//
// This file made available under CC0 1.0 Universal (https://creativecommons.org/publicdomain/zero/1.0/legalcode)
//
// Ensure EC2 Instances have desired tenancy
// Description: Checks that EC2 Instances have desired tenancy
//
// Trigger Type: Change Triggered
// Scope of Changes: EC2:Instance
// Required Parameter: DesiredTenancy
// Example Value: dedicated
// AWS SDK for JavaScript (v2 style `require`); `config` is the AWS Config client used by
// the handler below to report evaluation results via putEvaluations.
var aws = require('aws-sdk');
// NOTE(review): the Lambda execution role must be allowed to call config:PutEvaluations
// for the report at the end of the handler to succeed — confirm in the role policy.
var config = new aws.ConfigService();
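// This is where it's determined whether the resource is compliant or not.
// In this example, we look at the tenancy of the EC2 instance and determine whether it matches
// the "DesiredTenancy" parameter that is passed to the rule. If the tenancy is not of the DesiredTenancy type, the
// instance is marked non-compliant. Otherwise, it is marked compliant.
//
// configurationItem - the AWS Config configuration item for the resource under evaluation
// ruleParameters    - the rule's parameters (already parsed from JSON); DesiredTenancy is required
// context           - the Lambda context (currently unused here)
// Returns one of 'NOT_APPLICABLE', 'COMPLIANT', 'NON_COMPLIANT'.
// Throws (via checkDefined) if a required input or the DesiredTenancy parameter is missing.
function evaluateCompliance(configurationItem, ruleParameters, context) {
    checkDefined(configurationItem, "configurationItem");
    checkDefined(configurationItem.configuration, "configurationItem.configuration");
    checkDefined(ruleParameters, "ruleParameters");
    if ('AWS::EC2::Instance' !== configurationItem.resourceType) {
        return 'NOT_APPLICABLE';
    }
    // DesiredTenancy is a required parameter (see file header). Without this check a rule
    // deployed without it would silently report every instance NON_COMPLIANT instead of
    // surfacing the misconfiguration, so fail loudly here.
    var desiredTenancy = checkDefined(ruleParameters.DesiredTenancy, "ruleParameters.DesiredTenancy");
    // Guard the nested lookup: a configuration item with no `placement` block would otherwise
    // throw a TypeError. Treat missing placement as "not the desired tenancy" (fail closed).
    var placement = configurationItem.configuration.placement;
    var actualTenancy = placement ? placement.tenancy : undefined;
    // Tenancy values are compared exactly (case-sensitive), matching the original rule.
    return desiredTenancy === actualTenancy ? 'COMPLIANT' : 'NON_COMPLIANT';
}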
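// Helper function used to validate input.
// Returns `reference` unchanged when it is truthy; otherwise logs the problem and throws.
// Any falsy value (undefined, null, 0, '', false) counts as "not defined" — the callers in
// this file pass objects and non-empty strings, where that is the intended behaviour.
// Throws a real Error (not a bare string) so the Lambda runtime and any catch block get
// a stack trace and a `.message` to inspect.
function checkDefined(reference, referenceName) {
    if (!reference) {
        var message = referenceName + " is not defined";
        console.log("Error: " + message);
        throw new Error(message);
    }
    return reference;
}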
// Check whether the resource has been deleted. If it has, then the evaluation is unnecessary.
// A configuration item is considered applicable only when its status is 'OK' or
// 'ResourceDiscovered' AND the event says the resource has not left the rule's scope.
// Note the strict comparison: an event with no eventLeftScope at all is treated as
// not applicable rather than assumed to be in scope.
// Throws (via checkDefined) when either argument is missing.
function isApplicable(configurationItem, event) {
    checkDefined(configurationItem, "configurationItem");
    checkDefined(event, "event");
    var itemStatus = configurationItem.configurationItemStatus;
    var isLive = (itemStatus === 'OK') || (itemStatus === 'ResourceDiscovered');
    var stillInScope = (event.eventLeftScope === false);
    return isLive && stillInScope;
}
// This is the handler that's invoked by Lambda.
// Most of this code is boilerplate; use as is.
//
// Flow: parse the invoking event and rule parameters out of the Config event, decide whether
// the configuration item is still worth evaluating, run the compliance check, then report a
// single evaluation back to AWS Config using the result token from the event.
// Throws (via checkDefined) when the event or its configuration item is missing.
// NOTE(review): JSON.parse is applied to event.invokingEvent and event.ruleParameters
// without a guard; a malformed or absent value will throw a SyntaxError here — confirm
// that is the intended failure mode for this rule.
exports.handler = function(event, context) {
    event = checkDefined(event, "event");
    var invokingEvent = JSON.parse(event.invokingEvent);
    var ruleParameters = JSON.parse(event.ruleParameters);
    var configurationItem = checkDefined(invokingEvent.configurationItem, "invokingEvent.configurationItem");

    // Only run the compliance check for live, in-scope resources; everything else is NOT_APPLICABLE.
    var compliance = isApplicable(configurationItem, event)
        ? evaluateCompliance(configurationItem, ruleParameters, context)
        : 'NOT_APPLICABLE';

    // The evaluation is reported against the very resource that was passed in.
    // It could be reported against any other resource type supported by Config rules.
    var evaluation = {
        ComplianceResourceType: configurationItem.resourceType,
        ComplianceResourceId: configurationItem.resourceId,
        ComplianceType: compliance,
        OrderingTimestamp: configurationItem.configurationItemCaptureTime
    };
    // ResultToken must be echoed back unchanged so Config can correlate this result with the invocation.
    var putEvaluationsRequest = {
        Evaluations: [evaluation],
        ResultToken: event.resultToken
    };

    // Invoke the Config API to report the result of the evaluation.
    config.putEvaluations(putEvaluationsRequest, function (err, data) {
        if (err) {
            context.fail(err);
            return;
        }
        context.succeed(data);
    });
};