cfn-nag 0.5.53 → 0.5.54
- checksums.yaml +4 -4
- data/lib/cfn-nag/custom_rules/RDSInstanceDeletionProtectionRule.rb +28 -10
- metadata +1 -1
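--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 8232b564687290f3dd3b3e1c269ab6c1dbcd69ed7c63239dcf85f91afc4c687b
+data.tar.gz: 705772c9cabfb4f41332ea8cb0b4d21b46b5a8ef3bcb6789f7f9f77decb1bdf9
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: e56d4d946f611a683a9b4f87954eaf8f65ad7dc904cf1c151f7d5f318ca9951a21daf4bcf6c933b010cd10291028e2657f782d75db5b54df519f89f92f9d008f
+data.tar.gz: e18d8150848d43a2e7fb2ac5c0c5f79dde276b6c528b0218fe19cf07d596dbc3ae0f0e18561f4f4c517e3c069c1858926c922d661d9c31250acc503451e32c5e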
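--- a/data/lib/cfn-nag/custom_rules/RDSInstanceDeletionProtectionRule.rb
+++ b/data/lib/cfn-nag/custom_rules/RDSInstanceDeletionProtectionRule.rb
@@ -1,21 +1,14 @@
 # frozen_string_literal: true
 
+require_relative 'base'
+require 'cfn-nag/util/truthy.rb'
 require 'cfn-nag/violation'
-require_relative 'boolean_base_rule'
 
-class RDSInstanceDeletionProtectionRule <
+class RDSInstanceDeletionProtectionRule < BaseRule
 def rule_text
 'RDS instance should have deletion protection enabled'
 end
 
-def resource_type
-'AWS::RDS::DBInstance'
-end
-
-def boolean_property
-:deletionProtection
-end
-
 def rule_type
 Violation::FAILING_VIOLATION
 end
@@ -23,4 +16,29 @@ class RDSInstanceDeletionProtectionRule < BooleanBaseRule
 def rule_id
 'F80'
 end
+
+def audit_impl(cfn_model)
+rds_dbinstances = cfn_model.resources_by_type('AWS::RDS::DBInstance')
+
+violating_rdsinstances = rds_dbinstances.select do |instance|
+not_protected?(instance) && !aurora?(instance)
+end
+
+violating_rdsinstances.map(&:logical_resource_id)
+end
+
+private
+
+def not_protected?(instance)
+not_truthy?(instance.deletionProtection) || instance.deletionProtection == { 'Ref' => 'AWS::NoValue' }
+end
+
+def aurora?(db_instance)
+aurora_engines = %w[
+aurora
+aurora-mysql
+aurora-postgresql
+]
+aurora_engines.include? db_instance.engine
+end
 end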
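Review bot: The new Aurora exemption in `audit_impl` is undocumented, and a reader of F80 will not know why an `aurora*` DBInstance is silently passed; a comment on `aurora?` such as `# Aurora sets DeletionProtection on the AWS::RDS::DBCluster, not the instance, so instance-level absence is not a finding here` would state the intent and make clear that cluster-level coverage is expected elsewhere (I cannot see from this diff whether a DBCluster rule exists, so that is worth confirming). The engine list in `aurora?` is also rebuilt on every call; hoist it to a frozen constant, `AURORA_ENGINES = %w[aurora aurora-mysql aurora-postgresql].freeze`, and use `AURORA_ENGINES.include?(db_instance.engine)`. Note that an `Engine` supplied through an intrinsic (a hash rather than a String) never matches the list, so such an instance stays subject to the deletion-protection check, which is the conservative direction but deserves a one-line comment. The class definition begins in the first hunk of this file.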