From e69a1aff8eae3b75b50bc778b383776b069b45f4 Mon Sep 17 00:00:00 2001
From: Anna Shcherbak
Date: Fri, 31 May 2024 18:23:27 +0300
Subject: [PATCH] skip: update auto-test for rds, sns
---
 .github/workflows/tf_testing.yml | 2 +-
 auto_policy_testing/green/lambda/lambda.tf | 1 +
 auto_policy_testing/green/rds/rds_aurora-mysql.tf | 14 ++++++++++++++
 auto_policy_testing/green/rds/rds_mariadb.tf | 2 +-
 auto_policy_testing/green/rds/rds_mysql.tf | 14 ++++++++++++++
 auto_policy_testing/green/s3/lambda.tf | 1 +
 auto_policy_testing/green/sns/sns.tf | 3 ++-
 auto_policy_testing/red/lambda/lambda.tf | 1 +
 auto_policy_testing/scripts/exception_rules.py | 2 --
 .../shared_tf_modules/naming/outputs.tf | 2 +-
 10 files changed, 36 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/tf_testing.yml b/.github/workflows/tf_testing.yml
index e8b4ddcd..c5a6503c 100644
--- a/.github/workflows/tf_testing.yml
+++ b/.github/workflows/tf_testing.yml
@@ -22,7 +22,7 @@ env:
 CORE_TESTING_FOLDER: ${{ github.workspace }}
 OUTPUT_DIR: ${{ github.workspace }}/auto_policy_testing/output
 AWS_DEFAULT_REGION: ${{ vars.AWS_REGION }}
- resource_priority_list: 'sqs,sns'
+ resource_priority_list: 'rds'
 RED: '\033[0;31m'
 jobs:
diff --git a/auto_policy_testing/green/lambda/lambda.tf b/auto_policy_testing/green/lambda/lambda.tf
index df4c275b..bc3508c5 100644
--- a/auto_policy_testing/green/lambda/lambda.tf
+++ b/auto_policy_testing/green/lambda/lambda.tf
@@ -20,6 +20,7 @@ resource "aws_lambda_function" "this" {
 runtime = "python3.12"
 reserved_concurrent_executions = 1
 layers = ["arn:aws:lambda:${var.region}:580247275435:layer:LambdaInsightsExtension:52"]
+ replace_security_groups_on_destroy = true
 vpc_config {
 security_group_ids = [aws_security_group.this.id]
diff --git a/auto_policy_testing/green/rds/rds_aurora-mysql.tf b/auto_policy_testing/green/rds/rds_aurora-mysql.tf
index 51fa332e..60d7af29 100644
--- a/auto_policy_testing/green/rds/rds_aurora-mysql.tf
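Review bot: `resource_priority_list: 'rds'` hard-codes a single-service priority into the committed workflow env, replacing `'sqs,sns'` even though this same commit edits the SNS fixture in auto_policy_testing/green/sns/sns.tf. If the value is a per-run focus knob (the `skip:` subject suggests a throwaway run), it belongs in a workflow_dispatch input or a repository variable like the `AWS_REGION` one two lines above, so the default list does not drift with every test pass. If the narrowing is meant to stay, a comment such as `# only rds fixtures get priority in this run; sqs/sns are covered by the regular pass` would say so. The consumer of this value is outside the hunk, so I cannot tell whether an empty list falls back to all services.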
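Review bot: `replace_security_groups_on_destroy = true` is added without a comment, and the same line lands in auto_policy_testing/green/s3/lambda.tf and auto_policy_testing/red/lambda/lambda.tf. As the provider documents it, the setting is a teardown aid only: before the function is destroyed its VPC security groups are swapped for the VPC default group (or `replacement_security_group_ids` when set) so lingering Lambda ENIs do not block deleting `aws_security_group.this`; it changes nothing at runtime. The s3 variant shows no `vpc_config` in its hunk, so there the attribute may be a no-op, worth confirming against the rest of that file. A why-comment above each occurrence, `# detach aws_security_group.this from the function ENIs before destroy so the SG can be deleted promptly`, would stop the next reader from taking it for a hardening setting.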
+++ b/auto_policy_testing/green/rds/rds_aurora-mysql.tf
@@ -14,6 +14,20 @@ resource "aws_rds_cluster" "aurora-mysql" {
 backtrack_window = 600
 copy_tags_to_snapshot = true
 port = 6033
+ deletion_protection = true
+}
+
+resource "null_resource" "this2" {
+ triggers = {
+ rds = aws_rds_cluster.aurora-mysql.cluster_identifier
+ }
+
+ provisioner "local-exec" {
+ when = destroy
+ command = "aws rds modify-db-cluster --db-cluster-identifier ${self.triggers.rds} --no-deletion-protection"
+ }
+
+ depends_on = [aws_rds_cluster.aurora-mysql]
 }
 data "aws_rds_engine_version" "aurora-mysql" {
diff --git a/auto_policy_testing/green/rds/rds_mariadb.tf b/auto_policy_testing/green/rds/rds_mariadb.tf
index ae23a495..1ffd6a73 100644
--- a/auto_policy_testing/green/rds/rds_mariadb.tf
+++ b/auto_policy_testing/green/rds/rds_mariadb.tf
@@ -1,7 +1,7 @@
 resource "aws_db_instance" "mariadb" {
 identifier = "${module.naming.resource_prefix.rds_instance}-mariadb"
 engine = "mariadb"
- engine_version = "10.6.10"
+ engine_version = "10.6.17"
 instance_class = "db.t3.micro"
 allocated_storage = 20
 storage_type = "gp2"
diff --git a/auto_policy_testing/green/rds/rds_mysql.tf b/auto_policy_testing/green/rds/rds_mysql.tf
index 39de8305..a5fcc030 100644
--- a/auto_policy_testing/green/rds/rds_mysql.tf
+++ b/auto_policy_testing/green/rds/rds_mysql.tf
@@ -29,6 +29,7 @@ resource "aws_db_instance" "mysql" {
 parameter_group_name = aws_db_parameter_group.mysql.id
 iam_database_authentication_enabled = true
 auto_minor_version_upgrade = true
+ deletion_protection = true
 }
 resource "aws_db_parameter_group" "mysql" {
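Review bot: The `null_resource.this2` destroy provisioner strips deletion protection automatically on `terraform destroy`, so the new `deletion_protection = true` satisfies the rds deletion-protection policy check but is not a real safeguard for this fixture; that is acceptable for a green test case, but it should be stated in place, e.g. `# test fixture only: deletion protection exists to satisfy the policy check and is removed by the destroy provisioner so teardown does not fail`, and `this2` would read better as `disable_deletion_protection`. The same pattern, `null_resource.this1`, is added in auto_policy_testing/green/rds/rds_mysql.tf and needs the same comment and naming. The `aws rds modify-db-cluster` command passes no `--region`, unlike the sns.tf provisioner in this commit that passes `--region ${var.region}`, so teardown silently depends on AWS_DEFAULT_REGION being exported (the workflow sets it; a local destroy may not); if `var.region` exists in this module it should be passed here as well. `modify-db-cluster` also returns before the change is applied, so if the following cluster delete ever races it, an `aws rds wait db-cluster-available` after the modify would make teardown deterministic; I have not observed that race here, so treat this as a hedge.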
@@ -63,3 +64,16 @@ resource "aws_db_snapshot" "mysql" {
 db_instance_identifier = aws_db_instance.mysql.identifier
 db_snapshot_identifier = "${module.naming.resource_prefix.rds_instance}-mysql"
 }
+
+resource "null_resource" "this1" {
+ triggers = {
+ rds = aws_db_instance.mysql.identifier
+ }
+
+ provisioner "local-exec" {
+ when = destroy
+ command = "aws rds modify-db-instance --db-instance-identifier ${self.triggers.rds} --no-deletion-protection"
+ }
+
+ depends_on = [aws_db_instance.mysql]
+}
\ No newline at end of file
diff --git a/auto_policy_testing/green/s3/lambda.tf b/auto_policy_testing/green/s3/lambda.tf
index 4a7f0414..0e7ab08e 100644
--- a/auto_policy_testing/green/s3/lambda.tf
+++ b/auto_policy_testing/green/s3/lambda.tf
@@ -5,6 +5,7 @@ resource "aws_lambda_function" "this" {
 handler = "func.lambda_handler"
 runtime = "python3.12"
 depends_on = [data.archive_file.this]
+ replace_security_groups_on_destroy = true
 }
 resource "aws_lambda_permission" "this" {
diff --git a/auto_policy_testing/green/sns/sns.tf b/auto_policy_testing/green/sns/sns.tf
index 312c3050..fc058c2f 100644
--- a/auto_policy_testing/green/sns/sns.tf
+++ b/auto_policy_testing/green/sns/sns.tf
@@ -21,7 +21,8 @@ resource "null_resource" "this" {
 "aws sns publish ",
 "--topic-arn ${aws_sns_topic.this.arn}",
 "--message 'Hello World!'",
- "--region ${var.region}"
+ "--region ${var.region} ;",
+ "sleep 15m"
 ]
 )
 }
diff --git a/auto_policy_testing/red/lambda/lambda.tf b/auto_policy_testing/red/lambda/lambda.tf
index 8daf95ba..d97b5f03 100644
--- a/auto_policy_testing/red/lambda/lambda.tf
+++ b/auto_policy_testing/red/lambda/lambda.tf
@@ -10,6 +10,7 @@ resource "aws_lambda_function" "this" {
 role = aws_iam_role.this.arn
 handler = "func.lambda_handler"
 runtime = "python3.8"
+ replace_security_groups_on_destroy = true
 vpc_config {
 security_group_ids = [aws_security_group.this.id]
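Review bot: Chaining `sleep 15m` with `;` makes the provisioner's exit status that of the sleep, so a failed `aws sns publish` (wrong ARN, missing permission, wrong region) no longer fails the apply; it just stalls for 15 minutes and then reports success. Writing the separator as `"--region ${var.region} &&",` keeps the sleep but lets the publish failure propagate to Terraform. The sleep itself is undocumented and a 15-minute stall on every apply of this fixture deserves a why-comment above the provisioner and a variable for the duration; I am inferring it exists so the publish activity is observable to the policy scan, so confirm before writing that down. The `join(` call and the provisioner block wrapping this list start above the hunk, so which interpreter runs the string (the local-exec default is `/bin/sh -c` on Linux) is not visible here.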
diff --git a/auto_policy_testing/scripts/exception_rules.py b/auto_policy_testing/scripts/exception_rules.py
index a9bc4a8b..abbff048 100644
--- a/auto_policy_testing/scripts/exception_rules.py
+++ b/auto_policy_testing/scripts/exception_rules.py
@@ -3,8 +3,6 @@
 "ecc-aws-015-ensure_mfa_is_enabled_for_the_root_account",
 "ecc-aws-112-s3_bucket_versioning_mfa_delete_enabled", #manual
 "ecc-aws-138-eliminate_use_root_user_for_administrative_and_daily_tasks",
- "ecc-aws-200-rds_cluster_deletion_protection_enabled",
- "ecc-aws-201-rds_instance_deletion_protection_enabled",
 "ecc-aws-207-rds_aurora_logging_enabled",
 "ecc-aws-286-workspaces_unused_instances",
 "ecc-aws-331-workspaces_images_not_older_than_90_days",
diff --git a/auto_policy_testing/shared_tf_modules/naming/outputs.tf b/auto_policy_testing/shared_tf_modules/naming/outputs.tf
index 6c0e9380..4e171397 100755
--- a/auto_policy_testing/shared_tf_modules/naming/outputs.tf
+++ b/auto_policy_testing/shared_tf_modules/naming/outputs.tf
@@ -45,7 +45,7 @@ output "resource_prefix" {
 backup_plan = "${local.suffix}_${var.resource_type}_plan_${local.compliance_status}"
 app_flow = "${local.suffix}-${var.resource_type}-appflow-${local.compliance_status}"
 cfn = "${local.suffix}-${var.resource_type}-cfn-${local.compliance_status}"
- sns = "${local.suffix}_${var.resource_type}_sns_${local.compliance_status}"
+ sns = "${local.suffix}-${var.resource_type}_sns_${local.compliance_status}"
 sqs = "${local.suffix}-${var.resource_type}-sqs-${local.compliance_status}"
 kms_key = "${local.suffix}_${var.resource_type}_key_${local.compliance_status}"
 ami = "${local.suffix}_${var.resource_type}_ami_${local.compliance_status}"
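Review bot: The new `sns` prefix mixes separators, `${local.suffix}-${var.resource_type}_sns_${local.compliance_status}` uses `-` once and `_` twice, while every sibling entry in this output uses one separator throughout (`sqs` all `-`, `kms_key` and `ami` all `_`). If the intent was to align SNS with SQS the line should be `sns = "${local.suffix}-${var.resource_type}-sns-${local.compliance_status}"`; if a consumer matches on the underscore form and only the first separator had to change, that constraint belongs in a comment above the line so the next cleanup does not "fix" it. Both hyphen and underscore are valid in SNS topic names, so nothing breaks, but as written the line reads as a partial edit.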