feat(config): add support for eks-cluster-xxx-version managed rule #21344

Merged
merged 2 commits into from
Jul 28, 2022
Merged
12 changes: 12 additions & 0 deletions packages/@aws-cdk/aws-config/lib/rule.ts
Expand Up @@ -783,6 +783,16 @@ export class ManagedRuleIdentifiers {
* @see https://docs.aws.amazon.com/config/latest/developerguide/ec2-imdsv2-check.html
*/
public static readonly EC2_IMDSV2_CHECK = 'EC2_IMDSV2_CHECK';
/**
* Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running the oldest supported version.
* @see https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-oldest-supported-version.html
*/
public static readonly EKS_CLUSTER_OLDEST_SUPPORTED_VERSION = 'EKS_CLUSTER_OLDEST_SUPPORTED_VERSION';
/**
* Checks if an Amazon Elastic Kubernetes Service (EKS) cluster is running a supported Kubernetes version.
* @see https://docs.aws.amazon.com/config/latest/developerguide/eks-cluster-supported-version.html
*/
public static readonly EKS_CLUSTER_SUPPORTED_VERSION = 'EKS_CLUSTER_SUPPORTED_VERSION';
/**
* Checks whether Amazon Elastic Kubernetes Service (Amazon EKS) endpoint is not publicly accessible.
* @see https://docs.aws.amazon.com/config/latest/developerguide/eks-endpoint-no-public-access.html
Expand Down Expand Up @@ -1322,6 +1332,8 @@ export class ResourceType {
public static readonly EC2_VPC_ENDPOINT_SERVICE = new ResourceType('AWS::EC2::VPCEndpointService');
/** EC2 VPC peering connection */
public static readonly EC2_VPC_PEERING_CONNECTION = new ResourceType('AWS::EC2::VPCPeeringConnection');
/** Amazon Elastic Kubernetes Service cluster */
public static readonly EKS_CLUSTER = new ResourceType('AWS::EKS::Cluster');
/** Amazon ElasticSearch domain */
public static readonly ELASTICSEARCH_DOMAIN = new ResourceType('AWS::Elasticsearch::Domain');
/** Amazon QLDB ledger */
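Review bot: The two new docstrings on `EKS_CLUSTER_OLDEST_SUPPORTED_VERSION` and `EKS_CLUSTER_SUPPORTED_VERSION` say what each rule inspects but not which outcome is NON_COMPLIANT, and for a compliance control that direction is what a reader needs: "is running the oldest supported version" could be read as flagging anything older, while the rule name suggests it flags a cluster sitting exactly on the oldest supported release. As far as I recall both rules are also driven by a version input parameter (the linked developer-guide pages call it `oldestVersionSupported`), and nothing in the docstrings tells a caller that it has to be supplied through the rule's input parameters. I would extend the first docstring with `The rule is NON_COMPLIANT if the cluster runs the version given by the rule's oldest-supported-version input parameter.` and the second with `The rule is NON_COMPLIANT if the cluster runs a version older than the configured oldest supported version.`, with the exact wording confirmed against the linked pages. The `ManagedRuleIdentifiers` class starts and ends outside this hunk.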
34 changes: 34 additions & 0 deletions packages/@aws-cdk/aws-config/test/rule.test.ts
Expand Up @@ -264,4 +264,38 @@ describe('rule', () => {
},
});
});

test('Add EKS Cluster check to ManagedRule', () => {
// GIVEN
const stack1 = new cdk.Stack();
const stack2 = new cdk.Stack();

// WHEN
new config.ManagedRule(stack1, 'RuleEksClusterOldest', {
identifier: config.ManagedRuleIdentifiers.EKS_CLUSTER_OLDEST_SUPPORTED_VERSION,
ruleScope: config.RuleScope.fromResource(config.ResourceType.EKS_CLUSTER),
});
new config.ManagedRule(stack2, 'RuleEksClusterVersion', {
identifier: config.ManagedRuleIdentifiers.EKS_CLUSTER_SUPPORTED_VERSION,
ruleScope: config.RuleScope.fromResources([config.ResourceType.EKS_CLUSTER]),
});

// THEN
Template.fromStack(stack1).hasResourceProperties('AWS::Config::ConfigRule', {
Source: {
SourceIdentifier: 'EKS_CLUSTER_OLDEST_SUPPORTED_VERSION',
},
Scope: {
ComplianceResourceTypes: ['AWS::EKS::Cluster'],
},
});
Template.fromStack(stack2).hasResourceProperties('AWS::Config::ConfigRule', {
Source: {
SourceIdentifier: 'EKS_CLUSTER_SUPPORTED_VERSION',
},
Scope: {
ComplianceResourceTypes: ['AWS::EKS::Cluster'],
},
});
});
});
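Review bot: The new test pins only `SourceIdentifier` and `Scope`, so it would pass even if the rule were synthesized without the version parameter the two EKS managed rules read (if I recall correctly, an input named `oldestVersionSupported`); CDK does not validate managed-rule parameters locally, so nothing in this PR shows the working shape of the rule. Consider passing `inputParameters: { oldestVersionSupported: '1.22' }` (a constructed sample value) on at least one of the two rules and asserting `InputParameters` in the matching `hasResourceProperties` call, so the test documents the configuration the rule depends on. The enclosing `describe('rule', ...)` block starts outside this hunk.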