upd

.github/workflows/auto-test.yml

@@ -24,10 +24,10 @@ env:
   TF_BACKEND_STORAGE_NAME: ${{ secrets.TF_BACKEND_STORAGE_NAME }}
   TF_CLI_ARGS: "-no-color"
   AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
-  default_resource_priority_list: "['account', 'app-flow', 'cfn', 'cloudtrail', 'distribution', 'dynamodb-table', 'ebs', 'ec2', 'ecs', 'network', 'sqs']"
+  default_resource_priority_list: "['account', 'dynamodb', 'ebs']"
   #'[ "account", "acm", "airflow", "ami", "apigwv2", "app-elb", "app-flow", "asg", "backup", "cfn", "cloudtrail", "codebuild", "codedeploy", "codepipeline", "dax", "directory", "distribution", "dlm", "dms", "dynamodb", "ebs", "ec2", "ecr", "ecs", "efs", "eip", "eks", "elasticache", "elasticbeanstalk", "elasticsearch", "elb", "emr", "eni", "event", "firehose", "fsx", "glacier", "glue", "graphql", "hostedzone", "iam", "internet", "kafka", "key", "kinesis", "kms", "lambda", "launch", "lightsail", "log", "message", "nat", "network", "peering", "r53domain", "rds", "redshift", "rest", "route", "rrset", "s3", "sagemaker", "secrets", "security-group", "sns", "sqs", "step", "subnet", "transit", "vpc", "vpn", "waf"]'
   RED: '\033[0;31m'
-  ACTIONS_REPO_BRANCH: "main" 
+  ACTIONS_REPO_BRANCH: "upd_aws_autotests" 
 
 permissions:
   contents: "read"

auto_policy_testing/green/account/x-ray.tf

@@ -1,14 +1,14 @@
 # Removing this resource from Terraform has no effect to the encryption configuration within X-Ray.
-# resource "aws_xray_encryption_config" "this" {
-#   type   = "KMS"
-#   key_id = data.terraform_remote_state.common.outputs.kms_key_arn
-# }
+resource "aws_xray_encryption_config" "this" {
+  type   = "KMS"
+  key_id = data.terraform_remote_state.common.outputs.kms_key_arn
+}
 
-# resource "null_resource" "disable_xray_encryption" {
-#   provisioner "local-exec" {
-#     when    = destroy
-#     command = "aws xray put-encryption-config --type NONE"
-#   }
+resource "null_resource" "disable_xray_encryption" {
+  provisioner "local-exec" {
+    when    = destroy
+    command = "aws xray put-encryption-config --type NONE"
+  }
 
-#   depends_on = [aws_xray_encryption_config.this]
-# }
+  depends_on = [aws_xray_encryption_config.this]
+}

auto_policy_testing/red/ebs/ebs.tf

@@ -5,6 +5,7 @@ resource "aws_ebs_volume" "this" {
   size              = 4
   type              = "io1"
   iops              = 100
+  encrypted         = false
 
   tags = {
     Name = "${module.naming.resource_prefix.ebs_volume}"
@@ -30,6 +31,7 @@ resource "aws_ebs_snapshot" "this" {
   provider  = aws.provider2
 }
 
+
 resource "null_resource" "this" {
   provisioner "local-exec" {
     command     = "aws ec2 modify-snapshot-attribute --snapshot-id ${aws_ebs_snapshot.this.id} --attribute createVolumePermission --operation-type add  --group-names all"

terraform/ecc-aws-022-ebs_volumes_too_old_snapshots/iam/022-policy.json

@@ -6,7 +6,8 @@
             "Action": [
                 "ec2:DescribeSnapshots",
                 "ec2:DescribeImages",
-                "autoscaling:DescribeAutoScalingGroups"
+                "autoscaling:DescribeAutoScalingGroups",
+                "ec2:DescribeLaunchTemplateVersions"
             ],
             "Effect": "Allow",
             "Resource": "*"

terraform/ecc-aws-118-ecs_cluster_have_empty_roles_for_service_task_definitions/iam/118-policy.json

@@ -3,11 +3,13 @@
     "Statement": [
         {
             "Effect": "Allow",
-            "Action": [ 
+            "Action": [
                 "ecs:ListTaskDefinitions",
-                "ecs:DescribeTaskDefinition"
+                "ecs:DescribeTaskDefinition",
+                "ecs:ListClusters",
+                "ecs:ListServices"
             ],
             "Resource": "*"
         }
     ]
-}
+}