Added new rules for DMS Endpoint Encryption and AWS EMR Cluster Logging

Author: Michael Schappacher

cli/assets/terraform.yml

@@ -799,6 +799,8 @@ rules:
     assertions:
       - key: kms_key_id
         op: present
+    tags:
+      - kinesis
 
   - id: REDSHIFT_CLUSTER_ENCRYPTION
     message: RedshiftCluster should use encryption
@@ -884,6 +886,8 @@ rules:
       - key: policy.Version
         op: eq
         value: "2012-10-17"
+    tags:
+      - iam
 
   - id: ASSUME_ROLEPOLICY_VERSION
     message: Version in IAM Policy should be 2012-10-17
@@ -893,6 +897,8 @@ rules:
       - key: assume_role_policy.Version
         op: eq
         value: "2012-10-17"
+    tags:
+      - iam
 
   - id: BATCH_DEFINITION_PRIVILEGED
     message: Batch Job Definition Container Properties should not have Privileged set to true
@@ -902,6 +908,8 @@ rules:
       - not:
           - key: container_properties.privileged
             op: is-true
+    tags:
+      - batch
 
   - id: EC2_SUBNET_MAP_PUBLIC
     message: EC2 Subnet should not have MapPublicIpOnLaunch set to true
@@ -911,6 +919,9 @@ rules:
     - not:
       - key: map_public_ip_on_launch
         op: is-true
+    tags:
+      - ec2
+      - subnet
 
   - id: ELASTICACHE_ENCRYPTION_REST
     message: ElastiCache ReplicationGroup should have encryption enabled for at rest
@@ -919,6 +930,8 @@ rules:
     assertions:
     - key: at_rest_encryption_enabled
       op: is-true
+    tags:
+      - elasticache
 
   - id: ELASTICACHE_ENCRYPTION_TRANSIT
     message: ElastiCache ReplicationGroup should have encryption enabled for in transit
@@ -927,6 +940,8 @@ rules:
     assertions:
     - key: transit_encryption_enabled
       op: is-true
+    tags:
+      - elasticache
 
   - id: NEPTUNE_DB_ENCRYPTION
     message: Neptune database cluster storage should have encryption enabled
@@ -935,6 +950,8 @@ rules:
     assertions:
     - key: storage_encrypted
       op: is-true
+    tags:
+      - neptune
 
   - id: RDS_PUBLIC_AVAILABILITY
     message: RDS instance should not be publicly accessible
@@ -944,6 +961,28 @@ rules:
     - not:
       - key: publicly_accessible
         op: is-true
+    tags:
+      - rds
+
+  - id: AWS_DMS_ENDPOINT_ENCRYPTION
+    message: AWS DMS Endpoint should have a kms key present
+    resource: aws_dms_endpoint
+    severity: WARNING
+    assertions:
+      - key: kms_key_arn
+        op: present
+    tags:
+      - dms
+
+  - id: AWS_EMR_CLUSTER_LOGGING
+    message: AWS EMR Should have logging enabled
+    resource: aws_emr_cluster
+    severity: WARNING
+    assertions:
+      - key: log_uri
+        op: present
+    tags:
+      - emr
   # add KMS key policy version
   # ECR repository policy
   # add ElasticSearch domain access policy version

linter/terraform_test.go

@@ -234,6 +234,18 @@ func TestTerraformLinterCases(t *testing.T) {
 			1,
 			"KINESIS_STREAM_KMS",
 		},
+		"DmsEncryption": {
+			"./testdata/resources/dms_endpoint_encryption.tf",
+			"./testdata/rules/dms_endpoint_encryption.yml",
+			0,
+			"",
+		},
+		"EmrClusterLogs": {
+			"./testdata/resources/emr_cluster_logs.tf",
+			"./testdata/rules/emr_cluster_logs.yml",
+			1,
+			"AWS_EMR_CLUSTER_LOGGING",
+		},
 	}
 	for name, tc := range testCases {
 		options := Options{

linter/testdata/resources/dms_endpoint_encryption.tf

@@ -0,0 +1,19 @@
+resource "aws_dms_endpoint" "test" {
+  certificate_arn             = "arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012"
+  database_name               = "test"
+  endpoint_id                 = "test-dms-endpoint-tf"
+  endpoint_type               = "source"
+  engine_name                 = "aurora"
+  extra_connection_attributes = ""
+  kms_key_arn                 = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
+  password                    = "test"
+  port                        = 3306
+  server_name                 = "test"
+  ssl_mode                    = "none"
+
+  tags = {
+    Name = "test"
+  }
+
+  username = "test"
+}

linter/testdata/resources/emr_cluster_logs.tf

@@ -0,0 +1,119 @@
+resource "aws_emr_cluster" "cluster" {
+  name          = "emr-test-arn"
+  release_label = "emr-4.6.0"
+  applications  = ["Spark"]
+
+  additional_info = <<EOF
+{
+  "instanceAwsClientConfiguration": {
+    "proxyPort": 8099,
+    "proxyHost": "myproxy.example.com"
+  }
+}
+EOF
+
+  termination_protection            = false
+  keep_job_flow_alive_when_no_steps = true
+
+  ec2_attributes {
+    subnet_id                         = "${aws_subnet.main.id}"
+    emr_managed_master_security_group = "${aws_security_group.sg.id}"
+    emr_managed_slave_security_group  = "${aws_security_group.sg.id}"
+    instance_profile                  = "${aws_iam_instance_profile.emr_profile.arn}"
+  }
+
+  master_instance_group {
+    instance_type = "m4.large"
+  }
+
+  core_instance_group {
+    instance_type  = "c4.large"
+    instance_count = 1
+
+    ebs_config {
+      size                 = "40"
+      type                 = "gp2"
+      volumes_per_instance = 1
+    }
+
+    bid_price = "0.30"
+
+    autoscaling_policy = <<EOF
+{
+"Constraints": {
+  "MinCapacity": 1,
+  "MaxCapacity": 2
+},
+"Rules": [
+  {
+    "Name": "ScaleOutMemoryPercentage",
+    "Description": "Scale out if YARNMemoryAvailablePercentage is less than 15",
+    "Action": {
+      "SimpleScalingPolicyConfiguration": {
+        "AdjustmentType": "CHANGE_IN_CAPACITY",
+        "ScalingAdjustment": 1,
+        "CoolDown": 300
+      }
+    },
+    "Trigger": {
+      "CloudWatchAlarmDefinition": {
+        "ComparisonOperator": "LESS_THAN",
+        "EvaluationPeriods": 1,
+        "MetricName": "YARNMemoryAvailablePercentage",
+        "Namespace": "AWS/ElasticMapReduce",
+        "Period": 300,
+        "Statistic": "AVERAGE",
+        "Threshold": 15.0,
+        "Unit": "PERCENT"
+      }
+    }
+  }
+]
+}
+EOF
+  }
+
+  ebs_root_volume_size = 100
+
+  tags = {
+    role = "rolename"
+    env  = "env"
+  }
+
+  bootstrap_action {
+    path = "s3://elasticmapreduce/bootstrap-actions/run-if"
+    name = "runif"
+    args = ["instance.isMaster=true", "echo running on master node"]
+  }
+
+  configurations_json = <<EOF
+  [
+    {
+      "Classification": "hadoop-env",
+      "Configurations": [
+        {
+          "Classification": "export",
+          "Properties": {
+            "JAVA_HOME": "/usr/lib/jvm/java-1.8.0"
+          }
+        }
+      ],
+      "Properties": {}
+    },
+    {
+      "Classification": "spark-env",
+      "Configurations": [
+        {
+          "Classification": "export",
+          "Properties": {
+            "JAVA_HOME": "/usr/lib/jvm/java-1.8.0"
+          }
+        }
+      ],
+      "Properties": {}
+    }
+  ]
+EOF
+
+  service_role = "${aws_iam_role.iam_emr_service_role.arn}"
+}

linter/testdata/rules/dms_endpoint_encryption.yml

@@ -0,0 +1,15 @@
+
+version: 1
+description: AWS DMS Endpoint Encryption
+type: Terraform
+files:
+  - "*.tf"
+rules:
+
+  - id: AWS_DMS_ENDPOINT_ENCRYPTION
+    message: AWS DMS Endpoint should have a kms key present
+    resource: aws_dms_endpoint
+    severity: WARNING
+    assertions:
+      - key: kms_key_arn
+        op: present

linter/testdata/rules/emr_cluster_logs.yml

@@ -0,0 +1,16 @@
+version: 1
+description: AWS EMR Cluster Logging
+type: Terraform
+files:
+  - "*.tf"
+rules:
+
+  - id: AWS_EMR_CLUSTER_LOGGING
+    message: AWS EMR Should have logging enabled
+    resource: aws_emr_cluster
+    severity: WARNING
+    assertions:
+      - key: log_uri
+        op: present
+    tags:
+      - emr