upd: update policy 005 to be supported by open source Cloud Custodian

non-compatible/policies/ecc-aws-005-rds_not_open_to_large_scope.yml → policies/ecc-aws-005-rds_not_open_to_large_scope.yml

@@ -11,9 +11,9 @@ policies:
       RDS is open to a large scope
     resource: aws.rds
     filters:
-      - type: rds-vpc-filter
-        key: SecurityGroups[].IpPermissions[].IpRanges[].CidrIp
-        op: in
+      - type: security-group
+        key: '[IpPermissions[].IpRanges[].CidrIp,IpPermissions[].Ipv6Ranges[].CidrIpv6][]'
+        op: intersect
         value:
           - "0.0.0.0/0"
-          - "::/0"
+          - "::/0"

terraform/ecc-aws-005-rds_not_open_to_large_scope/green/rds.tf

@@ -1,33 +1,27 @@
-resource "aws_security_group" "this" {
-  name        = "005_security_group_green"
-  description = "Restrict inbound traffic"
-
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["89.162.139.30/32"]
-  }
-}
 
 resource "random_password" "this" {
   length           = 12
+  lower            = true
+  min_lower        = 1
+  upper            = true
+  min_upper        = 1
   special          = true
+  min_special      = 1
   numeric          = true
+  min_numeric      = 1
   override_special = "!#$%*()-_=+[]{}:?"
 }
 
 resource "aws_db_instance" "this" {
-  identifier           = "database-005-green"
-  engine               = "mysql"
-  engine_version       = "5.7"
-  instance_class       = "db.t2.micro"
-  allocated_storage    = 20
-  storage_type         = "gp2"
-  db_name              = "database005green"
-  username             = "root"
-  password             = random_password.this.result
-  parameter_group_name = "default.mysql5.7"
-  skip_final_snapshot  = true
-  vpc_security_group_ids = ["${aws_security_group.this.id}"]
+  identifier               = "database-005-green"
+  engine                   = "mysql"
+  instance_class           = "db.t4g.micro"
+  allocated_storage        = 20
+  storage_type             = "gp2"
+  username                 = "root"
+  password                 = random_password.this.result
+  skip_final_snapshot      = true
+  backup_retention_period  = 0
+  engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+  vpc_security_group_ids   = ["${aws_security_group.this.id}"]
 }

terraform/ecc-aws-005-rds_not_open_to_large_scope/green/terraform.tfvars

@@ -1,2 +1,2 @@
-profile        = "c7n"
+profile        = "Administrator"
 default-region = "us-east-1"

terraform/ecc-aws-005-rds_not_open_to_large_scope/green/vpc.tf

@@ -0,0 +1,90 @@
+data "aws_vpc" "default" {
+  default = true
+}
+
+data "aws_availability_zones" "this" {
+  state = "available"
+}
+
+data "aws_subnets" "this" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+  filter {
+    name   = "availability-zone"
+    values = data.aws_availability_zones.this.names
+  }
+  filter {
+    name   = "map-public-ip-on-launch"
+    values = ["true"]
+  }
+}
+
+data "aws_security_group" "this" {
+  filter {
+    name   = "vpc-id"
+    values = [data.aws_vpc.default.id]
+  }
+
+  filter {
+    name   = "group-name"
+    values = ["default"]
+  }
+}
+
+resource "aws_security_group" "this" {
+  name        = "005_security_group_green"
+  description = "Allow all inbound traffic"
+
+  tags = {
+    Name = "005_security_group_green"
+  }
+}
+
+resource "aws_vpc_security_group_ingress_rule" "this1" {
+  security_group_id = aws_security_group.this.id
+  cidr_ipv4         = data.aws_vpc.default.cidr_block
+  from_port         = 443
+  ip_protocol       = "tcp"
+  to_port           = 443
+}
+
+resource "aws_vpc_security_group_egress_rule" "this2" {
+  security_group_id = aws_security_group.this.id
+  cidr_ipv4         = "0.0.0.0/0"
+  ip_protocol       = "-1" 
+}
+
+resource "aws_vpc_security_group_egress_rule" "this3" {
+  security_group_id = aws_security_group.this.id
+  cidr_ipv6         = "::/0"
+  ip_protocol       = "-1" 
+}
+
+resource "aws_vpc_security_group_ingress_rule" "this4" {
+  security_group_id            = aws_security_group.this.id
+  referenced_security_group_id = data.aws_security_group.this.id
+  from_port                    = 443
+  ip_protocol                  = "tcp"
+  to_port                      = 443
+}
+
+resource "aws_vpc_security_group_ingress_rule" "this5" {
+  security_group_id = aws_security_group.this.id
+  prefix_list_id    = aws_ec2_managed_prefix_list.this.id
+  from_port         = 443
+  ip_protocol       = "tcp"
+  to_port           = 443
+}
+
+resource "aws_ec2_managed_prefix_list" "this" {
+  name           = "005_prefix_list_green"
+  address_family = "IPv4"
+  max_entries    = 5
+
+  entry {
+    cidr        = data.aws_vpc.default.cidr_block
+    description = "test"
+  }
+}

terraform/ecc-aws-005-rds_not_open_to_large_scope/iam/005-policy.json

@@ -4,12 +4,10 @@
         {
             "Effect": "Allow",
             "Action": [
-                "tag:GetResources",
                 "rds:DescribeDBInstances",
-                "ec2:DescribeSecurityGroups",
-                "ec2:DescribeSecurityGroupRules"
+                "ec2:DescribeSecurityGroups"
             ],
             "Resource": "*"
         }
     ]
-}
+}

terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/provider.tf

@@ -7,10 +7,10 @@ terraform {
   }
 }
 
-provider "aws"{
+provider "aws" {
   profile = var.profile
   region  = var.default-region
-  
+
   default_tags {
     tags = {
       CustodianRule    = "ecc-aws-005-rds_not_open_to_large_scope"

terraform/ecc-aws-005-rds_not_open_to_large_scope/red1/rds.tf

@@ -1,33 +1,27 @@
-resource "aws_security_group" "this" {
-  name        = "005_security_group_red1"
-  description = "Allow all inbound traffic"
-
-  ingress {
-    from_port   = 22
-    to_port     = 22
-    protocol    = "tcp"
-    cidr_blocks = ["0.0.0.0/0"]
-  }
-}
 
 resource "random_password" "this" {
   length           = 12
+  lower            = true
+  min_lower        = 1
+  upper            = true
+  min_upper        = 1
   special          = true
+  min_special      = 1
   numeric          = true
+  min_numeric      = 1
   override_special = "!#$%*()-_=+[]{}:?"
 }
 
 resource "aws_db_instance" "this" {
-  identifier           = "database-005-red1"
-  engine               = "mysql"
-  engine_version       = "5.7"
-  instance_class       = "db.t2.micro"
-  allocated_storage    = 20
-  db_name              = "database005red1"
-  storage_type         = "gp2"
-  username             = "root"
-  password             = random_password.this.result
-  parameter_group_name = "default.mysql5.7"
-  skip_final_snapshot  = true
-  vpc_security_group_ids = ["${aws_security_group.this.id}"]
+  identifier               = "database-005-red1"
+  engine                   = "mysql"
+  instance_class           = "db.t4g.micro"
+  allocated_storage        = 20
+  storage_type             = "gp2"
+  username                 = "root"
+  password                 = random_password.this.result
+  skip_final_snapshot      = true
+  backup_retention_period  = 0
+  engine_lifecycle_support = "open-source-rds-extended-support-disabled"
+  vpc_security_group_ids   = ["${aws_security_group.this.id}"]
 }