nirbhay/aws_s3_storage_lens #784

Closed
wants to merge 17 commits into from
100 changes: 100 additions & 0 deletions docs/resources/aws_s3_storage_lens.md
@@ -0,0 +1,100 @@
---
title: About the aws_s3_storage_lens Resource
platform: aws
---

# aws_s3_storage_lens

Use the `aws_s3_storage_lens` InSpec audit resource to test the properties of the singular resource of AWS S3 StorageLens.

## Syntax

Ensure that S3 storage lens exists.

describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
it { should exist }
end

## Parameters

`config_id` _(required)_

The ID of the Amazon S3 Storage Lens configuration.

`account_id` _(required)_

The account ID of the requester.

For additional information, see the [AWS documentation on AWS S3 StorageLens.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-storagelens.html).

## Properties

| Property | Description |
| :----------------------------: | :----------------------------------------------------------------------------------------: |
| id | A container for the Amazon S3 Storage Lens configuration ID. |
| account_level.activity_metrics.is_enabled | A container for whether the activity metrics are enabled. |
| account_level.bucket_level.activity_metrics.is_enabled | A container for whether the activity metrics are enabled. |
| account_level.bucket_level.prefix_level.storage_metrics.is_enabled | A container for whether prefix-level storage metrics are enabled. |
| account_level.bucket_level.prefix_level.storage_metrics.selection_criteria.delimiter | A container for the delimiter of the selection criteria being used. |
| account_level.bucket_level.prefix_level.storage_metrics.selection_criteria.max_depth | The max depth of the selection criteria. |
| account_level.bucket_level.prefix_level.storage_metrics.selection_criteria.min_storage_bytes_percentage | The minimum number of storage bytes percentage whose metrics will be selected. |
| include.buckets | A container for the S3 Storage Lens bucket includes. |
| include.regions | A container for the S3 Storage Lens Region includes. |
| exclude.buckets | A container for the S3 Storage Lens bucket excludes. |
| exclude.regions | A container for the S3 Storage Lens Region excludes. |
| data_export.s3_bucket_destination.format | The format of the s3 bucket destination. |
| data_export.s3_bucket_destination.output_schema_version | The schema version of the export file. |
| data_export.s3_bucket_destination.account_id | The account ID of the owner of the S3 Storage Lens metrics export bucket. |
| data_export.s3_bucket_destination.arn | The Amazon Resource Name (ARN) of the bucket. |
| data_export.s3_bucket_destination.prefix | The prefix of the destination bucket where the metrics export will be delivered. |
| data_export.s3_bucket_destination.encryption.ssekms.key_id | A container for the ARN of the SSE-KMS encryption. |
| data_export.cloud_watch_metrics.is_enabled | A container that indicates whether CloudWatch publishing for S3 Storage Lens metrics is enabled. |
| is_enabled | A container for whether the S3 Storage Lens configuration is enabled. |
| aws_org.arn | A container for the Amazon Resource Name (ARN) of the Amazon Web Services organization. |
| storage_lens_arn | The Amazon Resource Name (ARN) of the S3 Storage Lens configuration. |

## Examples

### Ensure a config ID is `available`.

describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
its('id') { should eq 'CONFIG_ID' }
end

### Ensure that the container is enabled.

describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
its('is_enabled') { should eq true }
end

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).

The control passes if the `get` method returns at least one result.

### exist

Use `should` to test that the entity exists.

describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
it { should exist }
end

Use `should_not` to test the entity does not exist.

describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
it { should_not exist }
end

### be_available

Use `should` to check if the entity is available.

describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
it { should be_available }
end

## AWS Permissions

Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `S3Control:Client:GetStorageLensConfigurationResult` action with `Effect` set to `Allow`.
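Review bot: the IAM action named in the AWS Permissions section, `S3Control:Client:GetStorageLensConfigurationResult`, is not an IAM action; it reads like an SDK client method name, and a policy written from it grants nothing. The action that authorises the `GetStorageLensConfiguration` call made by `libraries/aws_s3_storage_lens.rb` is `s3:GetStorageLensConfiguration`, so the sentence should read "will need the `s3:GetStorageLensConfiguration` action with `Effect` set to `Allow`." Two smaller points in the same hunk: the Matchers section documents `be_available`, but the resource class added in this PR defines no `available?` method, so `it { should be_available }` cannot pass as written and the subsection should be dropped or the predicate implemented; and the Examples heading "Ensure a config ID is `available`" describes a test of `its('id')`, so "Ensure the config ID matches" would describe the example accurately. The sentence "The control passes if the `get` method returns at least one result" also refers to a `get` method this resource does not expose; the singular resource calls `get_storage_lens_configuration` once and `exists?` reflects whether that returned a configuration.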
79 changes: 79 additions & 0 deletions docs/resources/aws_s3_storage_lenses.md
@@ -0,0 +1,79 @@
---
title: About the aws_s3_storage_lenses Resource
platform: aws
---

# aws_s3_storage_lenses

Use the `aws_s3_storage_lenses` InSpec audit resource to test the properties of the plural resource of AWS S3 StorageLens.

## Syntax

Ensure that S3 storage lens exists.

describe aws_s3_storage_lenses(config_id: 'CONFIG_ID') do
it { should exist }
end

## Parameters

`config_id` _(required)_

The ID of the Amazon S3 Storage Lens configuration.

For additional information, see the [AWS documentation on AWS S3 StorageLens.](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-s3-storagelens.html).

## Properties

| Property | Description | Fields |
| :----------------------------: | :----------------------------------------------------------------------------------------: | :----------------------------------------------------------------------------------------: |
| ids | A container for the S3 Storage Lens configuration ID. | id |
| storage_lens_arns | The ARN of the S3 Storage Lens configuration. This property is read-only. | storage_lens_arn |
| home_regions | A container for the S3 Storage Lens home Region. Your metrics data is stored and retained in your designated S3 Storage Lens home Region. | home_region |
| is_enabled | A container for whether the S3 Storage Lens configuration is enabled. | is_enabled |

## Examples

### Ensure a config ID is `available`.

describe aws_s3_storage_lenses(config_id: 'CONFIG_ID') do
its('ids') { should include 'CONFIG_ID' }
end

### Ensure that the container is enabled.

describe aws_s3_storage_lenses(config_id: 'CONFIG_ID') do
its('is_enabled') { should include true }
end

## Matchers

This InSpec audit resource has the following special matchers. For a full list of available matchers, please visit our [Universal Matchers page](https://www.inspec.io/docs/reference/matchers/).

The control passes if the `get` method returns at least one result.

### exist

Use `should` to test that the entity exists.

describe aws_s3_storage_lenses(config_id: 'CONFIG_ID') do
it { should exist }
end

Use `should_not` to test the entity does not exist.

describe aws_s3_storage_lenses(config_id: 'CONFIG_ID') do
it { should_not exist }
end

### be_available

Use `should` to check if the entity is available.

describe aws_s3_storage_lenses(config_id: 'CONFIG_ID') do
it { should be_available }
end

## AWS Permissions

Your [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/intro-structure.html#intro-structure-principal) will need the `S3Control:Client:GetStorageLensConfigurationResult` action with `Effect` set to `Allow`.
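Review bot: the Parameters section and every example in this file pass `config_id:`, but `libraries/aws_s3_storage_lenses.rb` in this PR validates `required: %i(account_id)` and reads only `opts[:account_id]`, so `aws_s3_storage_lenses(config_id: 'CONFIG_ID')` raises ArgumentError on construction. The Parameters section should document `account_id` _(required)_ with the description used in the singular resource doc ("The account ID of the requester"), and the Syntax, Examples and Matchers snippets should read `aws_s3_storage_lenses(account_id: 'ACCOUNT_ID')`, matching the `example` string in the resource class. The permission is also wrong for this resource: it calls `list_storage_lens_configurations`, which requires `s3:ListStorageLensConfigurations`, not the `S3Control:Client:GetStorageLensConfigurationResult` string copied from the singular doc (which is not an IAM action either). As in the singular doc, `be_available` is documented but no `available?` method exists on the class.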
11 changes: 8 additions & 3 deletions libraries/aws_backend.rb
Expand Up @@ -58,6 +58,7 @@
require 'aws-sdk-securityhub'
require 'aws-sdk-ses'
require 'aws-sdk-waf'
require 'aws-sdk-s3control'

# AWS Inspec Backend Classes
#
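Review bot: the visible require list is alphabetical (`aws-sdk-securityhub`, `aws-sdk-ses`, `aws-sdk-waf`), so `require 'aws-sdk-s3control'` belongs before `aws-sdk-securityhub` rather than appended after `aws-sdk-waf`. Also, nothing in this diff adds `aws-sdk-s3control` to the gemspec or Gemfile; if the gem is not already part of the bundle, this require fails at library load and takes every resource in `aws_backend.rb` down with it, so please confirm the dependency is declared.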
Expand Down Expand Up @@ -326,6 +327,10 @@ def ses_client
def waf_client
aws_client(Aws::WAF::Client)
end

def s3control_client
aws_client(Aws::S3Control::Client)
end
end

# Base class for AWS resources
Expand Down Expand Up @@ -475,7 +480,7 @@ def method_missing(method_name, *args, &block)
end

# This is to make RuboCop happy.
# Disabling Useless method definition detection as there is an issue with rubocop
# Disbling Useless method definition detection as there is an issue with rubocop
# rubocop:disable Lint/UselessMethodDefinition
def respond_to_missing?(*several_variants)
super
Expand Down Expand Up @@ -652,7 +657,7 @@ def method_missing(method_name, *args, &block)
end

# This is to make RuboCop happy.
# Disabling Useless method definition detection as there is an issue with rubocop
# Disbling Useless method definition detection as there is an issue with rubocop
# rubocop:disable Lint/UselessMethodDefinition
def respond_to_missing?(*several_variants)
super
Expand Down Expand Up @@ -692,7 +697,7 @@ def method_missing(method_name, *args, &block)
end

# This is to make RuboCop happy.
# Disabling Useless method definition detection as there is an issue with rubocop
# Disbling Useless method definition detection as there is an issue with rubocop
# rubocop:disable Lint/UselessMethodDefinition
def respond_to_missing?(*several_variants)
super
40 changes: 40 additions & 0 deletions libraries/aws_s3_storage_lens.rb
@@ -0,0 +1,40 @@
# frozen_string_literal: true

require 'aws_backend'

class AWSS3StorageLens < AwsResourceBase
name 'aws_s3_storage_lens'
desc 'Gets the Amazon S3 Storage Lens configuration.'

example "
describe aws_s3_storage_lens(config_id: 'CONFIG_ID', account_id: 'ACCOUNT_ID') do
it { should exist }
end
"

def initialize(opts = {})
super(opts)
validate_parameters(required: %i(config_id account_id))
raise ArgumentError, "#{@__resource_name__}: config_id must be provided" unless opts[:config_id] && !opts[:config_id].empty?
raise ArgumentError, "#{@__resource_name__}: account_id must be provided" unless opts[:account_id] && !opts[:account_id].empty?
@display_name = opts[:config_id]
catch_aws_errors do
resp = @aws.s3control_client.get_storage_lens_configuration({ config_id: opts[:config_id], account_id: opts[:account_id] })
@res = resp.storage_lens_configuration.to_h
create_resource_methods(@res)
end
end

def config_id
return nil unless exists?
@res[:config_id]
end

def exists?
[email protected]? && [email protected]?
end

def to_s
"S3 Storage Lens: #{@display_name}"
end
end
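Review bot: `config_id` returns `@res[:config_id]`, but the `storage_lens_configuration` hash stored in `@res` carries the identifier under `:id` (the docs in this PR list the `id` property and the unit test asserts `@resp.id`), so `config_id` always returns nil; either return `@res[:id]` or drop the method, since `create_resource_methods(@res)` already exposes `id`. The two explicit `raise ArgumentError ... unless opts[:config_id] && !opts[:config_id].empty?` lines duplicate `validate_parameters(required: %i(config_id account_id))` except for the empty-string case; if rejecting `''` is the intent, a one-line comment saying so would stop the next reader from deleting them as redundant. Finally, the `exists?` body is rendered here as `[email protected]? && [email protected]?`, which looks like an extraction artefact of `!@res.nil? && !@res.empty?`; worth confirming the committed source reads the latter.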
46 changes: 46 additions & 0 deletions libraries/aws_s3_storage_lenses.rb
@@ -0,0 +1,46 @@
# frozen_string_literal: true

require 'aws_backend'

class AWSS3StorageLenses < AwsResourceBase
name 'aws_s3_storage_lenses'
desc 'Gets a list of Amazon S3 Storage Lens configurations.'

example "
describe aws_s3_storage_lenses(account_id: 'ACCOUNT_ID') do
it { should exist }
end
"

attr_reader :table

FilterTable.create
.register_column(:ids, field: :id)
.register_column(:storage_lens_arns, field: :storage_lens_arn)
.register_column(:home_regions, field: :home_region)
.register_column(:is_enabled, field: :is_enabled)
.install_filter_methods_on_resource(self, :table)

def initialize(opts = {})
super(opts)
validate_parameters(required: %i(account_id))
@query_params = {}
raise ArgumentError, "#{@__resource_name__}: account_id must be provided" unless opts[:account_id] && !opts[:account_id].empty?
@query_params[:account_id] = opts[:account_id]
@table = fetch_data
end

def fetch_data
catch_aws_errors do
@table = @aws.s3control_client.list_storage_lens_configurations(@query_params).map do |table|
table.storage_lens_configuration_list.map { |table_name| {
id: table_name.id,
storage_lens_arn: table_name.storage_lens_arn,
home_region: table_name.home_region,
is_enabled: table_name.is_enabled,
}
}
end.flatten
end
end
end
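Review bot: `fetch_data` assigns `@table` inside the `catch_aws_errors` block and `initialize` assigns `@table = fetch_data` again; keep one of the two. The block variable names mislead: `table` is one page of the `list_storage_lens_configurations` response and `table_name` is a single configuration entry, so `page` and `config` would make the pagination handling obvious. The failure path also needs a look: if `catch_aws_errors` swallows a service error (for example when the principal lacks `s3:ListStorageLensConfigurations`), `fetch_data` returns nil and `@table` is nil, so the FilterTable columns (`ids`, `storage_lens_arns`, `exists?`) raise on nil instead of reporting an empty or failed result; ensure `@table` ends up as `[]` in that case or that the resource is marked failed. Lastly, `attr_reader :table` is declared before the `FilterTable.create ... install_filter_methods_on_resource(self, :table)` call, which is fine, but the class-level `example` string uses `account_id:` while `docs/resources/aws_s3_storage_lenses.md` uses `config_id:`; the docs need to follow the code.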
52 changes: 52 additions & 0 deletions test/unit/resources/aws_s3_storage_lens_test.rb
@@ -0,0 +1,52 @@
require 'helper'
require 'aws_s3_storage_lens'
require 'aws-sdk-core'

class AWSS3StorageLensConstructorTest < Minitest::Test

def test_empty_params_not_ok
assert_raises(ArgumentError) { AWSS3StorageLens.new(client_args: { stub_responses: true }) }
end

def test_empty_param_arg_not_ok
assert_raises(ArgumentError) { AWSS3StorageLens.new(config_id: '', account_id: '', client_args: { stub_responses: true }) }
end

def test_rejects_unrecognized_params
assert_raises(ArgumentError) { AWSS3StorageLens.new(unexpected: 9) }
end
end

class AWSS3StorageLensSuccessPathTest < Minitest::Test

def setup
data = {}
data[:method] = :get_storage_lens_configuration
mock_data = {}
mock_data[:id] = 'test1'
mock_data[:account_level] = {
bucket_level: {}
}
mock_data[:is_enabled] = true
mock_data[:storage_lens_arn] = 'test1'
data[:data] = { storage_lens_configuration: mock_data }
data[:client] = Aws::S3Control::Client
@resp = AWSS3StorageLens.new(config_id: 'test1', account_id: 'test1', client_args: { stub_responses: true }, stub_data: [data])
end

def test_storage_lens_configuration_exist
assert @resp.exists?
end

def test_id
assert_equal(@resp.id, 'test1')
end

def test_is_enabled
assert_equal(@resp.is_enabled, true)
end

def test_storage_lens_arn
assert_equal(@resp.storage_lens_arn, 'test1')
end
end
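Review bot: the PR adds `libraries/aws_s3_storage_lenses.rb` but no `test/unit/resources/aws_s3_storage_lenses_test.rb`, so the plural resource has no coverage for its `account_id` validation or for the `ids`, `storage_lens_arns`, `home_regions` and `is_enabled` columns; a stubbed `list_storage_lens_configurations` response with one entry would cover both. In this file, the singular resource's `config_id` method is untested, and a test such as `assert_equal(@resp.config_id, 'test1')` would expose that it reads `@res[:config_id]` while the stubbed response only provides `:id`. `test_rejects_unrecognized_params` omits `client_args: { stub_responses: true }`; that passes today only because `validate_parameters` raises before any client is built, so passing the stub args keeps the test hermetic if that ordering changes.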