aws - emr - security configuration filter (cloud-custodian#8268)

Author: kk1532

c7n/resources/emr.py

@@ -7,7 +7,7 @@
 
 from c7n.actions import ActionRegistry, BaseAction
 from c7n.exceptions import PolicyValidationError
-from c7n.filters import FilterRegistry, MetricsFilter
+from c7n.filters import FilterRegistry, MetricsFilter, ValueFilter
 from c7n.manager import resources
 from c7n.query import QueryResourceManager, TypeInfo, ConfigSource, DescribeSource
 from c7n.tags import universal_augment
@@ -307,6 +307,45 @@ def get_related_ids(self, resources):
 filters.register('network-location', net_filters.NetworkLocation)
 
 
+@filters.register('security-configuration')
+class EMRSecurityConfigurationFilter(ValueFilter):
+    """Filter for annotate security configuration and
+       filter based on its attributes.
+
+    :example:
+
+    .. code-block:: yaml
+
+      policies:
+        - name: emr-security-configuration
+          resource: emr
+          filters:
+            - type: security-configuration
+              key: EnableAtRestEncryption
+              value: true
+
+    """
+    annotation_key = 'c7n:SecurityConfiguration'
+    permissions = ("elasticmapreduce:ListSecurityConfigurations",
+                   "elasticmapreduce:DescribeSecurityConfiguration",)
+    schema = type_schema('security-configuration', rinherit=ValueFilter.schema)
+    schema_alias = False
+
+    def process(self, resources, event=None):
+        results = []
+        emr_sec_cfgs = {
+            cfg['Name']: cfg for cfg in self.manager.get_resource_manager(
+                'emr-security-configuration').resources()}
+        for r in resources:
+            if 'SecurityConfiguration' not in r:
+                continue
+            cfg = emr_sec_cfgs.get(r['SecurityConfiguration'], {}).get('SecurityConfiguration', {})
+            if self.match(cfg):
+                r[self.annotation_key] = cfg
+                results.append(r)
+        return results
+
+
 @resources.register('emr-security-configuration')
 class EMRSecurityConfiguration(QueryResourceManager):
     """Resource manager for EMR Security Configuration

tests/data/placebo/test_emr_sc/elasticmapreduce.DescribeCluster_1.json

@@ -0,0 +1,80 @@
+{
+    "status_code": 200,
+    "data": {
+        "Cluster": {
+            "Id": "j-1OBEPJWLJBMDO",
+            "Name": "Test cluster1",
+            "Status": {
+                "State": "WAITING",
+                "StateChangeReason": {
+                    "Message": "Cluster ready to run steps."
+                },
+                "Timeline": {
+                    "CreationDateTime": {
+                        "__class__": "datetime",
+                        "year": 2023,
+                        "month": 1,
+                        "day": 18,
+                        "hour": 21,
+                        "minute": 7,
+                        "second": 52,
+                        "microsecond": 540000
+                    },
+                    "ReadyDateTime": {
+                        "__class__": "datetime",
+                        "year": 2023,
+                        "month": 1,
+                        "day": 18,
+                        "hour": 21,
+                        "minute": 13,
+                        "second": 18,
+                        "microsecond": 256000
+                    }
+                }
+            },
+            "Ec2InstanceAttributes": {
+                "Ec2SubnetId": "subnet-0f3b0ee5d4a7da815",
+                "RequestedEc2SubnetIds": [
+                    "subnet-0f3b0ee5d4a7da815"
+                ],
+                "Ec2AvailabilityZone": "us-west-2a",
+                "RequestedEc2AvailabilityZones": [],
+                "IamInstanceProfile": "EMR_EC2_DefaultRole",
+                "EmrManagedMasterSecurityGroup": "sg-05e325f9b09aa11fc",
+                "EmrManagedSlaveSecurityGroup": "sg-03c8063bd682c0ebe",
+                "ServiceAccessSecurityGroup": "sg-0b238edeeb3fe44eb",
+                "AdditionalMasterSecurityGroups": [],
+                "AdditionalSlaveSecurityGroups": []
+            },
+            "InstanceCollectionType": "INSTANCE_GROUP",
+            "ReleaseLabel": "emr-6.9.0",
+            "AutoTerminate": false,
+            "TerminationProtected": true,
+            "VisibleToAllUsers": true,
+            "Applications": [
+                {
+                    "Name": "Spark",
+                    "Version": "3.3.0"
+                },
+                {
+                    "Name": "Zeppelin",
+                    "Version": "0.10.1"
+                }
+            ],
+            "Tags": [],
+            "ServiceRole": "EMR_DefaultRole",
+            "NormalizedInstanceHours": 0,
+            "MasterPublicDnsName": "ip-10-0-2-44.us-west-2.compute.internal",
+            "Configurations": [],
+            "SecurityConfiguration": "AtRestEnabled",
+            "ScaleDownBehavior": "TERMINATE_AT_TASK_COMPLETION",
+            "EbsRootVolumeSize": 10,
+            "KerberosAttributes": {},
+            "ClusterArn": "arn:aws:elasticmapreduce:us-west-2:644160558196:cluster/j-1OBEPJWLJBMDO",
+            "StepConcurrencyLevel": 1,
+            "PlacementGroups": [],
+            "OSReleaseLabel": "2.0.20221210.1"
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_emr_sc/elasticmapreduce.DescribeCluster_2.json

@@ -0,0 +1,78 @@
+{
+    "status_code": 200,
+    "data": {
+        "Cluster": {
+            "Id": "j-1QXCH9K3E0NMM",
+            "Name": "Test cluster2",
+            "Status": {
+                "State": "WAITING",
+                "StateChangeReason": {
+                    "Message": "Cluster ready to run steps."
+                },
+                "Timeline": {
+                    "CreationDateTime": {
+                        "__class__": "datetime",
+                        "year": 2023,
+                        "month": 1,
+                        "day": 13,
+                        "hour": 17,
+                        "minute": 13,
+                        "second": 1,
+                        "microsecond": 542000
+                    },
+                    "ReadyDateTime": {
+                        "__class__": "datetime",
+                        "year": 2023,
+                        "month": 1,
+                        "day": 13,
+                        "hour": 17,
+                        "minute": 18,
+                        "second": 31,
+                        "microsecond": 240000
+                    }
+                }
+            },
+            "Ec2InstanceAttributes": {
+                "Ec2SubnetId": "subnet-0f3b0ee5d4a7da815",
+                "RequestedEc2SubnetIds": [
+                    "subnet-0f3b0ee5d4a7da815"
+                ],
+                "Ec2AvailabilityZone": "us-west-2a",
+                "RequestedEc2AvailabilityZones": [],
+                "IamInstanceProfile": "EMR_EC2_DefaultRole",
+                "EmrManagedMasterSecurityGroup": "sg-05e325f9b09aa11fc",
+                "EmrManagedSlaveSecurityGroup": "sg-03c8063bd682c0ebe",
+                "ServiceAccessSecurityGroup": "sg-0b238edeeb3fe44eb",
+                "AdditionalMasterSecurityGroups": [],
+                "AdditionalSlaveSecurityGroups": []
+            },
+            "InstanceCollectionType": "INSTANCE_GROUP",
+            "ReleaseLabel": "emr-6.9.0",
+            "AutoTerminate": false,
+            "TerminationProtected": true,
+            "VisibleToAllUsers": true,
+            "Applications": [
+                {
+                    "Name": "Spark",
+                    "Version": "3.3.0"
+                },
+                {
+                    "Name": "Zeppelin",
+                    "Version": "0.10.1"
+                }
+            ],
+            "Tags": [],
+            "ServiceRole": "arn:aws:iam::644160558196:role/EMR_DefaultRole",
+            "NormalizedInstanceHours": 5952,
+            "MasterPublicDnsName": "ip-10-0-2-77.us-west-2.compute.internal",
+            "Configurations": [],
+            "ScaleDownBehavior": "TERMINATE_AT_TASK_COMPLETION",
+            "KerberosAttributes": {},
+            "ClusterArn": "arn:aws:elasticmapreduce:us-west-2:644160558196:cluster/j-1QXCH9K3E0NMM",
+            "StepConcurrencyLevel": 1,
+            "PlacementGroups": [],
+            "OSReleaseLabel": "2.0.20221210.1"
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_emr_sc/elasticmapreduce.DescribeSecurityConfiguration_1.json

@@ -0,0 +1,18 @@
+{
+    "status_code": 200,
+    "data": {
+        "Name": "AtRestEnabled",
+        "SecurityConfiguration": "{\"EncryptionConfiguration\":{\"AtRestEncryptionConfiguration\":{\"S3EncryptionConfiguration\":{\"EncryptionMode\":\"SSE-S3\"}},\"EnableInTransitEncryption\":false,\"EnableAtRestEncryption\":true}}",
+        "CreationDateTime": {
+            "__class__": "datetime",
+            "year": 2023,
+            "month": 1,
+            "day": 18,
+            "hour": 21,
+            "minute": 5,
+            "second": 46,
+            "microsecond": 879000
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_emr_sc/elasticmapreduce.DescribeSecurityConfiguration_2.json

@@ -0,0 +1,18 @@
+{
+    "status_code": 200,
+    "data": {
+        "Name": "In-Transit",
+        "SecurityConfiguration": "{\"EncryptionConfiguration\":{\"InTransitEncryptionConfiguration\":{\"TLSCertificateConfiguration\":{\"CertificateProviderType\":\"PEM\",\"S3Object\":\"s3://openssl-emr/my-certs.zip\"}},\"EnableInTransitEncryption\":true,\"EnableAtRestEncryption\":false}}",
+        "CreationDateTime": {
+            "__class__": "datetime",
+            "year": 2023,
+            "month": 1,
+            "day": 11,
+            "hour": 15,
+            "minute": 55,
+            "second": 16,
+            "microsecond": 102000
+        },
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_emr_sc/elasticmapreduce.ListClusters_1.json

@@ -0,0 +1,76 @@
+{
+    "status_code": 200,
+    "data": {
+        "Clusters": [
+            {
+                "Id": "j-1OBEPJWLJBMDO",
+                "Name": "Test cluster1",
+                "Status": {
+                    "State": "WAITING",
+                    "StateChangeReason": {
+                        "Message": "Cluster ready to run steps."
+                    },
+                    "Timeline": {
+                        "CreationDateTime": {
+                            "__class__": "datetime",
+                            "year": 2023,
+                            "month": 1,
+                            "day": 18,
+                            "hour": 21,
+                            "minute": 7,
+                            "second": 52,
+                            "microsecond": 540000
+                        },
+                        "ReadyDateTime": {
+                            "__class__": "datetime",
+                            "year": 2023,
+                            "month": 1,
+                            "day": 18,
+                            "hour": 21,
+                            "minute": 13,
+                            "second": 18,
+                            "microsecond": 256000
+                        }
+                    }
+                },
+                "NormalizedInstanceHours": 0,
+                "ClusterArn": "arn:aws:elasticmapreduce:us-west-2:644160558196:cluster/j-1OBEPJWLJBMDO"
+            },
+            {
+                "Id": "j-1QXCH9K3E0NMM",
+                "Name": "Test cluster2",
+                "Status": {
+                    "State": "WAITING",
+                    "StateChangeReason": {
+                        "Message": "Cluster ready to run steps."
+                    },
+                    "Timeline": {
+                        "CreationDateTime": {
+                            "__class__": "datetime",
+                            "year": 2023,
+                            "month": 1,
+                            "day": 13,
+                            "hour": 17,
+                            "minute": 13,
+                            "second": 1,
+                            "microsecond": 542000
+                        },
+                        "ReadyDateTime": {
+                            "__class__": "datetime",
+                            "year": 2023,
+                            "month": 1,
+                            "day": 13,
+                            "hour": 17,
+                            "minute": 18,
+                            "second": 31,
+                            "microsecond": 240000
+                        }
+                    }
+                },
+                "NormalizedInstanceHours": 5952,
+                "ClusterArn": "arn:aws:elasticmapreduce:us-west-2:644160558196:cluster/j-1QXCH9K3E0NMM"
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}

tests/data/placebo/test_emr_sc/elasticmapreduce.ListSecurityConfigurations_1.json

@@ -0,0 +1,34 @@
+{
+    "status_code": 200,
+    "data": {
+        "SecurityConfigurations": [
+            {
+                "Name": "AtRestEnabled",
+                "CreationDateTime": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 1,
+                    "day": 18,
+                    "hour": 21,
+                    "minute": 5,
+                    "second": 46,
+                    "microsecond": 879000
+                }
+            },
+            {
+                "Name": "In-Transit",
+                "CreationDateTime": {
+                    "__class__": "datetime",
+                    "year": 2023,
+                    "month": 1,
+                    "day": 11,
+                    "hour": 15,
+                    "minute": 55,
+                    "second": 16,
+                    "microsecond": 102000
+                }
+            }
+        ],
+        "ResponseMetadata": {}
+    }
+}