diff --git a/policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml b/policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml
new file mode 100644
index 000000000..ce8b421f6
--- /dev/null
+++ b/policies/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1.yml
@@ -0,0 +1,18 @@
+# Copyright (c) 2023 EPAM Systems, Inc.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+
+policies:
+ - name: ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1
+ comment: '010007042000'
+ description: |
+ EBS volumes are type of io1 or io2 instead of gp3
+ resource: aws.ebs
+ filters:
+ - type: value
+ key: VolumeType
+ op: regex
+ value: '(io1|io2)'
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf
new file mode 100644
index 000000000..a5d709514
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/ebs.tf
@@ -0,0 +1,12 @@
+resource "aws_ebs_volume" "this" {
+ availability_zone = data.aws_availability_zones.this.names[0]
+ size = 8
+ type = "gp3"
+ tags = {
+ Name = "570-ebs_volume-green"
+ }
+}
+
+data "aws_availability_zones" "this" {
+ state = "available"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf
new file mode 100644
index 000000000..8a5de251e
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/provider.tf
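Review bot: The filter on `VolumeType` reaches for `op: regex` with `value: '(io1|io2)'` where a plain set membership says the same thing more directly: `op: in` with `value: [io1, io2]`. Custodian's regex operator is, as far as I recall, a case-insensitive `re.match` that is not anchored at the end, so the alternation works only because the API returns a closed set of volume-type strings; `in` does not depend on that. The description also reads awkwardly, `EBS volumes are type of io1 or io2 instead of gp3`; `EBS volumes are of type io1 or io2 instead of gp3` matches the rule name's phrasing. Since the rule name mentions only io1 while the filter also flags io2, a sentence in the description saying io2 is covered too would keep report readers from being surprised.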
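Review bot: The `aws_ebs_volume` resource does not set `encrypted = true`, here and in red/ebs.tf, and the recorded placebo responses show `"Encrypted": false` for both fixtures. Encryption is orthogonal to the `VolumeType` check this rule exercises, so enabling it costs the test nothing and keeps these fixtures from lighting up unrelated encryption rules if they are deployed alongside other rules' fixtures; `encrypted = true` after the `type` line in both files would do it. I am inferring the shared-account setup from the common `profile = "c7n"` tfvars, so treat that part as a suggestion.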
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1"
+ ComplianceStatus = "Green"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/green/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json
new file mode 100644
index 000000000..f707deebd
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/iam/570-policy.json
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeVolumes"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
\ No newline at end of file
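Review bot: The `default-region` variable's description, `Default region for resources will be created`, is missing its relative clause; `description = "Default region in which resources will be created"` reads correctly. The same string appears in red/variables.tf.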
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf
new file mode 100644
index 000000000..7115338df
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/ebs.tf
@@ -0,0 +1,13 @@
+resource "aws_ebs_volume" "this" {
+ availability_zone = data.aws_availability_zones.this.names[0]
+ size = 8
+ type = "io1"
+ iops = 100
+ tags = {
+ Name = "570-ebs_volume-red"
+ }
+}
+
+data "aws_availability_zones" "this" {
+ state = "available"
+}
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf
new file mode 100644
index 000000000..67178a6d4
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/provider.tf
@@ -0,0 +1,20 @@
+terraform {
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = "~> 4"
+ }
+ }
+}
+
+provider "aws" {
+ profile = var.profile
+ region = var.default-region
+
+ default_tags {
+ tags = {
+ CustodianRule = "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1"
+ ComplianceStatus = "Red"
+ }
+ }
+}
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars
new file mode 100644
index 000000000..368bc468f
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/terraform.tfvars
@@ -0,0 +1,2 @@
+profile = "c7n"
+default-region = "us-east-1"
\ No newline at end of file
diff --git a/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf
new file mode 100644
index 000000000..948c49afd
--- /dev/null
+++ b/terraform/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red/variables.tf
@@ -0,0 +1,9 @@
+variable "default-region" {
+ type = string
+ description = "Default region for resources will be created"
+}
+
+variable "profile" {
+ type = string
+ description = "Profile name configured before running apply"
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json
new file mode 100644
index 000000000..c3f0ad344
--- /dev/null
+++ b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-green/ec2.DescribeVolumes_1.json
@@ -0,0 +1,41 @@
+{
+ "status_code": 200,
+ "data": {
+ "Volumes": [
+ {
+ "Attachments": [],
+ "AvailabilityZone": "us-east-1a",
+ "CreateTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 14,
+ "hour": 13,
+ "minute": 49,
+ "second": 12,
+ "microsecond": 551000
+ },
+ "Encrypted": false,
+ "Size": 8,
+ "SnapshotId": "",
+ "State": "available",
+ "VolumeId": "vol-012d727c7534061d4",
+ "Iops": 3000,
+ "Tags": [
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Green"
+ },
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1"
+ }
+ ],
+ "VolumeType": "gp3",
+ "MultiAttachEnabled": false,
+ "Throughput": 125
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json
new file mode 100644
index 000000000..1ab9c5243
--- /dev/null
+++ b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/placebo-red/ec2.DescribeVolumes_1.json
@@ -0,0 +1,40 @@
+{
+ "status_code": 200,
+ "data": {
+ "Volumes": [
+ {
+ "Attachments": [],
+ "AvailabilityZone": "us-east-1a",
+ "CreateTime": {
+ "__class__": "datetime",
+ "year": 2023,
+ "month": 11,
+ "day": 14,
+ "hour": 14,
+ "minute": 1,
+ "second": 31,
+ "microsecond": 420000
+ },
+ "Encrypted": false,
+ "Size": 8,
+ "SnapshotId": "",
+ "State": "available",
+ "VolumeId": "vol-00926f59f3b171f3b",
+ "Iops": 100,
+ "Tags": [
+ {
+ "Key": "ComplianceStatus",
+ "Value": "Red"
+ },
+ {
+ "Key": "CustodianRule",
+ "Value": "ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1"
+ }
+ ],
+ "VolumeType": "io1",
+ "MultiAttachEnabled": false
+ }
+ ],
+ "ResponseMetadata": {}
+ }
+}
\ No newline at end of file
diff --git a/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py
new file mode 100644
index 000000000..3dce85a5f
--- /dev/null
+++ b/tests/ecc-aws-570-ebs_volumes_are_of_type_gp3_instead_of_io1/red_policy_test.py
@@ -0,0 +1,5 @@
+class PolicyTest(object):
+
+ def test_resources(self, base_test, resources):
+ base_test.assertEqual(len(resources), 1)
+ base_test.assertEqual(resources[0]['VolumeType'], "io1")
\ No newline at end of file
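Review bot: `test_resources` pins only the io1 alternative of the policy's `(io1|io2)` filter; the placebo-red fixture holds a single io1 volume, so the io2 branch of the regex is never exercised by this test. Recording a second, io2 volume in `placebo-red/ec2.DescribeVolumes_1.json` and asserting `len(resources) == 2` with a `VolumeType` check on each entry would cover both alternatives. Stylistically, `class PolicyTest(object):` can be `class PolicyTest:` under Python 3, and a one-line docstring on the method, `"""The red fixture must surface exactly one io1 volume."""`, would record the intent that the bare assertions leave implicit.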