DMSReplicationInstanceNotPublicRule (#529)

* wip DMSReplicationInstanceNotPublicRule
#503

* #503 tests

lib/cfn-nag/custom_rules/DMSReplicationInstanceNotPublicRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/util/truthy'
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class DMSReplicationInstanceNotPublicRule < BaseRule
+  def rule_text
+    'Database Migration Service replication instances are public, property PubliclyAccessible should be set to false'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W91'
+  end
+
+  def audit_impl(cfn_model)
+    violating_replications = cfn_model.resources_by_type('AWS::DMS::ReplicationInstance').select do |replication|
+      replication.publiclyAccessible.nil? || truthy?(replication.publiclyAccessible)
+    end
+
+    violating_replications.map(&:logical_resource_id)
+  end
+end

spec/custom_rules/DMSReplicationInstanceNotPublicRule_spec.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/DMSReplicationInstanceNotPublicRule'
+
+describe DMSReplicationInstanceNotPublicRule do
+
+  describe 'AWS::DMS::ReplicationInstance' do
+    context 'when Database Migration Service replication instances are not public' do
+      it 'does not return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/dms_replication_instance/dms-replication-instance-is-not-public.json')
+        actual_logical_resource_ids = DMSReplicationInstanceNotPublicRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq []
+      end
+    end
+  end
+
+  describe 'AWS::DMS::ReplicationInstance' do
+    context 'when Database Migration Service replication instance is public' do
+      it 'does return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/dms_replication_instance/dms-replication-instance-public.json')
+        actual_logical_resource_ids = DMSReplicationInstanceNotPublicRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq ["BasicReplicationInstance"]
+      end
+    end
+   end
+
+end

spec/test_templates/json/dms_replication_instance/dms-replication-instance-is-not-public.json

@@ -0,0 +1,12 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "BasicReplicationInstance": {
+            "Type": "AWS::DMS::ReplicationInstance",
+            "Properties": {
+                "ReplicationInstanceClass": "dms.t2.small",
+                "PubliclyAccessible": false
+            }
+        }
+    }
+}

spec/test_templates/json/dms_replication_instance/dms-replication-instance-public.json

@@ -0,0 +1,11 @@
+{
+    "AWSTemplateFormatVersion": "2010-09-09",
+    "Resources": {
+        "BasicReplicationInstance": {
+            "Type": "AWS::DMS::ReplicationInstance",
+            "Properties": {
+                "ReplicationInstanceClass": "dms.t2.small"
+            }
+        }
+    }
+}