Added AWS 'RDS Deletion Protection Enabled' plugin and test cases
AkhtarAmir committed Feb 22, 2021
1 parent a3dcef2 commit f972686
Showing 3 changed files with 159 additions and 0 deletions.
1 change: 1 addition & 0 deletions exports.js
@@ -242,6 +242,7 @@ module.exports = {
'rdsMinorVersionUpgrade' : require(__dirname + '/plugins/aws/rds/rdsMinorVersionUpgrade.js'),
'sqlServerTLSVersion' : require(__dirname + '/plugins/aws/rds/sqlServerTLSVersion'),
'rdsTransportEncryption' : require(__dirname + '/plugins/aws/rds/rdsTransportEncryption'),
'rdsDeletionProtectionEnabled' : require(__dirname + '/plugins/aws/rds/rdsDeletionProtectionEnabled.js'),

'domainAutoRenew' : require(__dirname + '/plugins/aws/route53/domainAutoRenew.js'),
'domainExpiry' : require(__dirname + '/plugins/aws/route53/domainExpiry.js'),
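--- a/plugins/aws/rds/rdsDeletionProtectionEnabled.js
+++ b/plugins/aws/rds/rdsDeletionProtectionEnabled.js
@@ -0,0 +1,52 @@
+var async = require('async');
+var helpers = require('../../../helpers/aws');
+
+module.exports = {
+title: 'RDS Deletion Protection Enabled',
+category: 'RDS',
+description: 'Ensures deletion protection is enabled for RDS database instances.',
+more_info: 'Deletion protection prevents Amazon RDS instances from being deleted accidentally by any user.',
+link: 'https://aws.amazon.com/about-aws/whats-new/2018/09/amazon-rds-now-provides-database-deletion-protection/',
+recommended_action: 'Modify the RDS instances to enable deletion protection.',
+apis: ['RDS:describeDBInstances'],
+
+run: function(cache, settings, callback) {
+var results = [];
+var source = {};
+var regions = helpers.regions(settings);
+
+async.each(regions.rds, function(region, rcb) {
+var describeDBInstances = helpers.addSource(cache, source,
+['rds', 'describeDBInstances', region]);
+
+if (!describeDBInstances) return rcb();
+
+if (describeDBInstances.err || !describeDBInstances.data) {
+helpers.addResult(results, 3,
+'Unable to query for RDS instances: ' + helpers.addError(describeDBInstances), region);
+return rcb();
+}
+
+if (!describeDBInstances.data.length) {
+helpers.addResult(results, 0, 'No RDS instances found', region);
+return rcb();
+}
+
+describeDBInstances.data.forEach(instance => {
+if (!instance.DBInstanceArn) return;
+
+if (instance.DeletionProtection) {
+helpers.addResult(results, 0,
+'RDS instance has deletion protection enabled', region, instance.DBInstanceArn);
+} else {
+helpers.addResult(results, 2,
+'RDS instance does not have deletion protection enabled', region, instance.DBInstanceArn);
+}
+});
+
+rcb();
+}, function() {
+callback(null, results, source);
+});
+}
+};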
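Review bot: The `forEach` in `run` evaluates `instance.DeletionProtection` on every entry that `describeDBInstances` returns, and that list also contains members of Aurora DB clusters. As far as I know, deletion protection for those is configured on the DB cluster rather than the instance, so such members would likely be reported as FAIL with a `recommended_action` that cannot be applied to them. Consider branching on `instance.Engine` before the check, for example `if (instance.Engine && instance.Engine.startsWith('aurora')) return;`, with clusters covered by a separate check, or at least say in `description` that only instance-level protection is evaluated. Separately, `if (!instance.DBInstanceArn) return;` drops an instance without recording anything; adding a status 3 result there would keep the coverage gap visible in the report.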
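--- a/plugins/aws/rds/rdsDeletionProtectionEnabled.spec.js
+++ b/plugins/aws/rds/rdsDeletionProtectionEnabled.spec.js
@@ -0,0 +1,106 @@
+const expect = require('chai').expect;
+var rdsDeletionProtectionEnabled = require('./rdsDeletionProtectionEnabled');
+
+const describeDBInstances = [
+{
+"DBInstanceIdentifier": "database-1",
+"Engine": "mysql",
+"DBInstanceStatus": "available",
+"DBInstanceArn": "arn:aws:rds:us-east-1:560213429563:db:database-1",
+"IAMDatabaseAuthenticationEnabled": false,
+"PerformanceInsightsEnabled": false,
+"DeletionProtection": true,
+"AssociatedRoles": [],
+"TagList": [],
+"CustomerOwnedIpEnabled": false
+},
+{
+"DBInstanceIdentifier": "database-1",
+"Engine": "mysql",
+"DBInstanceStatus": "available",
+"DBInstanceArn": "arn:aws:rds:us-east-1:560213429563:db:database-1",
+"IAMDatabaseAuthenticationEnabled": false,
+"PerformanceInsightsEnabled": false,
+"DeletionProtection": false,
+"AssociatedRoles": [],
+"TagList": [],
+"CustomerOwnedIpEnabled": false
+}
+];
+
+const createCache = (instanceData, instanceErr) => {
+return {
+rds: {
+describeDBInstances: {
+'us-east-1': {
+data: instanceData,
+err: instanceErr
+}
+}
+}
+};
+};
+
+const createNullCache = () => {
+return {
+rds: {
+describeDBInstances: {
+'us-east-1': null
+}
+}
+};
+};
+
+describe('rdsDeletionProtectionEnabled', function () {
+describe('run', function () {
+
+it('should PASS if RDS instance has deletion protection enabled', function (done) {
+const cache = createCache([describeDBInstances[0]]);
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+it('should FAIL if RDS instance does not have deletion protection enabled', function (done) {
+const cache = createCache([describeDBInstances[1]]);
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(2);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+it('should PASS if no RDS instances found', function (done) {
+const cache = createCache([]);
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(0);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+it('should UNKNOWN if unable to describe RDS instances', function (done) {
+const cache = createCache([], { message: 'Unable to describe instances' });
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(1);
+expect(results[0].status).to.equal(3);
+expect(results[0].region).to.equal('us-east-1');
+done();
+});
+});
+
+
+it('should not return anything if describe RDS instances response not found', function (done) {
+const cache = createNullCache();
+rdsDeletionProtectionEnabled.run(cache, {}, (err, results) => {
+expect(results.length).to.equal(0);
+done();
+});
+});
+});
+});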
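Review bot: Both fixture ARNs at the top of the spec embed the 12-digit account id `560213429563`, which looks as if it was copied from a live `describeDBInstances` response. Committed fixtures are better served by a documentation placeholder, for example (constructed value) `"DBInstanceArn": "arn:aws:rds:us-east-1:111122223333:db:database-1"`. The two fixtures also share the same identifier and ARN, so a test that runs both together could not tell their results apart; giving the second one a distinct name such as `database-2` would fix that. The PASS and FAIL cases assert only `status` and `region`; also asserting the reported resource against the fixture ARN (assuming `addResult` stores it on the result) would catch a finding attributed to the wrong instance.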
