Elasticsearch domain inside vpc (#528)

#503
stelligent · Apr 5, 2021 · d5c66b1 · d5c66b1
1 parent cd54ba1
commit d5c66b1
Show file tree

Hide file tree

Showing 4 changed files with 81 additions and 0 deletions.
diff --git a/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb b/lib/cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule.rb
@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class ElasticsearchDomainInsideVPCRule < BaseRule
+  def rule_text
+    'ElasticsearchcDomain should be inside vpc, should specify VPCOptions'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W90'
+  end
+
+  def audit_impl(cfn_model)
+    violating_domains = cfn_model.resources_by_type('AWS::Elasticsearch::Domain').select do |domain|
+      domain.vPCOptions.nil?
+    end
+
+    violating_domains.map(&:logical_resource_id)
+  end
+end
diff --git a/spec/custom_rules/ElasticsearchDomainInsideVPCRule_spec.rb b/spec/custom_rules/ElasticsearchDomainInsideVPCRule_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/ElasticsearchDomainInsideVPCRule'
+
+describe ElasticsearchDomainInsideVPCRule do
+
+  describe 'AWS::Elasticsearch::Domain' do
+    context 'when Elasticsearch domain is inside VPC' do
+      it 'does not return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/elasticsearch/elasticsearch_inside_vpc.json')
+        actual_logical_resource_ids = ElasticsearchDomainInsideVPCRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq []
+      end
+    end
+  end
+
+  describe 'AWS::Elasticsearch::Domain' do
+    context 'when Elasticsearch domain is not inside VPC' do
+      it 'does return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/elasticsearch/elasticsearch_not_inside_vpc.json')
+        actual_logical_resource_ids = ElasticsearchDomainInsideVPCRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq ["ElasticsearchDomainNotInVPC"]
+      end
+    end
+   end
+
+end
diff --git a/spec/test_templates/json/elasticsearch/elasticsearch_inside_vpc.json b/spec/test_templates/json/elasticsearch/elasticsearch_inside_vpc.json
@@ -0,0 +1,14 @@
+{
+	"Resources": {
+		"ElasticsearchDomainInVPC": {
+			"Type": "AWS::Elasticsearch::Domain",
+			"Properties": {
+				"DomainName": "nameddomain",
+				"VPCOptions" : {
+					"SecurityGroupIds": ["secgroup"],
+					"SubnetIds": ["subnetid"]
+				}
+			}
+		}
+	}
+}
diff --git a/spec/test_templates/json/elasticsearch/elasticsearch_not_inside_vpc.json b/spec/test_templates/json/elasticsearch/elasticsearch_not_inside_vpc.json
@@ -0,0 +1,10 @@
+{
+	"Resources": {
+		"ElasticsearchDomainNotInVPC": {
+			"Type": "AWS::Elasticsearch::Domain",
+			"Properties": {
+				"DomainName": "nameddomain"
+			}
+		}
+	}
+}