From d5c66b19a33455f3492987437b453458ff3b90d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?James=20Pether=20S=C3=B6rling?=
Date: Mon, 5 Apr 2021 15:43:38 +0200
Subject: [PATCH] Elasticsearch domain inside vpc (#528)
https://github.com/stelligent/cfn_nag/issues/503
---
 .../ElasticsearchDomainInsideVPCRule.rb | 26 ++++++++++++++++
 .../ElasticsearchDomainInsideVPCRule_spec.rb | 31 +++++++++++++++++++
 .../elasticsearch_inside_vpc.json | 14 +++++++++
 .../elasticsearch_not_inside_vpc.json | 10 ++++++
 4 files changed, 81 insertions(+)
 create mode 100644 lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb
 create mode 100644 spec/custom_rules/ElasticsearchDomainInsideVPCRule_spec.rb
 create mode 100644 spec/test_templates/json/elasticsearch/elasticsearch_inside_vpc.json
 create mode 100644 spec/test_templates/json/elasticsearch/elasticsearch_not_inside_vpc.json
diff --git a/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb b/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb
new file mode 100644
index 00000000..e9f4ce3b
--- /dev/null
+++ b/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticsearchDomainInsideVPCRule < BaseRule
+ def rule_text
+ 'ElasticsearchcDomain should be inside vpc, should specify VPCOptions'
+ end
+
+ def rule_type
+ Violation::WARNING
+ end
+
+ def rule_id
+ 'W90'
+ end
+
+ def audit_impl(cfn_model)
+ violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+ domain.vPCOptions.nil?
+ end
+
+ violating_domains.map(&:logical_resource_id)
+ end
+end
diff --git a/spec/custom_rules/ElasticsearchDomainInsideVPCRule_spec.rb b/spec/custom_rules/ElasticsearchDomainInsideVPCRule_spec.rb
new file mode 100644
index 00000000..0a65bd5f
--- /dev/null
+++ b/spec/custom_rules/ElasticsearchDomainInsideVPCRule_spec.rb
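Review bot: The `rule_text` string in the new rule has a typo and inconsistent casing (`ElasticsearchcDomain ... inside vpc`); since this is the text cfn_nag prints for W90, consider `'Elasticsearch Domain should be inside a VPC; specify VPCOptions'`. Separately, `audit_impl` only tests `domain.vPCOptions.nil?`, so a template that declares `VPCOptions` as an empty object, or one without `SubnetIds`, would satisfy the rule without the domain actually being attached to a VPC. If `vPCOptions` is the raw property hash (verify against cfn-model), a check such as `domain.vPCOptions.nil? || domain.vPCOptions['SubnetIds'].to_a.empty?` would close that gap, with a matching spec fixture. A short class comment stating the intent, e.g. `# W90: flags Elasticsearch domains with no VPCOptions, i.e. domains presumably reachable via a public endpoint`, would also help, since the rule id is otherwise undocumented in this file.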
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule'
+
+describe ElasticsearchDomainInsideVPCRule do
+
+ describe 'AWS::Elasticsearch::Domain' do
+ context 'when Elasticsearch domain is inside VPC' do
+ it 'does not return an offending logical resource id' do
+ cfn_model = CfnParser.new.parse read_test_template('json/elasticsearch/elasticsearch_inside_vpc.json')
+ actual_logical_resource_ids = ElasticsearchDomainInsideVPCRule.new.audit_impl cfn_model
+
+ expect(actual_logical_resource_ids).to eq []
+ end
+ end
+ end
+
+ describe 'AWS::Elasticsearch::Domain' do
+ context 'when Elasticsearch domain is not inside VPC' do
+ it 'does return an offending logical resource id' do
+ cfn_model = CfnParser.new.parse read_test_template('json/elasticsearch/elasticsearch_not_inside_vpc.json')
+ actual_logical_resource_ids = ElasticsearchDomainInsideVPCRule.new.audit_impl cfn_model
+
+ expect(actual_logical_resource_ids).to eq ["ElasticsearchDomainNotInVPC"]
+ end
+ end
+ end
+
+end
\ No newline at end of file
diff --git a/spec/test_templates/json/elasticsearch/elasticsearch_inside_vpc.json b/spec/test_templates/json/elasticsearch/elasticsearch_inside_vpc.json
new file mode 100644
index 00000000..6028a6f2
--- /dev/null
+++ b/spec/test_templates/json/elasticsearch/elasticsearch_inside_vpc.json
@@ -0,0 +1,14 @@
+{
+ "Resources": {
+ "ElasticsearchDomainInVPC": {
+ "Type": "AWS::Elasticsearch::Domain",
+ "Properties": {
+ "DomainName": "nameddomain",
+ "VPCOptions" : {
+ "SecurityGroupIds": ["secgroup"],
+ "SubnetIds": ["subnetid"]
+ }
+ }
+ }
+ }
+}
diff --git a/spec/test_templates/json/elasticsearch/elasticsearch_not_inside_vpc.json b/spec/test_templates/json/elasticsearch/elasticsearch_not_inside_vpc.json
new file mode 100644
index 00000000..031bffef
--- /dev/null
+++ b/spec/test_templates/json/elasticsearch/elasticsearch_not_inside_vpc.json
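Review bot: The two `describe 'AWS::Elasticsearch::Domain'` groups in the new spec carry identical labels, so the output reads as a duplicated group; a single `describe` holding both `context` blocks would be clearer. The expectation `eq ["ElasticsearchDomainNotInVPC"]` uses double quotes while every other literal in the file uses single quotes, which RuboCop is likely to flag if the project enforces `Style/StringLiterals` — `eq ['ElasticsearchDomainNotInVPC']`. The spec also lacks a case for a domain whose `VPCOptions` is present but empty, which is the boundary the rule's `nil?` check in `audit_impl` does not exercise; the file additionally ends without a trailing newline.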
@@ -0,0 +1,10 @@
+{
+ "Resources": {
+ "ElasticsearchDomainNotInVPC": {
+ "Type": "AWS::Elasticsearch::Domain",
+ "Properties": {
+ "DomainName": "nameddomain"
+ }
+ }
+ }
+}