aws - cloudsearch - add domain-options filter and enable-https action (…

…cloud-custodian#7280)

c7n/resources/cloudsearch.py

@@ -2,13 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0
 from c7n.actions import Action
 from c7n.manager import resources
+from c7n.filters import ValueFilter
 from c7n.query import QueryResourceManager, TypeInfo
 from c7n.utils import local_session, type_schema
 
 
 @resources.register('cloudsearch')
 class CloudSearch(QueryResourceManager):
-
     class resource_type(TypeInfo):
         service = "cloudsearch"
         enum_spec = ("describe_domains", "DomainStatusList", None)
@@ -21,7 +21,6 @@ class resource_type(TypeInfo):
 
 @CloudSearch.action_registry.register('delete')
 class Delete(Action):
-
     schema = type_schema('delete')
     permissions = ('cloudsearch:DeleteDomain',)
 
@@ -32,3 +31,75 @@ def process(self, resources):
             if r['Created'] is not True or r['Deleted'] is True:
                 continue
             client.delete_domain(DomainName=r['DomainName'])
+
+
+@CloudSearch.filter_registry.register('domain-options')
+class DomainOptionsFilter(ValueFilter):
+    """
+    Filter for cloud search domains by their domain options.
+
+    :example:
+
+    .. code-block:: yaml
+
+            policies:
+              - name: cloudsearch-detect-https
+                resource: cloudsearch
+                filters:
+                  - type: domain-options
+                    key: Options.EnforceHTTPS
+                    value: false
+
+    """
+
+    schema = type_schema('domain-options', rinherit=ValueFilter.schema)
+    permissions = ('cloudsearch:DescribeDomainEndpointOptions',)
+
+    def process(self, resources, event=None):
+        results = []
+        client = local_session(self.manager.session_factory).client('cloudsearch')
+        for r in resources:
+            options = client.describe_domain_endpoint_options(
+                DomainName=r['DomainName']
+            ).get('DomainEndpointOptions')
+            if self.match(options):
+                results.append(r)
+        return results
+
+
+@CloudSearch.action_registry.register('enable-https')
+class EnableHttps(Action):
+    """Enable HTTPs to cloudsearch
+
+    :example:
+    .. code-block:: yaml
+            policies:
+              - name: enable-https
+                resource: cloudsearch
+                filters:
+                  - type: domain-options
+                    key: Options.EnforceHTTPS
+                    value: false
+                actions:
+                  - type: enable-https
+                    tls-policy: Policy-Min-TLS-1-0-2019-07
+    """
+
+    schema = type_schema(
+        'enable-https',
+        **{"tls-policy": {'enum': ['Policy-Min-TLS-1-0-2019-07', 'Policy-Min-TLS-1-2-2019-07']}}
+    )
+    permissions = ('cloudsearch:UpdateDomainEndpointOptions',)
+
+    def process(self, resources):
+        client = local_session(
+            self.manager.session_factory).client('cloudsearch')
+        for r in resources:
+            client.update_domain_endpoint_options(
+                DomainName=r['DomainName'],
+                DomainEndpointOptions={
+                    'EnforceHTTPS': True,
+                    'TLSSecurityPolicy': self.data.get(
+                        'tls-policy', 'Policy-Min-TLS-1-2-2019-07')
+                }
+            )

tests/data/config/event-cloudsearch.json

@@ -0,0 +1,65 @@
+{
+  "version": "0",
+  "id": "xxxxx-84b9-4e68-a930-03a7f8d62b50",
+  "detail-type": "AWS API Call via CloudTrail",
+  "source": "aws.rds",
+  "account": "687174582794",
+  "time": "2021-05-26T09:51:58Z",
+  "region": "us-east-1",
+  "resources": [],
+  "detail": {
+    "eventVersion": "1.08",
+    "userIdentity": {
+      "type": "AssumedRole",
+      "principalId": "AROAILJD4VDVFFUUQB4VM:xxxxx-4dea-91bf-70a953d01bda_cred_session",
+      "arn": "arn:aws:sts::123456789:assumed-role/XXXX1OT8CHKE29AQJ/XXXX-d10e-4dea-91bf-70a953d01bda_cred_session",
+      "accountId": "123456789",
+      "accessKeyId": "XXXXXXX",
+      "sessionContext": {
+        "sessionIssuer": {
+          "type": "Role",
+          "principalId": "XXXXXX",
+          "arn": "arn:aws:iam::123456789:role/role-xxxx",
+          "accountId": "123456789",
+          "userName": "xxxx"
+        },
+        "webIdFederationData": {},
+        "attributes": {
+          "creationDate": "2021-12-01T14:24:34Z",
+          "mfaAuthenticated": "False"
+        }
+      }
+    },
+    "eventTime": "2021-12-01T14:25:42Z",
+    "eventSource": "cloudsearch.amazonaws.com",
+    "eventName": "CreateDomain",
+    "awsRegion": "us-east-1",
+    "sourceIPAddress": "148.177.96.202",
+    "userAgent": "console.amazonaws.com",
+    "requestParameters": {
+      "domainName": "demo-search"
+    },
+    "responseElements": {
+      "domainStatus": {
+        "aRN": "arn:aws:cloudsearch:us-east-1:123456789:domain/demo-search",
+        "searchInstanceCount": 0,
+        "docService": {},
+        "requiresIndexDocuments": false,
+        "deleted": false,
+        "searchService": {},
+        "domainId": "123456789/demo-search",
+        "processing": false,
+        "created": true,
+        "searchPartitionCount": 0,
+        "domainName": "demo-search"
+      }
+    },
+    "requestID": "d8c5a08a-f0dd-4e81-b41d-ed216546448a",
+    "eventID": "9f17a0f0-a75d-425e-8d25-7fd72e7885ae",
+    "readOnly": false,
+    "eventType": "AwsApiCall",
+    "managementEvent": true,
+    "recipientAccountId": "123456789",
+    "eventCategory": "Management"
+  }
+}

tests/data/placebo/test_enable_https_cloud_search/cloudsearch.DescribeDomainEndpointOptions_1.json

@@ -0,0 +1,47 @@
+{
+    "status_code": 200,
+    "data": {
+        "DomainEndpointOptions": {
+            "Options": {
+                "EnforceHTTPS": false,
+                "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"
+            },
+            "Status": {
+                "CreationDate": {
+                    "__class__": "datetime",
+                    "year": 2021,
+                    "month": 12,
+                    "day": 1,
+                    "hour": 14,
+                    "minute": 25,
+                    "second": 42,
+                    "microsecond": 528000
+                },
+                "UpdateDate": {
+                    "__class__": "datetime",
+                    "year": 2021,
+                    "month": 12,
+                    "day": 1,
+                    "hour": 16,
+                    "minute": 3,
+                    "second": 15,
+                    "microsecond": 677000
+                },
+                "UpdateVersion": 19,
+                "State": "Active",
+                "PendingDeletion": false
+            }
+        },
+        "ResponseMetadata": {
+            "RequestId": "b70f91-3067-xxxx-bbb7-6b36318a4faa",
+            "HTTPStatusCode": 200,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "b70fa1-xxxxx-4ea3-bbb7-6b36318a4faa",
+                "content-type": "text/xml",
+                "content-length": "804",
+                "date": "Wed, 01 Dec 2021 16:08:40 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}

tests/data/placebo/test_enable_https_cloud_search/cloudsearch.DescribeDomainEndpointOptions_2.json

@@ -0,0 +1,47 @@
+{
+    "status_code": 200,
+    "data": {
+        "DomainEndpointOptions": {
+            "Options": {
+                "EnforceHTTPS": true,
+                "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"
+            },
+            "Status": {
+                "CreationDate": {
+                    "__class__": "datetime",
+                    "year": 2022,
+                    "month": 6,
+                    "day": 6,
+                    "hour": 8,
+                    "minute": 6,
+                    "second": 54,
+                    "microsecond": 586000
+                },
+                "UpdateDate": {
+                    "__class__": "datetime",
+                    "year": 2022,
+                    "month": 6,
+                    "day": 6,
+                    "hour": 8,
+                    "minute": 9,
+                    "second": 14,
+                    "microsecond": 485000
+                },
+                "UpdateVersion": 102,
+                "State": "Processing",
+                "PendingDeletion": false
+            }
+        },
+        "ResponseMetadata": {
+            "RequestId": "333f8b57-901e-4cb2-xxxxxx17e9cc479",
+            "HTTPStatusCode": 200,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "333f8b57-90xxxxx-f8717e9cc479",
+                "content-type": "text/xml",
+                "content-length": "809",
+                "date": "Mon, 06 Jun 2022 08:09:14 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}

tests/data/placebo/test_enable_https_cloud_search/cloudsearch.DescribeDomains_1.json

@@ -0,0 +1,40 @@
+{
+    "status_code": 200,
+    "data": {
+        "DomainStatusList": [
+            {
+                "DomainId": "123456789/demo-search",
+                "DomainName": "demo-search",
+                "ARN": "arn:aws:cloudsearch:us-east-1:123456789:domain/demo-search",
+                "Created": true,
+                "Deleted": false,
+                "DocService": {
+                    "Endpoint": "doc-demo-search-xxx.us-east-1.cloudsearch.amazonaws.com"
+                },
+                "SearchService": {
+                    "Endpoint": "search-demo-search-xxx.us-east-1.cloudsearch.amazonaws.com"
+                },
+                "RequiresIndexDocuments": false,
+                "Processing": false,
+                "SearchInstanceType": "search.small",
+                "SearchPartitionCount": 1,
+                "SearchInstanceCount": 1,
+                "Limits": {
+                    "MaximumReplicationCount": 5,
+                    "MaximumPartitionCount": 10
+                }
+            }
+        ],
+        "ResponseMetadata": {
+            "RequestId": "5fcac0-cf65-xxx-839f-0d2237aa70f6",
+            "HTTPStatusCode": 200,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "5fcac0-xxxx-4c81-839f-0d2237aa70f6",
+                "content-type": "text/xml",
+                "content-length": "1623",
+                "date": "Wed, 01 Dec 2021 16:08:40 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}

tests/data/placebo/test_enable_https_cloud_search/cloudsearch.UpdateDomainEndpointOptions_1.json

@@ -0,0 +1,47 @@
+{
+    "status_code": 200,
+    "data": {
+        "DomainEndpointOptions": {
+            "Options": {
+                "EnforceHTTPS": true,
+                "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"
+            },
+            "Status": {
+                "CreationDate": {
+                    "__class__": "datetime",
+                    "year": 2021,
+                    "month": 12,
+                    "day": 1,
+                    "hour": 14,
+                    "minute": 25,
+                    "second": 42,
+                    "microsecond": 528000
+                },
+                "UpdateDate": {
+                    "__class__": "datetime",
+                    "year": 2021,
+                    "month": 12,
+                    "day": 1,
+                    "hour": 16,
+                    "minute": 3,
+                    "second": 15,
+                    "microsecond": 677000
+                },
+                "UpdateVersion": 19,
+                "State": "Active",
+                "PendingDeletion": false
+            }
+        },
+        "ResponseMetadata": {
+            "RequestId": "db8e7493-xxx-44c2-aa69-c970e78a2320",
+            "HTTPStatusCode": 200,
+            "HTTPHeaders": {
+                "x-amzn-requestid": "db8e7493-xxxx-44c2-aa69-c970e78a2320",
+                "content-type": "text/xml",
+                "content-length": "796",
+                "date": "Wed, 01 Dec 2021 16:08:40 GMT"
+            },
+            "RetryAttempts": 0
+        }
+    }
+}