inspec · soumyo13 · Dec 5, 2021 · Nov 24, 2021 · Nov 25, 2021 · Nov 25, 2021
@@ -0,0 +1,99 @@
+---
+title: About the aws_rds_global_cluster Resource
+platform: aws
+---
+
+# aws_rds_global_cluster
+
+Use the `aws_rds_global_cluster` InSpec audit resource to test properties of a single Amazon Aurora global database cluster.
+
+The `AWS::RDS::GlobalCluster` resource creates or updates an Amazon Aurora global database spread across multiple AWS Regions.
+
+## Syntax
+
+Ensure that the global cluster exists.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
+      it { should exist }
+    end
+
+## Parameters
+
+`global_cluster_identifier` _(required)_
+
+The cluster identifier of the global database cluster.
+
+For additional information, see the [AWS documentation on the `AWS::RDS::GlobalCluster` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html).
+
+## Properties
+
+| Property | Description |
+| --- | --- |
+| global_cluster_identifier | The list of global clusters returned by this request. |
+| global_cluster_resource_id | Contains a user-supplied global database cluster identifier. This identifier is the unique key that identifies a global database cluster. |
+| global_cluster_arn | The Amazon Web Services Region-unique, immutable identifier for the global database cluster. |
+| status | Specifies the current state of this global database cluster. |
+| engine | The Aurora database engine used by the global database cluster. |
+| engine_version | Indicates the database engine version. |
+| database_name | The default database name within the new global database cluster. |
+| storage_encrypted | The storage encryption setting for the global database cluster. |
+| deletion_protection | The deletion protection setting for the new global database cluster. |
+| failover_state.status | The current status of the Aurora global database ( GlobalCluster ). |
+| failover_state.from_db_cluster_arn | The Amazon Resource Name (ARN) of the Aurora DB cluster that is currently being demoted, and which is associated with this state. |
+| failover_state.to_db_cluster_arn | The Amazon Resource Name (ARN) of the Aurora DB cluster that is currently being promoted, and which is associated with this state.|
+| global_cluster_members.db_cluster_arn | The Amazon Resource Name (ARN) for each Aurora cluster. |
+| global_cluster_members.readers | The Amazon Resource Name (ARN) for each read-only secondary cluster associated with the Aurora global database. |
+| global_cluster_members.is_writer | Specifies whether the Aurora cluster is the primary cluster (that is, has read-write capability) for the Aurora global database with which it is associated. |
+| global_cluster_members.global_write_forwarding_status | Specifies whether a secondary cluster in an Aurora global database has write forwarding enabled, not enabled, or is in the process of enabling it. |
+
+## Examples
+
+### Ensure a DB global cluster is available.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+      its('global_cluster_resource_id') { should eq 'GLOBAL_CLUSTER_ID' }
+    end
+
+### Ensure a global cluster engine is available.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+      its('engine') { should eq 'ENGINE' }
+    end
+
+### Ensure a status is `available`.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+      its('status') { should eq 'available' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER'') do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `RDS:Client:DescribeGlobalClustersMessage` action with `Effect` set to `Allow`.
@@ -0,0 +1,86 @@
+---
+title: About the aws_rds_global_clusters Resource
+platform: aws
+---
+
+# aws_rds_global_clusters
+
+Use the `aws_rds_global_clusters` InSpec audit resource to test properties of multiple Amazon Aurora global database clusters.
+
+The AWS::RDS::GlobalCluster resource creates or updates an Amazon Aurora global database spread across multiple AWS Regions.
+
+## Syntax
+
+Ensure that the global cluster exists.
+
+    aws_rds_global_clusters do
+      it { should exist }
+    end
+
+For additional information, see the [AWS documentation on the `AWS::RDS::GlobalCluster` resource type](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-rds-globalcluster.html).
+
+## Properties
+
+| Property | Description | Fields |
+| --- | --- | --- |
+| global_cluster_identifiers | The list of global clusters returned by this request. | global_cluster_identifier |
+| global_cluster_resource_ids | Contains a user-supplied global database cluster identifier. | global_cluster_resource_id |
+| global_cluster_arns | The Amazon Web Services Region-unique, immutable identifier for the global database cluster. | global_cluster_arn |
+| statuses | Specifies the current state of this global database cluster. | status |
+| engines | The Aurora database engine used by the global database cluster. | engine |
+| engine_versions | Indicates the database engine version. | engine_version |
+| database_names | The default database name within the new global database cluster. | database_name |
+| storage_encrypted | The storage encryption setting for the global database cluster. | storage_encrypted |
+| deletion_protections | The deletion protection setting for the new global database cluster. | deletion_protection |
+
+## Examples
+
+### Ensure global cluster resource ID is available.
+
+    describe aws_rds_global_clusters do
+      its('global_cluster_identifiers') { should include 'GLOBAL_CLUSTER_IDENTIFIER' }
+    end
+
+### Ensure global cluster resource ID is available.
+
+    describe aws_rds_global_clusters do
+      its('global_cluster_resource_ids') { should include 'GLOBAL_CLUSTER_RESOURCE_ID' }
+    end
+
+### Ensure a status is `available`.
+
+    describe aws_rds_global_clusters do
+      its('statuses') { should include 'available' }
+    end
+
+## Matchers
+
+This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).
+
+The controls will pass if the `describe` method returns at least one result.
+
+### exist
+
+Use `should` to test that the entity exists.
+
+    describe aws_rds_global_clusters do
+      it { should exist }
+    end
+
+Use `should_not` to test the entity does not exist.
+
+    describe aws_rds_global_clusters do
+      it { should_not exist }
+    end
+
+### be_available
+
+Use `should` to check if the entity is available.
+
+    describe aws_rds_global_clusters do
+      it { should be_available }
+    end
+
+## AWS Permissions
+
+Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `RDS:Client:DescribeGlobalClustersMessage` action with `Effect` set to `Allow`.
@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSRDSGlobalCluster < AwsResourceBase
+  name 'aws_rds_global_cluster'
+  desc 'Returns information about Aurora global database clusters.'
+
+  example "
+    describe aws_rds_global_cluster(global_cluster_identifier: 'GLOBAL_CLUSTER_IDENTIFIER') do
+      it { should exist }
+    end
+  "
+
+  def initialize(opts = {})
+    super(opts)
+    validate_parameters(required: %i(global_cluster_identifier))
+    raise ArgumentError, "#{@__resource_name__}: global_cluster_identifier must be provided" unless opts[:global_cluster_identifier] && !opts[:global_cluster_identifier].empty?
+    @display_name = opts[:global_cluster_identifier]
+    catch_aws_errors do
+      resp = @aws.rds_client.describe_global_clusters({ global_cluster_identifier: opts[:global_cluster_identifier] })
+      @res = resp.global_clusters[0].to_h
+      create_resource_methods(@res)
+    end
+  end
+
+  def global_cluster_identifier
+    return nil unless exists?
+    @res[:global_cluster_identifier]
+  end
+
+  def exists?
+    !@res.nil? && !@res.empty?
+  end
+
+  def to_s
+    "RDS Global Cluster Identifier: #{@display_name}"
+  end
+end
@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+require 'aws_backend'
+
+class AWSRDSGlobalClusters < AwsResourceBase
+  name 'aws_rds_global_clusters'
+  desc 'Returns information about DB Global Cluster.'
+
+  example "
+    describe aws_rds_global_clusters do
+      it { should exist }
+    end
+  "
+
+  attr_reader :table
+
+  FilterTable.create
+             .register_column(:global_cluster_identifiers, field: :global_cluster_identifier)
+             .register_column(:global_cluster_resource_ids, field: :global_cluster_resource_id)
+             .register_column(:global_cluster_arns, field: :global_cluster_arn)
+             .register_column(:statuses, field: :status)
+             .register_column(:engines, field: :engine)
+             .register_column(:vpc_security_group_ids, field: :vpc_security_group_ids)
+             .register_column(:engine_versions, field: :engine_version)
+             .register_column(:database_names, field: :database_name)
+             .register_column(:storage_encrypted, field: :role_arn)
+             .register_column(:deletion_protection, field: :deletion_protection)
+             .install_filter_methods_on_resource(self, :table)
+
+  def initialize(opts = {})
+    super(opts)
+    validate_parameters
+    @table = fetch_data
+  end
+
+  def fetch_data
+    catch_aws_errors do
+      @table = @aws.rds_client.describe_global_clusters.map do |table|
+        table.global_clusters.map { |table_name| {
+          global_cluster_identifier: table_name.global_cluster_identifier,
+          global_cluster_resource_id: table_name.global_cluster_resource_id,
+          global_cluster_arn: table_name.global_cluster_arn,
+          status: table_name.status,
+          engine: table_name.engine,
+          engine_version: table_name.engine_version,
+          database_name: table_name.database_name,
+          storage_encrypted: table_name.storage_encrypted,
+          deletion_protection: table_name.deletion_protection,
+        }
+        }
+      end.flatten
+    end
+  end
+end
@@ -5645,3 +5645,33 @@ resource "aws_db_event_subscription" "for_test" {
     "restoration",
   ]
 }
+
+
+#AWS::RDS::GlobalCluster
+resource "aws_rds_global_cluster" "for_test" {
+  global_cluster_identifier = "global-test-1"
+  engine                    = "aurora"
+  engine_version            = "5.6.mysql_aurora.1.22.2"
+  database_name             = "example_db"
+}
+
+resource "aws_rds_cluster" "primary" {
+  engine                    = aws_rds_global_cluster.for_test.engine
+  engine_version            = aws_rds_global_cluster.for_test.engine_version
+  cluster_identifier        = "test-primary-cluster"
+  master_username           = "username"
+  master_password           = "somepass123"
+  database_name             = "example_db"
+  global_cluster_identifier = aws_rds_global_cluster.for_test.id
+  db_subnet_group_name      = "default"
+}
+
+resource "aws_rds_cluster_instance" "primary" {
+  engine               = aws_rds_global_cluster.for_test.engine
+  engine_version       = aws_rds_global_cluster.for_test.engine_version
+  identifier           = "test-primary-cluster-instance"
+  cluster_identifier   = aws_rds_cluster.primary.id
+  instance_class       = "db.r4.large"
+  db_subnet_group_name = "default"
+}
+
@@ -1388,4 +1388,8 @@ output "aws_proxy_name" {
 
 output "subscription_name" {
   value = aws.aws_db_event_subscription.name
+}
+
+output "global_cluster_identifier" {
+  value = aws_rds_global_cluster.for_test.global_cluster_identifier
 }
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+global_cluster_identifier = attribute(:global_cluster_identifier, value: '')
+
+control 'aws_rds_global_cluster-1.0' do
+  impact 1.0
+  title 'Test the properties of a Global cluster.'
+  describe aws_rds_global_cluster(global_cluster_identifier: global_cluster_identifier) do
+    it { should exist }
+    its('global_cluster_identifier') { should eq global_cluster_identifier }
+    its('global_cluster_resource_id') { should_not eq 'cluster-7355440cd5620115' }
+    its('global_cluster_arn') { should_not eq 'arn:aws:rds::546464644:global-cluster:global-test-1' }
+    its('status') { should_not eq 'unavailable' }
+  end
+end
@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+global_cluster_identifier = attribute(:global_cluster_identifier, value: '')
+
+control 'aws_rds_global_clusters-1.0' do
+  impact 1.0
+  title 'Test the properties of all the Global cluster.'
+  describe aws_rds_global_clusters do
+    it { should exist }
+    its('global_cluster_identifiers') { should_not include global_cluster_identifier }
+    its('global_cluster_resource_ids') { should_not include 'cluster-7355440cd5620115' }
+    its('global_cluster_arns') { should_not include 'arn:aws:rds::3646654567:global-cluster:global-test-1' }
+    its('statuses') { should_not include 'unavailable' }
+  end
+end