bp-check/services/codeseries.py
2024-08-12 10:50:57 +00:00

76 lines
2.6 KiB
Python

from models import RuleCheckResult
import boto3
build_client = boto3.client("codebuild")
deploy_client = boto3.client("codedeploy")
def codebuild_project_environment_privileged_check():
compliant_resources = []
non_compliant_resources = []
projects = build_client.list_projects()["projects"]
for project in projects:
project = build_client.batch_get_projects(names=[project])["projects"][0]
if project["environment"]["privilegedMode"] != True:
compliant_resources.append(project["arn"])
else:
non_compliant_resources.append(project["arn"])
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources,
)
def codebuild_project_logging_enabled():
compliant_resources = []
non_compliant_resources = []
projects = build_client.list_projects()["projects"]
for project in projects:
project = build_client.batch_get_projects(names=[project])["projects"][0]
logs_config = project["logsConfig"]
if logs_config["cloudWatchLogs"]["status"] == "ENABLED" or logs_config["s3Logs"]["status"] == "ENABLED":
compliant_resources.append(project["arn"])
else:
non_compliant_resources.append(project["arn"])
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources,
)
def codedeploy_auto_rollback_monitor_enabled():
compliant_resources = []
non_compliant_resources = []
applications = deploy_client.list_applications()["applications"]
for application in applications:
deployment_groups = deploy_client.list_deployment_groups(applicationName=application)["deploymentGroups"]
for deployment_group in deployment_groups:
deployment_group = deploy_client.get_deployment_group(
applicationName=application, deploymentGroupName=deployment_group
)["deploymentGroupInfo"]
if (
deployment_group["alarmConfiguration"]["enabled"] == True
and deployment_group["autoRollbackConfiguration"]["enabled"] == True
):
compliant_resources.append(deployment_group["deploymentGroupId"])
else:
non_compliant_resources.append(deployment_group["deploymentGroupId"])
return RuleCheckResult(
passed=not non_compliant_resources,
compliant_resources=compliant_resources,
non_compliant_resources=non_compliant_resources,
)