aws_subnets.this.ids[0]
+ tags = {
+ Name = "576_instance_green"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+ filter {
+ name = "architecture"
+ values = ["arm64"]
+ }
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_subnets" "this" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ }
+}
+
+resource "aws_security_group" "this" {
+ name = "576_sg_green"
+ description = "576_sg_green"
+ vpc_id = data.aws_vpc.default.id
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
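Review bot: The description `Amazon EC2 instances with dedicated tenancy` does not say whether a match is the finding, yet the filter selects exactly the `dedicated`/`host` instances and the red fixture and red_policy_test.py elsewhere in this diff treat that set as the flagged ("Red") state. Dedicated tenancy is normally a hardening or licensing requirement rather than a weakness, so a reader of the rule alone cannot tell what it is checking or why; the rationale is not visible in the diff. I'd extend the description to state the intent explicitly, along the lines of `Amazon EC2 instances launched with dedicated or host tenancy (reported for review; see rule rationale)`, substituting the real reason the rule set flags them. The value list itself is correct for both Dedicated Instances (`dedicated`) and Dedicated Hosts (`host`).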
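Review bot: The `aws_instance` resource sets no `metadata_options`, so the fixture comes up with IMDSv1 enabled (the recorded placebo-green response shows `HttpTokens: optional`) and, being placed in a default-VPC subnet, with a public IP (`PublicIpAddress` in the same recording), even though this policy only reads `Placement.Tenancy`. Because these fixtures are applied in a real account (`profile = "c7n"`), I'd harden them: add `metadata_options { http_tokens = "required" }` and `associate_public_ip_address = false` to the instance. Separately, `vpc_security_group_ids = ["${aws_security_group.this.id}"]` is pre-0.12 interpolation syntax; `[aws_security_group.this.id]` is the current form and what `terraform fmt` expects.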
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/provider.tf b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/provider.tf
new file mode 100644
index 000000000..8dff007be
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-576-ec2_instance_dedicated_tenancy"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/terraform.tfvars b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/variables.tf b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json
new file mode 100644
index 000000000..c86a0cb6b
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/iam/576-policy.json
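Review bot: `version = "~> 4"` accepts any 4.x release of `hashicorp/aws`, and no `.terraform.lock.hcl` is added in this diff, so each apply resolves to whatever 4.x is newest that day; for fixtures whose purpose is to produce deterministic placebo recordings that is a reproducibility gap, and from a supply-chain standpoint it means the provider hash is never pinned. I'd commit the lock file that `terraform init` generates, or at least narrow the constraint to the minor release these fixtures were recorded with. The red provider.tf carries the same constraint.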
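Review bot: The `default-region` description `Default region for resources will be created` is ungrammatical; `description = "Region in which the fixture resources are created"` reads cleanly. The `profile` description could likewise say what the profile must be able to do, e.g. `description = "AWS CLI profile (must be able to create EC2 instances and security groups in the default VPC)"`, so a contributor knows which credentials to configure before `apply`.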
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/ec2.tf b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/ec2.tf
new file mode 100644
index 000000000..383478930
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/ec2.tf
@@ -0,0 +1,47 @@
+resource "aws_instance" "this" {
+ ami = data.aws_ami.this.id
+ instance_type = "a1.medium"
+ vpc_security_group_ids = ["${aws_security_group.this.id}"]
+ subnet_id = data.aws_subnets.this.ids[0]
+ tenancy = "dedicated"
+ tags = {
+ Name = "576_instance_red"
+ }
+}
+
+data "aws_ami" "this" {
+ most_recent = true
+ owners = ["amazon"]
+ filter {
+ name = "architecture"
+ values = ["arm64"]
+ }
+ filter {
+ name = "name"
+ values = ["amzn2-ami-hvm*"]
+ }
+}
+
+data "aws_vpc" "default" {
+ default = true
+}
+
+data "aws_subnets" "this" {
+ filter {
+ name = "vpc-id"
+ values = [data.aws_vpc.default.id]
+ }
+}
+
+resource "aws_security_group" "this" {
+ name = "576_sg_red"
+ description = "576_sg_red"
+ vpc_id = data.aws_vpc.default.id
+
+ egress {
+ from_port = 0
+ to_port = 0
+ protocol = "-1"
+ cidr_blocks = ["0.0.0.0/0"]
+ }
+}
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/provider.tf b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/provider.tf
new file mode 100644
index 000000000..cf950fabb
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-576-ec2_instance_dedicated_tenancy"
+ ComplianceStatus = "Red"
+ }
+ }
+}
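Review bot: As in the green fixture, the red `aws_instance` has no `metadata_options`, so it runs with IMDSv1 (`HttpTokens: optional` in the placebo-red recording) and a public address in the default VPC; adding `metadata_options { http_tokens = "required" }` and `associate_public_ip_address = false` keeps a throwaway fixture from being an easy credential-theft target while it exists. `tenancy = "dedicated"` is the condition under test here (the directory and the `ComplianceStatus = "Red"` tag say so), but it also incurs the per-region dedicated-tenancy hourly fee for as long as the instance exists, which deserves a comment on that line, e.g. `# dedicated tenancy is the condition this rule detects; destroy promptly, a per-region dedicated fee applies while it runs`. `vpc_security_group_ids = ["${aws_security_group.this.id}"]` should be `[aws_security_group.this.id]`.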
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/terraform.tfvars b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/terraform.tfvars
new file mode 100644
index 000000000..e1e2d2fa8
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
diff --git a/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/variables.tf b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/variables.tf
new file mode 100644
index 000000000..c8b410c24
--- /dev/null
+++ b/terraform/ecc-aws-576-ec2_instance_dedicated_tenancy/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
diff --git a/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/placebo-green/ec2.DescribeInstances_1.json b/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/placebo-green/ec2.DescribeInstances_1.json
new file mode 100644
index 000000000..a072c91a2
--- /dev/null
+++ b/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/placebo-green/ec2.DescribeInstances_1.json
@@ -0,0 +1,199 @@ +{ + "status_code": 200, + "data": { + "Reservations": [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-0c3176eab51aef17b", + "InstanceId": "i-034819c878399dd8f", + "InstanceType": "a1.medium", + "LaunchTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 47, + "microsecond": 0 + }, + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1c", + "GroupName": "", + "Tenancy": "default" + }, + "PrivateDnsName": "ip-172-31-84-218.ec2.internal", + "PrivateIpAddress": "172.31.84.218", + "ProductCodes": [], + "PublicDnsName": "ec2-44-201-150-77.compute-1.amazonaws.com", + "PublicIpAddress": "44.201.150.77", + "State": { + "Code": 16, + "Name": "running" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-cd582ec", + "VpcId": "vpc-ad982874d0", + "Architecture": "arm64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 48, + "microsecond": 0 + }, + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-07e3cace702504c69" + } + } + ], + "ClientToken": "terraform-20230925093245651100000001", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-44-201-150-77.compute-1.amazonaws.com", + "PublicIp": "44.201.150.77" + }, + "Attachment": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 47, + "microsecond": 0 + }, + "AttachmentId": "eni-attach-0657a09b2b6b9a5a8", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "576_sg_green", + "GroupId": 
"sg-043109728735e5c8" + } + ], + "Ipv6Addresses": [], + "MacAddress": "12:e2:e0:e7:6b:d5", + "NetworkInterfaceId": "eni-0b16667b4ebec488f", + "OwnerId": "644160558196", + "PrivateDnsName": "ip-172-31-84-218.ec2.internal", + "PrivateIpAddress": "172.31.84.218", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-44-201-150-77.compute-1.amazonaws.com", + "PublicIp": "44.201.150.77" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-84-218.ec2.internal", + "PrivateIpAddress": "172.31.84.218" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-c572ec", + "VpcId": "vpc-ad975270", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "576_sg_green", + "GroupId": "sg-0427272635e5c8" + } + ], + "SourceDestCheck": true, + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Green" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-576-ec2_instance_dedicated_tenancy" + }, + { + "Key": "Name", + "Value": "576_instance_green" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "InstanceMetadataTags": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "BootMode": "uefi", + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 47, + "microsecond": 0 + }, + "PrivateDnsNameOptions": { + "HostnameType": "ip-name", + "EnableResourceNameDnsARecord": false, + "EnableResourceNameDnsAAAARecord": 
false + }, + "MaintenanceOptions": { + "AutoRecovery": "default" + }, + "CurrentInstanceBootMode": "uefi" + } + ], + "OwnerId": "644160558196", + "ReservationId": "r-0f9c5e1ad17afe4c6" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/placebo-red/ec2.DescribeInstances_1.json b/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/placebo-red/ec2.DescribeInstances_1.json new file mode 100644 index 000000000..d29091df2 --- /dev/null +++ b/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/placebo-red/ec2.DescribeInstances_1.json 
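Review bot: The recorded response keeps what appear to be real identifiers — `OwnerId` `644160558196`, public IP `44.201.150.77` with its public DNS name, MAC `12:e2:e0:e7:6b:d5`, and the instance, ENI, volume and reservation IDs — while the subnet and VPC IDs were evidently edited by hand and now disagree with each other (`subnet-cd582ec`/`vpc-ad982874d0` on the instance versus `subnet-c572ec`/`vpc-ad975270` on its network interface). The policy under test reads only `Placement.Tenancy`, so nothing is lost by replacing the account ID, public IP/DNS and MAC with obviously synthetic values and making the subnet/VPC IDs consistent; as committed, the fixture discloses account details and looks like a live-account record. If this is a disposable test account by policy, a note to that effect in the tests directory would settle the question for future reviewers.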
@@ -0,0 +1,199 @@ +{ + "status_code": 200, + "data": { + "Reservations": [ + { + "Groups": [], + "Instances": [ + { + "AmiLaunchIndex": 0, + "ImageId": "ami-0c3176eab51aef17b", + "InstanceId": "i-034819c878399dd8f", + "InstanceType": "a1.medium", + "LaunchTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 47, + "microsecond": 0 + }, + "Monitoring": { + "State": "disabled" + }, + "Placement": { + "AvailabilityZone": "us-east-1c", + "GroupName": "", + "Tenancy": "dedicated" + }, + "PrivateDnsName": "ip-172-31-84-218.ec2.internal", + "PrivateIpAddress": "172.31.84.218", + "ProductCodes": [], + "PublicDnsName": "ec2-44-201-150-77.compute-1.amazonaws.com", + "PublicIpAddress": "44.201.150.77", + "State": { + "Code": 16, + "Name": "running" + }, + "StateTransitionReason": "", + "SubnetId": "subnet-cd582ec", + "VpcId": "vpc-ad982874d0", + "Architecture": "arm64", + "BlockDeviceMappings": [ + { + "DeviceName": "/dev/xvda", + "Ebs": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 48, + "microsecond": 0 + }, + "DeleteOnTermination": true, + "Status": "attached", + "VolumeId": "vol-07e3cace702504c69" + } + } + ], + "ClientToken": "terraform-20230925093245651100000001", + "EbsOptimized": false, + "EnaSupport": true, + "Hypervisor": "xen", + "NetworkInterfaces": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-44-201-150-77.compute-1.amazonaws.com", + "PublicIp": "44.201.150.77" + }, + "Attachment": { + "AttachTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 47, + "microsecond": 0 + }, + "AttachmentId": "eni-attach-0657a09b2b6b9a5a8", + "DeleteOnTermination": true, + "DeviceIndex": 0, + "Status": "attached", + "NetworkCardIndex": 0 + }, + "Description": "", + "Groups": [ + { + "GroupName": "576_sg_red", + "GroupId": 
"sg-043109728735e5c8" + } + ], + "Ipv6Addresses": [], + "MacAddress": "12:e2:e0:e7:6b:d5", + "NetworkInterfaceId": "eni-0b16667b4ebec488f", + "OwnerId": "644160558196", + "PrivateDnsName": "ip-172-31-84-218.ec2.internal", + "PrivateIpAddress": "172.31.84.218", + "PrivateIpAddresses": [ + { + "Association": { + "IpOwnerId": "amazon", + "PublicDnsName": "ec2-44-201-150-77.compute-1.amazonaws.com", + "PublicIp": "44.201.150.77" + }, + "Primary": true, + "PrivateDnsName": "ip-172-31-84-218.ec2.internal", + "PrivateIpAddress": "172.31.84.218" + } + ], + "SourceDestCheck": true, + "Status": "in-use", + "SubnetId": "subnet-c572ec", + "VpcId": "vpc-ad975270", + "InterfaceType": "interface" + } + ], + "RootDeviceName": "/dev/xvda", + "RootDeviceType": "ebs", + "SecurityGroups": [ + { + "GroupName": "576_sg_red", + "GroupId": "sg-0427272635e5c8" + } + ], + "SourceDestCheck": true, + "Tags": [ + { + "Key": "ComplianceStatus", + "Value": "Red" + }, + { + "Key": "CustodianRule", + "Value": "ecc-aws-576-ec2_instance_dedicated_tenancy" + }, + { + "Key": "Name", + "Value": "576_instance_red" + } + ], + "VirtualizationType": "hvm", + "CpuOptions": { + "CoreCount": 1, + "ThreadsPerCore": 1 + }, + "CapacityReservationSpecification": { + "CapacityReservationPreference": "open" + }, + "HibernationOptions": { + "Configured": false + }, + "MetadataOptions": { + "State": "applied", + "HttpTokens": "optional", + "HttpPutResponseHopLimit": 1, + "HttpEndpoint": "enabled", + "HttpProtocolIpv6": "disabled", + "InstanceMetadataTags": "disabled" + }, + "EnclaveOptions": { + "Enabled": false + }, + "BootMode": "uefi", + "PlatformDetails": "Linux/UNIX", + "UsageOperation": "RunInstances", + "UsageOperationUpdateTime": { + "__class__": "datetime", + "year": 2023, + "month": 9, + "day": 25, + "hour": 9, + "minute": 32, + "second": 47, + "microsecond": 0 + }, + "PrivateDnsNameOptions": { + "HostnameType": "ip-name", + "EnableResourceNameDnsARecord": false, + "EnableResourceNameDnsAAAARecord": false + 
}, + "MaintenanceOptions": { + "AutoRecovery": "default" + }, + "CurrentInstanceBootMode": "uefi" + } + ], + "OwnerId": "644160558196", + "ReservationId": "r-0f9c5e1ad17afe4c6" + } + ], + "ResponseMetadata": {} + } +} \ No newline at end of file diff --git a/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/red_policy_test.py b/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/red_policy_test.py new file mode 100644 index 000000000..32f355759 --- /dev/null +++ b/tests/ecc-aws-576-ec2_instance_dedicated_tenancy/red_policy_test.py @@ -0,0 +1,5 @@ +class PolicyTest(object): + + def test_resources(self, base_test, resources): + base_test.assertEqual(len(resources), 1) + base_test.assertIn(resources[0]['Placement']['Tenancy'], ["dedicated", "host"])
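Review bot: `class PolicyTest(object):` carries a Python 2-era explicit base; `class PolicyTest:` is the current idiom. The second assertion mirrors the policy's value list rather than the fixture, so it does not actually verify that the recorded dedicated instance is the one selected; since placebo-red records `Tenancy: dedicated` for `i-034819c878399dd8f`, I'd pin it with `base_test.assertEqual(resources[0]['InstanceId'], 'i-034819c878399dd8f')` and `base_test.assertEqual(resources[0]['Placement']['Tenancy'], 'dedicated')`. A one-line docstring on `test_resources` stating that the red recording must yield exactly one match and the green recording none would document the contract, assuming the shared `base_test` harness also runs the green fixture — that harness is outside this diff.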