bp-check/services/codeseries.py

from models import RuleCheckResult, RuleChecker
from functools import cached_property
import boto3
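class CodeSeriesChecker(RuleChecker):
    """Rule checks for the AWS "Code*" services (CodeBuild and CodeDeploy).

    Each check method inspects one class of resource and returns a
    ``RuleCheckResult`` listing compliant and non-compliant resource
    identifiers. ``passed`` is True only when no non-compliant resource was
    found, so an account with no resources of that kind passes.

    Listing calls are paginated and ``batch_get_*`` calls are chunked, so
    accounts with more than one page of projects / applications / deployment
    groups are fully covered, and an empty listing never reaches a
    ``batch_get_*`` call (the CodeBuild API rejects an empty ``names`` list).
    """

    # Upper bound on names per batch_get_* request. CodeBuild BatchGetProjects
    # accepts at most 100 names; the CodeDeploy batch call is chunked the same
    # way. NOTE(review): confirm CodeDeploy's limit is not lower than this.
    _BATCH_SIZE = 100

    def __init__(self):
        # One client per service; both are created eagerly for the region /
        # credentials boto3 resolves from the environment.
        self.build_client = boto3.client("codebuild")
        self.deploy_client = boto3.client("codedeploy")

    @staticmethod
    def _chunks(items, size):
        """Yield consecutive slices of *items* holding at most *size* elements."""
        for start in range(0, len(items), size):
            yield items[start : start + size]

    @staticmethod
    def _result(compliant, non_compliant):
        """Build the RuleCheckResult; ``passed`` iff nothing was non-compliant."""
        return RuleCheckResult(
            passed=not non_compliant,
            compliant_resources=compliant,
            non_compliant_resources=non_compliant,
        )

    @cached_property
    def projects(self):
        """All CodeBuild projects in the account/region, fully described.

        Project names are collected across every ``list_projects`` page and
        then described with ``batch_get_projects`` in chunks of
        ``_BATCH_SIZE``. Cached so the two CodeBuild checks share one set of
        API calls. Returns ``[]`` when the account has no projects.
        """
        names = []
        for page in self.build_client.get_paginator("list_projects").paginate():
            names.extend(page.get("projects", []))

        described = []
        for chunk in self._chunks(names, self._BATCH_SIZE):
            described.extend(
                self.build_client.batch_get_projects(names=chunk)["projects"]
            )
        return described

    def codebuild_project_environment_privileged_check(self):
        """Flag CodeBuild projects whose build environment runs in privileged mode.

        A project is non-compliant when ``environment.privilegedMode`` is
        true; a missing flag is treated as not privileged (the API default).
        Resources are identified by project ARN.
        """
        compliant, non_compliant = [], []
        for project in self.projects:
            privileged = project.get("environment", {}).get("privilegedMode", False)
            bucket = non_compliant if privileged else compliant
            bucket.append(project["arn"])
        return self._result(compliant, non_compliant)

    def codebuild_project_logging_enabled(self):
        """Flag CodeBuild projects with neither CloudWatch Logs nor S3 logging enabled.

        A project is compliant when at least one of
        ``logsConfig.cloudWatchLogs.status`` / ``logsConfig.s3Logs.status`` is
        ``"ENABLED"``. Absent sub-sections count as not enabled rather than
        raising. Resources are identified by project ARN.
        """
        compliant, non_compliant = [], []
        for project in self.projects:
            logs = project.get("logsConfig", {})
            enabled = any(
                logs.get(kind, {}).get("status") == "ENABLED"
                for kind in ("cloudWatchLogs", "s3Logs")
            )
            bucket = compliant if enabled else non_compliant
            bucket.append(project["arn"])
        return self._result(compliant, non_compliant)

    def _deployment_groups(self, application):
        """Describe every deployment group of one CodeDeploy application.

        ``list_deployment_groups`` is paginated; the collected names are
        described with ``batch_get_deployment_groups`` in chunks of
        ``_BATCH_SIZE``. Returns ``[]`` for an application with no groups.
        """
        names = []
        paginator = self.deploy_client.get_paginator("list_deployment_groups")
        for page in paginator.paginate(applicationName=application):
            names.extend(page.get("deploymentGroups", []))

        groups = []
        for chunk in self._chunks(names, self._BATCH_SIZE):
            groups.extend(
                self.deploy_client.batch_get_deployment_groups(
                    applicationName=application, deploymentGroupNames=chunk
                )["deploymentGroupsInfo"]
            )
        return groups

    def codedeploy_auto_rollback_monitor_enabled(self):
        """Flag CodeDeploy deployment groups lacking alarm monitoring or auto-rollback.

        Walks every application (paginated) and each of its deployment groups.
        A group is compliant only when both ``alarmConfiguration.enabled`` and
        ``autoRollbackConfiguration.enabled`` are true; a missing section
        counts as disabled. Resources are identified by ``deploymentGroupId``.
        """
        compliant, non_compliant = [], []
        app_pages = self.deploy_client.get_paginator("list_applications").paginate()
        for page in app_pages:
            for application in page.get("applications", []):
                for group in self._deployment_groups(application):
                    monitored = group.get("alarmConfiguration", {}).get("enabled", False)
                    rollback = group.get("autoRollbackConfiguration", {}).get(
                        "enabled", False
                    )
                    bucket = compliant if (monitored and rollback) else non_compliant
                    bucket.append(group["deploymentGroupId"])
        return self._result(compliant, non_compliant)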
# Module-level handle to the checker class (not an instance); presumably the
# rule loader imports this name from each services module — confirm against caller.
rule_checker = CodeSeriesChecker