Open ekrengel opened 4 years ago
Redshift rule merged: https://github.com/pulumi/pulumi-awsguard/pull/24
7/11 are done -- going to push the rest out to M30
Not able to figure out how to create a policy for rds-snapshots-public-prohibited... will need to dig in a bit more.
dynamodb-throughput-limit-check is an account setting (if you're approaching an account throughput limit), so probably not something we should do for AWSGuard.
The dynamodb-autoscaling-enabled rule is dependent on https://github.com/pulumi/pulumi-policy/issues/153 because to properly configure scaling on a DB table you need an aws.appautoscaling.Policy that references an aws.appautoscaling.Target by the target's ID.
Below is the code I started to write but for now I will just check that a Policy exists.
```typescript
import * as aws from "@pulumi/aws";
import { EnforcementLevel, ReportViolation, StackValidationArgs, StackValidationPolicy } from "@pulumi/policy";
import { Resource } from "@pulumi/pulumi";
import * as q from "@pulumi/pulumi/queryable";
// Relative imports follow the layout of the other awsguard policy modules.
import { defaultEnforcementLevel, PolicyArgs } from "./awsGuard";
import { getValueOrDefault } from "./util";

export interface DynamodbTableAutoscalingEnabledArgs extends PolicyArgs {
    /** Minimum number of units that should be provisioned with read capacity in the Auto Scaling group. If not set, no minimum is required. */
    minProvisionedReadCapacity?: number;
    /** Minimum number of units that should be provisioned with write capacity in the Auto Scaling group. If not set, no minimum is required. */
    minProvisionedWriteCapacity?: number;
    /** Maximum number of units that should be provisioned with read capacity in the Auto Scaling group. If not set, no maximum is enforced. */
    maxProvisionedReadCapacity?: number;
    /** Maximum number of units that should be provisioned with write capacity in the Auto Scaling group. If not set, no maximum is enforced. */
    maxProvisionedWriteCapacity?: number;
    /** The target utilization percentage for read capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity. */
    targetReadUtilization?: number;
    /** The target utilization percentage for write capacity. Target utilization is expressed in terms of the ratio of consumed capacity to provisioned capacity. */
    targetWriteUtilization?: number;
}

/** @internal */
export function dynamodbTableAutoscalingEnabled(
    args?: EnforcementLevel | DynamodbTableAutoscalingEnabledArgs): StackValidationPolicy {
    const { enforcementLevel,
        minProvisionedReadCapacity, minProvisionedWriteCapacity,
        maxProvisionedReadCapacity, maxProvisionedWriteCapacity,
        targetReadUtilization, targetWriteUtilization } = getValueOrDefault(args, {
            enforcementLevel: defaultEnforcementLevel,
        });
    return {
        name: "dynamodb-autoscaling-enabled",
        description: "Checks whether Auto Scaling or On-Demand is enabled on your DynamoDB tables " +
            "and/or global secondary indexes.",
        enforcementLevel: enforcementLevel,
        validateStack: (args: StackValidationArgs, reportViolation: ReportViolation) => {
            // Get resolved DynamoDB tables and Application Auto Scaling policies.
            const dynamodbTables = getResolvedResources(aws.dynamodb.Table.isInstance, args);
            const appScalingPolicies = getResolvedResources(aws.appautoscaling.Policy.isInstance, args);

            // Map each scaling policy by the Application Auto Scaling resource ID it targets.
            // For a DynamoDB table that ID is "table/<table name>", not the table's Pulumi ID.
            const policyResourceIDMap: Record<string, q.ResolvedResource<aws.appautoscaling.Policy>> = {};
            for (const policy of appScalingPolicies) {
                policyResourceIDMap[policy.resourceId] = policy;
            }

            for (const table of dynamodbTables) {
                // On-Demand (PAY_PER_REQUEST) tables scale without a policy, so they pass.
                if (table.billingMode === "PAY_PER_REQUEST") {
                    continue;
                }
                const policy = policyResourceIDMap[`table/${table.name}`];
                if (policy === undefined) {
                    reportViolation(`DynamoDB table ${table.name} is missing an Application Auto Scaling policy.`);
                    continue;
                }
                // TODO: once pulumi/pulumi-policy#153 makes the policy's aws.appautoscaling.Target
                // reachable, check the min*/max* args against Target.minCapacity/maxCapacity and the
                // target* args against Policy.targetTrackingScalingPolicyConfiguration.targetValue.
                // For now only the existence of the policy is checked.
            }
        },
    };
}

// Utility method returning all resources in the stack that match the provided type.
function getResolvedResources<TResource extends Resource>(
    typeFilter: (o: any) => o is TResource,
    args: StackValidationArgs,
): q.ResolvedResource<TResource>[] {
    return args.resources
        .map(r => (<unknown>{ ...r.props, __pulumiType: r.type } as q.ResolvedResource<TResource>))
        .filter(typeFilter);
}
```
Pushing the rest of these out since they're dependent on other work.
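The table-to-policy matching from the draft above, as an added example that is not code from this issue or from the pulumi-awsguard repo, rewritten over plain objects so it runs without the Pulumi SDK; `StackResource` and the sample stack are constructed stand-ins for `StackValidationArgs.resources`, and it goes beyond the draft by also covering global secondary indexes and both capacity dimensions:

```typescript
// Added example, not code from the pulumi-awsguard repo. StackResource is a
// simplified stand-in for the entries of Pulumi's StackValidationArgs.resources.
interface StackResource { type: string; props: Record<string, any>; }
// Application Auto Scaling identifies a DynamoDB table as "table/<name>" and a
// global secondary index as "table/<name>/index/<indexName>"; each needs a
// scaling policy for both its read and its write capacity dimension.
function requiredPolicyKeys(table: Record<string, any>): string[] {
  const keys: string[] = [];
  const add = (resourceId: string, kind: "table" | "index") => {
    keys.push(`${resourceId}|dynamodb:${kind}:ReadCapacityUnits`);
    keys.push(`${resourceId}|dynamodb:${kind}:WriteCapacityUnits`);
  };
  add(`table/${table.name}`, "table");
  for (const gsi of table.globalSecondaryIndexes ?? []) {
    add(`table/${table.name}/index/${gsi.name}`, "index");
  }
  return keys;
}

// One message per provisioned table/index dimension with no policy targeting it.
function dynamodbAutoscalingViolations(resources: StackResource[]): string[] {
  const covered = new Set(resources
    .filter(r => r.type === "aws:appautoscaling/policy:Policy")
    .map(r => `${r.props.resourceId}|${r.props.scalableDimension}`));
  const violations: string[] = [];
  for (const r of resources) {
    if (r.type !== "aws:dynamodb/table:Table") continue;
    // On-Demand tables scale without policies, so they satisfy the rule.
    if (r.props.billingMode === "PAY_PER_REQUEST") continue;
    for (const key of requiredPolicyKeys(r.props)) {
      if (!covered.has(key)) violations.push(key.replace("|", " has no scaling policy for "));
    }
  }
  return violations;
}
// Constructed sample stack: a provisioned table with one GSI, scaling policies
// for the table's own read/write units only, and an On-Demand table.
const policy = (resourceId: string, scalableDimension: string): StackResource => ({
  type: "aws:appautoscaling/policy:Policy",
  props: { resourceId, scalableDimension, policyType: "TargetTrackingScaling" },
});
const sampleStack: StackResource[] = [
  { type: "aws:dynamodb/table:Table", props: { name: "orders", billingMode: "PROVISIONED",
      globalSecondaryIndexes: [{ name: "byCustomer" }] } },
  policy("table/orders", "dynamodb:table:ReadCapacityUnits"),
  policy("table/orders", "dynamodb:table:WriteCapacityUnits"),
  { type: "aws:dynamodb/table:Table", props: { name: "sessions", billingMode: "PAY_PER_REQUEST" } },
];
```

Running `dynamodbAutoscalingViolations(sampleStack)` flags only the two unscaled dimensions of the `byCustomer` index; the On-Demand table is skipped.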
@holocronweaver, it looks like you're asking about a problem using the appautoscaling.Policy resource from pulumi_aws, and not about the Policy as Code policies from this repo which are released as the @pulumi/awsguard npm package, right? If so, would you mind opening a new issue about the problem you're having in https://github.com/pulumi/pulumi-aws?
Tracking Spreadsheet
Won't do:
Definition of Done: