inspec · Nirbhay1997 · Dec 2, 2021 · Nov 21, 2021 · Nov 21, 2021 · Nov 24, 2021
@@ -0,0 +1,102 @@
+---
+title: About the aws_rds_db_proxy Resource
+platform: aws
+---
+
+# aws_rds_db_proxy
+
+Use the `aws_rds_db_proxy` InSpec audit resource to test properties of a single AWS Relational Database Service (RDS) database proxy.
+
+The `AWS::RDS::DBProxy` resource creates or updates an RDS DB proxy.
+
+## Syntax
+
+Ensure that the db proxy exists.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      it { should exist }
+    end
+
+## Parameters
+
+`db_proxy_name` _(required)_
+
+The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region.
+
+For additional information, see the [AWS documentation on AWS RDS DBProxy](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-dbproxy.html).
+
+## Properties
+
+| Property | Description |
+| --- | --- |
+| db_proxy_name | The identifier for the proxy. This name must be unique for all proxies owned by your AWS account in the specified AWS Region. |
+| db_proxy_arn | The Amazon Resource Name (ARN) for the proxy. |
+| status | The current status of this proxy. |
+| engine_family | The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. |
+| vpc_id | The VPC id. |
+| vpc_security_group_ids | Provides a list of VPC security groups that the proxy belongs to. |
+| vpc_subnet_ids | The EC2 subnet IDs for the proxy. |
+| auth_descriptions | A user-specified description about the authentication used by a proxy to log in as a specific database user. |
+| auth_user_names | The name of the database user to which the proxy connects. |
+| auth_schemes | The type of authentication that the proxy uses for connections from the proxy to the underlying database. |
+| auth_secret_arns | The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager. |
+| auth_iam_auths | Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. |
+| role_arn | The Amazon Resource Name (ARN) for the IAM role that the proxy uses to access Amazon Secrets Manager. |
+| endpoint | The endpoint that you can use to connect to the proxy. You include the endpoint value in the connection string for a database client application. |
+| require_tls | Indicates whether Transport Layer Security (TLS) encryption is required for connections to the proxy. |
+| idle_client_timeout | The number of seconds a connection to the proxy can have no activity before the proxy drops the client connection. |
+| debug_logging | Whether the proxy includes detailed information about SQL statements in its logs. |
+| created_date | The date and time when the proxy was first created. |
+| updated_date | The date and time when the proxy was last updated. |
+
+## Examples
+
+### Ensure a db proxy name is available.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      its('db_proxy_name') { should eq 'DB_PROXY_NAME' }
+    end
+
+### Ensure a db proxy arn is available.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      its('db_proxy_arn') { should eq 'DB_PROXY_ARN' }
+    end
+
+### Ensure a status is `available`.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      its('status') { should eq 'available' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `RDS:Client:DescribeDBProxiesResponse` action with `Effect` set to `Allow`.
@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSRDSProxy < AwsResourceBase
+  name 'aws_rds_db_proxy'
+  desc 'Returns information about DB proxies.'
+
+  example "
+    describe aws_rds_db_proxy(db_proxy_name: 'DB_PROXY_NAME') do
+      it { should exist }
+    end
+  "
+
+  def initialize(opts = {})
+    super(opts)
+    validate_parameters(required: %i(db_proxy_name))
+    raise ArgumentError, "#{@__resource_name__}: db_proxy_name must be provided" unless opts[:db_proxy_name] && !opts[:db_proxy_name].empty?
+    @display_name = opts[:db_proxy_name]
+    catch_aws_errors do
+      resp = @aws.rds_client.describe_db_proxies({ db_proxy_name: opts[:db_proxy_name] })
+      @res = resp.db_proxies[0].to_h
+      create_resource_methods(@res)
+    end
+  end
+
+  def db_proxy_name
+    return nil unless exists?
+    @res[:db_proxy_name]
+  end
+
+  def exists?
+    !@res.nil? && !@res.empty?
+  end
+
+  def to_s
+    "DB Proxy Name: #{@display_name}"
+  end
+
+  def auth_descriptions
+    auth.map(&:description)
+  end
+
+  def auth_user_names
+    auth.map(&:user_name)
+  end
+
+  def auth_schemes
+    auth.map(&:auth_scheme)
+  end
+
+  def auth_secret_arns
+    auth.map(&:secret_arn)
+  end
+
+  def auth_iam_auths
+    auth.map(&:iam_auth)
+  end
+end
@@ -5344,4 +5344,111 @@ resource "aws_ec2_fleet" "aws_ec2_fleet_test1" {
 resource "aws_placement_group" "aws_placement_group_test1" {
   name     = "placement-group-test1"
   strategy = "cluster"
-}
+}
+
+#AWS:RDS:Proxy
+
+resource "aws_db_proxy" "for_proxy" {
+  name                   = "example"
+  debug_logging          = false
+  engine_family          = "MYSQL"
+  idle_client_timeout    = 1800
+  require_tls            = true
+  role_arn               = "arn:aws:iam::112758395563:role/service-role/rds-proxy-role-1609863739417"
+  vpc_security_group_ids = [aws_security_group.allow_proxy.id]
+  vpc_subnet_ids         = [aws_subnet.for_proxy.id,aws_subnet.for_proxy-2.id]
+
+  auth {
+    auth_scheme = "SECRETS"
+    description = "example"
+    iam_auth    = "DISABLED"
+    secret_arn  ="arn:aws:secretsmanager:us-east-2:112758395563:secret:test1-sJ9Lur"
+  }
+
+  tags = {
+    Name = "example"
+    Key  = "value"
+  }
+}
+
+resource "aws_vpc" "for_proxy" {
+  cidr_block = "10.0.0.0/16"
+}
+
+
+resource "aws_subnet" "for_proxy" {
+  vpc_id            = aws_vpc.for_proxy.id
+  cidr_block        = "10.0.16.0/20"
+
+
+  tags = {
+    Name = "forproxy1"
+  }
+}
+
+resource "aws_subnet" "for_proxy-2" {
+  vpc_id            = aws_vpc.for_proxy.id
+  cidr_block        = "10.0.32.0/20"
+
+
+  tags = {
+    Name ="forproxy"
+  }
+}
+
+
+resource "aws_security_group" "allow_proxy" {
+  name        = "allow_proxy"
+  description = "Allow all inbound traffic"
+  vpc_id      = aws_vpc.for_proxy.id
+
+  ingress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+  }
+
+  egress {
+    from_port        = 0
+    to_port          = 0
+    protocol         = "-1"
+    cidr_blocks      = ["0.0.0.0/0"]
+  }
+
+  tags = {
+    Name = "allow_tls"
+  }
+}
+
+#AWS::RDS::TargetGroup
+resource "aws_db_proxy_default_target_group" "for_proxy" {
+  db_proxy_name = aws_db_proxy.for_proxy.name
+
+  connection_pool_config {
+    connection_borrow_timeout    = 120
+    init_query                   = "SET x=1, y=2"
+    max_connections_percent      = 100
+    max_idle_connections_percent = 50
+    session_pinning_filters      = ["EXCLUDE_VARIABLE_SETS"]
+  }
+}
+
+resource "aws_db_proxy_target" "for_proxy" {
+  db_instance_identifier = aws_db_instance.for_proxy.id
+  db_proxy_name          = aws_db_proxy.for_proxy.name
+  target_group_name      = aws_db_proxy_default_target_group.for_proxy.name
+}
+
+
+resource "aws_db_instance" "for_proxy" {
+  allocated_storage    = 10
+  engine               = "mysql"
+  engine_version       = "5.7"
+  instance_class       = "db.t3.micro"
+  name                 = "mydb"
+  username             = "test"
+  password             = "foobarbaz"
+  parameter_group_name = "default.mysql5.7"
+  skip_final_snapshot  = true
+}
@@ -1300,4 +1300,7 @@ output "aws_eip_association_id" {
 
 output "aws_placement_group_placement_group_id" {
   value = aws_placement_group.aws_placement_group_test1.placement_group_id
-}
+}
+ output "aws_proxy_name" {
+   value = aws_db_proxy.for_proxy.name
+ }
@@ -0,0 +1,29 @@
+aws_proxy_name = attribute(:aws_proxy_name, value: '')
+control 'aws-rds-db-proxy-1.0' do
+  impact 1.0
+  title 'Test the properties of the rds db proxy.'
+
+  describe aws_rds_db_proxy(db_proxy_name: aws_proxy_name) do
+    it { should exist }
+  end
+
+  describe aws_rds_db_proxy(db_proxy_name: aws_proxy_name) do
+    its('db_proxy_name') { should eq aws_proxy_name }
+    its('db_proxy_arn') { should_not eq 'arn:aws:rds:us-east-2:84946t3466:db-proxy:prx-0ec29b6fdc6515d9c' }
+    its('status') { should eq 'available' }
+    its('engine_family') { should_not eq 'POSTGRESQL' }
+    its('vpc_id') { should_not eq 'vpc-6d9d7505' }
+    its('vpc_security_group_ids') { should_not be_empty }
+    its('vpc_subnet_ids') { should_not be_empty }
+    its('auth_description') { should_not be_empty }
+    its('auth_user_name') { should_not be_empty }
+    its('auth_scheme') { should include 'SECRETS' }
+    its('auth_secret_arn') { should_not include 'arn:aws:secretsmanager:us-east-2:456489375435:secret:automate-pg-key-wq150x' }
+    its('auth_iam_auth') { should_not include 'DISABLED' }
+    its('role_arn') { should_not eq 'arn:aws:iam::454375843759:role/service-role/rds-proxy-role-1609863739417' }
+    its('endpoint') { should_not eq 'automate-pg-proxy.proxy-cvjb1wur4wqf.us-east-2.rds.amazonaws.com' }
+    its('require_tls') { should eq false }
+    its('idle_client_timeout') { should eq 1800 }
+    its('debug_logging') { should eq false }
+  end
+end