pulumi / pulumi-policy-aws

A policy pack of rules to enforce AWS best practices for security, reliability, cost, and more!
https://www.pulumi.com
Apache License 2.0

Database policies #11

Open ekrengel opened 4 years ago

ekrengel commented 4 years ago

Tracking Spreadsheet

Won't do:

Definition of Done:

ekrengel commented 4 years ago

Redshift rule merged: https://github.com/pulumi/pulumi-awsguard/pull/24

ekrengel commented 4 years ago

7/11 are done -- going to push the rest out to M30

ekrengel commented 4 years ago

Not able to figure out how to create a policy for rds-snapshots-public-prohibited; will need to dig in a bit more.

ekrengel commented 4 years ago

dynamodb-throughput-limit-check is an account setting -- whether you're approaching an account throughput limit -- so probably not something we should do for AWSGuard.

ekrengel commented 4 years ago

The dynamodb-autoscaling-enabled is dependent on https://github.com/pulumi/pulumi-policy/issues/153 because to properly configure scaling on a DB table you need an aws.appautoscaling.Policy that references an aws.appautoscaling.Target by the target's ID.

Below is the code I started to write, but for now I will just check that a Policy exists.


import * as aws from "@pulumi/aws";
import { EnforcementLevel, ReportViolation, StackValidationArgs, StackValidationPolicy } from "@pulumi/policy";
import { Resource } from "@pulumi/pulumi";
import * as q from "@pulumi/pulumi/queryable";

// Assumed import path: the pack's shared helpers (PolicyArgs, getValueOrDefault,
// defaultEnforcementLevel) are not shown in this issue.
import { defaultEnforcementLevel, getValueOrDefault, PolicyArgs } from "./util";

export interface DynamodbTableAutoscalingEnabledArgs extends PolicyArgs {
    /** Minimum number of units that should be provisioned with read capacity in the Auto Scaling group. If not set, no minimum is required. */
    minProvisionedReadCapacity?: number;

    /** Minimum number of units that should be provisioned with write capacity in the Auto Scaling group. If not set, no minimum is required. */
    minProvisionedWriteCapacity?: number;

    /** Maximum number of units that should be provisioned with read capacity in the Auto Scaling group. If not set, no maximum is enforced. */
    maxProvisionedReadCapacity?: number;

    /** Maximum number of units that should be provisioned with write capacity in the Auto Scaling group. If not set, no maximum is enforced. */
    maxProvisionedWriteCapacity?: number;

    /** The target utilization percentage for read capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity. */
    targetReadUtilization?: number;

    /** The target utilization percentage for write capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity. */
    targetWriteUtilization?: number;
}

/** @internal */
export function dynamodbTableAutoscalingEnabled(
    args?: EnforcementLevel | DynamodbTableAutoscalingEnabledArgs): StackValidationPolicy {

    const { enforcementLevel,
        minProvisionedReadCapacity, minProvisionedWriteCapacity,
        maxProvisionedReadCapacity, maxProvisionedWriteCapacity,
        targetReadUtilization, targetWriteUtilization } = getValueOrDefault(args, {
            enforcementLevel: defaultEnforcementLevel,
        });

    return {
        name: "dynamodb-autoscaling-enabled",
        description: "Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables " +
            "and/or global secondary indexes.",
        enforcementLevel: enforcementLevel,
        validateStack: (args: StackValidationArgs, reportViolation: ReportViolation) => {

            // Get resolved DynamoDB tables and App Scaling policies.
            const dynamodbTables = getResolvedResources(aws.dynamodb.Table.isInstance, args);
            const appScalingPolicies = getResolvedResources(aws.appautoscaling.Policy.isInstance, args);

            // Group policies by their Application Auto Scaling resource ID. For a DynamoDB
            // table that ID is "table/<tableName>", not the table's own ID, and a table
            // normally carries one policy per scalable dimension (read and write).
            const policiesByResourceID: Record<string, q.ResolvedResource<aws.appautoscaling.Policy>[]> = {};
            for (const policy of appScalingPolicies) {
                const existing = policiesByResourceID[policy.resourceId] || [];
                existing.push(policy);
                policiesByResourceID[policy.resourceId] = existing;
            }

            for (const table of dynamodbTables) {
                // On-demand tables scale on their own and need no policy.
                if (table.billingMode === "PAY_PER_REQUEST") {
                    continue;
                }

                const policies = policiesByResourceID[`table/${table.name}`] || [];
                if (policies.length === 0) {
                    reportViolation(`DynamoDB table ${table.name} missing appscaling policy.`);
                    continue;
                }

                // The min/max provisioned capacity bounds live on the aws.appautoscaling.Target,
                // which cannot be resolved from the policy yet (pulumi/pulumi-policy#153), so only
                // the target utilization of each policy is checked here.
                for (const policy of policies) {
                    const tracking = policy.targetTrackingScalingPolicyConfiguration;
                    const targetValue = tracking === undefined ? undefined : tracking.targetValue;
                    if (policy.scalableDimension === "dynamodb:table:ReadCapacityUnits"
                        && targetReadUtilization !== undefined && targetValue !== targetReadUtilization) {
                        reportViolation(`DynamoDB table ${table.name} read scaling policy should target ` +
                            `${targetReadUtilization}% utilization.`);
                    }
                    if (policy.scalableDimension === "dynamodb:table:WriteCapacityUnits"
                        && targetWriteUtilization !== undefined && targetValue !== targetWriteUtilization) {
                        reportViolation(`DynamoDB table ${table.name} write scaling policy should target ` +
                            `${targetWriteUtilization}% utilization.`);
                    }
                }
            }
        },
    };
}

// Utility method returning all resources matching the provided type.
function getResolvedResources<TResource extends Resource>(
    typeFilter: (o: any) => o is TResource,
    args: StackValidationArgs,
): q.ResolvedResource<TResource>[] {
    return args.resources
        .map(r => (<unknown>{ ...r.props, __pulumiType: r.type } as q.ResolvedResource<TResource>))
        .filter(typeFilter);
}
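
The comment above describes the join the finished rule needs: a table is scaled by an aws.appautoscaling.Target (which carries min/max capacity) and an aws.appautoscaling.Policy that points at that Target (and carries the utilization goal). The following is an added example, not code from pulumi-awsguard or from the issue author: a dependency-free TypeScript sketch that performs that join over hand-built resource records shaped like the resolved props a stack validation sees. It assumes the Target and Policy properties are already resolved to plain strings and numbers; the type tokens, the `table/<name>` resource ID form and the `dynamodb:table:ReadCapacityUnits` / `WriteCapacityUnits` dimensions are the real Application Auto Scaling identifiers, while `dynamodbAutoscalingViolations` and the sample stack are constructed for illustration.

```typescript
// Added example, not code from pulumi-awsguard. Resource shapes are hand-built to mimic
// the resolved props a stack validation sees; the join keys are the real Application
// Auto Scaling identifiers (serviceNamespace/resourceId/scalableDimension).

interface ResolvedResource {
    type: string;                 // Pulumi type token, e.g. "aws:dynamodb/table:Table"
    props: Record<string, any>;   // resolved input/output properties (no Outputs)
}

interface AutoscalingRuleArgs {
    minProvisionedReadCapacity?: number;
    minProvisionedWriteCapacity?: number;
    maxProvisionedReadCapacity?: number;
    maxProvisionedWriteCapacity?: number;
    targetReadUtilization?: number;
    targetWriteUtilization?: number;
}

const TABLE_TYPE = "aws:dynamodb/table:Table";
const TARGET_TYPE = "aws:appautoscaling/target:Target";
const POLICY_TYPE = "aws:appautoscaling/policy:Policy";
const READ_DIM = "dynamodb:table:ReadCapacityUnits";
const WRITE_DIM = "dynamodb:table:WriteCapacityUnits";

/** Returns one message per violation; an empty array means every provisioned table is covered. */
export function dynamodbAutoscalingViolations(
    resources: ResolvedResource[], args: AutoscalingRuleArgs = {}): string[] {
    const violations: string[] = [];
    const propsOf = (type: string) => resources.filter(r => r.type === type).map(r => r.props);
    const targets = propsOf(TARGET_TYPE);
    const policies = propsOf(POLICY_TYPE);

    for (const table of propsOf(TABLE_TYPE)) {
        // On-demand tables scale by themselves; only provisioned tables need a Target + Policy.
        if (table.billingMode === "PAY_PER_REQUEST") {
            continue;
        }
        // Application Auto Scaling names a table "table/<name>"; Targets and Policies both
        // carry that ID plus the dimension, which is how a Policy points at its Target.
        const resourceId = `table/${table.name}`;
        const dimensions = [
            { dim: READ_DIM, label: "read", min: args.minProvisionedReadCapacity,
              max: args.maxProvisionedReadCapacity, util: args.targetReadUtilization },
            { dim: WRITE_DIM, label: "write", min: args.minProvisionedWriteCapacity,
              max: args.maxProvisionedWriteCapacity, util: args.targetWriteUtilization },
        ];
        for (const d of dimensions) {
            const target = targets.find(t => t.resourceId === resourceId && t.scalableDimension === d.dim);
            if (target === undefined) {
                violations.push(`DynamoDB table ${table.name}: no scaling target for ${d.label} capacity.`);
                continue;
            }
            const policy = policies.find(p => p.resourceId === resourceId && p.scalableDimension === d.dim);
            if (policy === undefined) {
                violations.push(`DynamoDB table ${table.name}: ${d.label} capacity target has no scaling policy.`);
                continue;
            }
            // Capacity bounds live on the Target ...
            if (d.min !== undefined && target.minCapacity < d.min) {
                violations.push(`DynamoDB table ${table.name}: ${d.label} minCapacity ${target.minCapacity} is below ${d.min}.`);
            }
            if (d.max !== undefined && target.maxCapacity > d.max) {
                violations.push(`DynamoDB table ${table.name}: ${d.label} maxCapacity ${target.maxCapacity} exceeds ${d.max}.`);
            }
            // ... while the utilization goal lives on the Policy's target-tracking configuration.
            const tracking = policy.targetTrackingScalingPolicyConfiguration;
            if (d.util !== undefined && (policy.policyType !== "TargetTrackingScaling"
                || tracking === undefined || tracking.targetValue !== d.util)) {
                violations.push(`DynamoDB table ${table.name}: ${d.label} policy does not track ${d.util}% utilization.`);
            }
        }
    }
    return violations;
}

// Constructed sample stack (not from any real deployment): "orders" is fully covered,
// "sessions" has a read Target but no Policy and nothing for writes, "events" is on-demand.
export const sampleResources: ResolvedResource[] = [
    { type: TABLE_TYPE, props: { name: "orders", billingMode: "PROVISIONED", readCapacity: 5, writeCapacity: 5 } },
    { type: TARGET_TYPE, props: { serviceNamespace: "dynamodb", resourceId: "table/orders",
        scalableDimension: READ_DIM, minCapacity: 5, maxCapacity: 100 } },
    { type: POLICY_TYPE, props: { policyType: "TargetTrackingScaling", serviceNamespace: "dynamodb",
        resourceId: "table/orders", scalableDimension: READ_DIM,
        targetTrackingScalingPolicyConfiguration: { targetValue: 70,
            predefinedMetricSpecification: { predefinedMetricType: "DynamoDBReadCapacityUtilization" } } } },
    { type: TARGET_TYPE, props: { serviceNamespace: "dynamodb", resourceId: "table/orders",
        scalableDimension: WRITE_DIM, minCapacity: 5, maxCapacity: 100 } },
    { type: POLICY_TYPE, props: { policyType: "TargetTrackingScaling", serviceNamespace: "dynamodb",
        resourceId: "table/orders", scalableDimension: WRITE_DIM,
        targetTrackingScalingPolicyConfiguration: { targetValue: 70,
            predefinedMetricSpecification: { predefinedMetricType: "DynamoDBWriteCapacityUtilization" } } } },
    { type: TABLE_TYPE, props: { name: "sessions", billingMode: "PROVISIONED", readCapacity: 1, writeCapacity: 1 } },
    { type: TARGET_TYPE, props: { serviceNamespace: "dynamodb", resourceId: "table/sessions",
        scalableDimension: READ_DIM, minCapacity: 1, maxCapacity: 10 } },
    { type: TABLE_TYPE, props: { name: "events", billingMode: "PAY_PER_REQUEST" } },
];

// Two violations, both for "sessions": read target without a policy, no write target at all.
export const sampleViolations = dynamodbAutoscalingViolations(sampleResources,
    { minProvisionedReadCapacity: 5, maxProvisionedWriteCapacity: 200, targetReadUtilization: 70 });
```

The point of keeping Target and Policy as separate lookups is that they fail differently: a missing Target means nothing is registered for scaling at all, while a Target without a Policy is registered but will never actually scale, and the capacity bounds can only be judged once the Target is in hand.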
ekrengel commented 4 years ago

Pushing the rest of these out since they're dependent on other work.

justinvp commented 1 year ago

@holocronweaver, it looks like you're asking about a problem using the appautoscaling.Policy resource from pulumi_aws, and not about the Policy as Code policies from this repo which are released as the @pulumi/awsguard npm package, right?

If so, would you mind opening a new issue about the problem you're having in https://github.com/pulumi/pulumi-aws?