LambdaFunctionReservedConcurrentExecutionsRule and fix end_end_test (#…

…530) #503
stelligent · Apr 12, 2021 · 48c23fa · 48c23fa
1 parent 28a0312
commit 48c23fa
Show file tree

Hide file tree

Showing 7 changed files with 223 additions and 5 deletions.
diff --git a/lib/cfn-nag/custom_rules/LambdaFunctionReservedConcurrentExecutionsRule.rb b/lib/cfn-nag/custom_rules/LambdaFunctionReservedConcurrentExecutionsRule.rb
@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'base'
+
+class LambdaFunctionReservedConcurrentExecutionsRule < BaseRule
+  def rule_text
+    'Lambda functions should define ReservedConcurrentExecutions to reserve simultaneous executions'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W92'
+  end
+
+  def audit_impl(cfn_model)
+    lambda_functions = cfn_model.resources_by_type('AWS::Lambda::Function')
+    violating_lambda_functions = lambda_functions.select do |lambda_function|
+      lambda_function.reservedConcurrentExecutions.nil?
+    end
+
+    violating_lambda_functions.map(&:logical_resource_id)
+  end
+end
diff --git a/spec/cfn_nag_integration/cfn_nag_lambda_permission_spec.rb b/spec/cfn_nag_integration/cfn_nag_lambda_permission_spec.rb
@@ -22,17 +22,17 @@
                             type: Violation::FAILING_VIOLATION,
                             message: 'IAM role should not allow * resource with PassRole action on its permissions policy',
                             logical_resource_ids: %w[LambdaExecutionRole],
-                            line_numbers: [49]),
+                            line_numbers: [50]),
               Violation.new(id: 'F3',
                             type: Violation::FAILING_VIOLATION,
                             message: 'IAM role should not allow * action on its permissions policy',
                             logical_resource_ids: %w[LambdaExecutionRole],
-                            line_numbers: [49]),
+                            line_numbers: [50]),
               Violation.new(id: 'W11',
                             type: Violation::WARNING,
                             message: 'IAM role should not allow * resource on its permissions policy',
                             logical_resource_ids: %w[LambdaExecutionRole],
-                            line_numbers: [49]),
+                            line_numbers: [50]),
               Violation.new(id: 'W89',
                             type: Violation::WARNING,
                             message: 'Lambda functions should be deployed inside a VPC',
@@ -42,7 +42,7 @@
                             type: Violation::FAILING_VIOLATION,
                             message: 'Lambda permission principal should not be wildcard',
                             logical_resource_ids: %w[lambdaPermission],
-                            line_numbers: [23])
+                            line_numbers: [24])
             ]
           }
         }

diff --git a/spec/cfn_nag_integration/cfn_nag_serverless_transform_spec.rb b/spec/cfn_nag_integration/cfn_nag_serverless_transform_spec.rb
@@ -32,7 +32,13 @@
                 message: LambdaFunctionInsideVPCRule.new.rule_text,
                 logical_resource_ids: ["SomeFunction", "SomeFunction2"],
                 line_numbers: [-1,-1]
-              )              
+              ),
+              Violation.new(
+                id: 'W92', type: Violation::WARNING,
+                message: LambdaFunctionReservedConcurrentExecutionsRule.new.rule_text,
+                logical_resource_ids: ["SomeFunction","SomeFunction2"],
+                line_numbers: [-1,-1]
+              )
             ]
           }
         }

diff --git a/spec/custom_rules/LambdaFunctionReservedConcurrentExecutionsRule_spec.rb b/spec/custom_rules/LambdaFunctionReservedConcurrentExecutionsRule_spec.rb
@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/LambdaFunctionReservedConcurrentExecutionsRule'
+
+describe LambdaFunctionReservedConcurrentExecutionsRule do
+
+  describe 'AWS::Lambda::Function' do
+    context 'when Lambda functions defines ReservedConcurrentExecutions to reserve simultaneous executions' do
+      it 'does not return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/lambda_function/lambda_reserved_executions.json')
+        actual_logical_resource_ids = LambdaFunctionReservedConcurrentExecutionsRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq []
+      end
+    end
+  end
+
+  describe 'AWS::Lambda::Function' do
+    context 'when Lambda functions does not define ReservedConcurrentExecutions to reserve simultaneous executions' do
+      it 'does return an offending logical resource id' do
+        cfn_model = CfnParser.new.parse read_test_template('json/lambda_function/lambda_not_reserved_executions.json')
+        actual_logical_resource_ids = LambdaFunctionReservedConcurrentExecutionsRule.new.audit_impl cfn_model
+
+        expect(actual_logical_resource_ids).to eq ["FunctionNotReserved"]
+      end
+    end
+   end
+
+end
diff --git a/spec/test_templates/json/lambda_function/lambda_not_reserved_executions.json b/spec/test_templates/json/lambda_function/lambda_not_reserved_executions.json
@@ -0,0 +1,76 @@
+{
+	"Resources": {
+		"FunctionNotReserved": {
+			"Type": "AWS::Lambda::Function",
+			"Properties": {
+				"Role": {
+					"Ref": "RoleWithLambdaVPCAccessManagedPolicy"
+				},
+				"Handler": "index.handler",
+				"Code": {
+					"ZipFile": {
+						"Fn::Join": [
+							"",
+							[
+								"var response = require('cfn-response');",
+								"exports.handler = function(event, context) {",
+								"var responseData = {Value: event.ResourceProperties.List};",
+								"responseData.Value.push(event.ResourceProperties.AppendedItem);",
+								"response.send(event, context, response.SUCCESS, responseData);}"
+							]
+						]
+					}
+				},
+				"Runtime": "nodejs6.10",
+				"VpcConfig": {
+					"SecurityGroupIds": [
+						"secgroup"
+					],
+					"SubnetIds": [
+						"subnetid"
+					]
+				}
+			}
+		},
+		"RoleWithLambdaVPCAccessManagedPolicy": {
+			"Type": "AWS::IAM::Role",
+			"Properties": {
+				"AssumeRolePolicyDocument": {
+					"Version": "2012-10-17",
+					"Statement": [
+						{
+							"Effect": "Allow",
+							"Principal": {
+								"Service": "lambda.amazonaws.com"
+							},
+							"Action": [
+								"sts:AssumeRole"
+							]
+						}
+					]
+				},
+				"ManagedPolicyArns": [
+					"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+				],
+				"Path": "/",
+				"Policies": [
+					{
+						"PolicyName": "root",
+						"PolicyDocument": {
+							"Version": "2012-10-17",
+							"Statement": [
+								{
+									"Effect": "Allow",
+									"Action": [
+										"specific:ObscureAction"
+									],
+									"Resource": "*"
+								}
+							]
+						}
+					}
+				]
+			}
+		}
+	}
+}
diff --git a/spec/test_templates/json/lambda_function/lambda_reserved_executions.json b/spec/test_templates/json/lambda_function/lambda_reserved_executions.json
@@ -0,0 +1,77 @@
+{
+	"Resources": {
+		"FunctionConcurrentReserverd": {
+			"Type": "AWS::Lambda::Function",
+			"Properties": {
+			    "ReservedConcurrentExecutions": "1",
+				"Role": {
+					"Ref": "RoleWithLambdaVPCAccessManagedPolicy"
+				},
+				"Handler": "index.handler",
+				"Code": {
+					"ZipFile": {
+						"Fn::Join": [
+							"",
+							[
+								"var response = require('cfn-response');",
+								"exports.handler = function(event, context) {",
+								"var responseData = {Value: event.ResourceProperties.List};",
+								"responseData.Value.push(event.ResourceProperties.AppendedItem);",
+								"response.send(event, context, response.SUCCESS, responseData);}"
+							]
+						]
+					}
+				},
+				"Runtime": "nodejs6.10",
+				"VpcConfig": {
+					"SecurityGroupIds": [
+						"secgroup"
+					],
+					"SubnetIds": [
+						"subnetid"
+					]
+				}
+			}
+		},
+		"RoleWithLambdaVPCAccessManagedPolicy": {
+			"Type": "AWS::IAM::Role",
+			"Properties": {
+				"AssumeRolePolicyDocument": {
+					"Version": "2012-10-17",
+					"Statement": [
+						{
+							"Effect": "Allow",
+							"Principal": {
+								"Service": "lambda.amazonaws.com"
+							},
+							"Action": [
+								"sts:AssumeRole"
+							]
+						}
+					]
+				},
+				"ManagedPolicyArns": [
+					"arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+				],
+				"Path": "/",
+				"Policies": [
+					{
+						"PolicyName": "root",
+						"PolicyDocument": {
+							"Version": "2012-10-17",
+							"Statement": [
+								{
+									"Effect": "Allow",
+									"Action": [
+										"specific:ObscureAction"
+									],
+									"Resource": "*"
+								}
+							]
+						}
+					}
+				]
+			}
+		}
+	}
+}
diff --git a/.../lambda_permission/lambda_with_wildcard_principal_and_non_invoke_function_permission.json b/.../lambda_permission/lambda_with_wildcard_principal_and_non_invoke_function_permission.json
@@ -5,6 +5,7 @@
       "Properties": {
         "Handler": "index.handler",
         "Role": { "Fn::GetAtt" : ["LambdaExecutionRole", "Arn"] },
+        "ReservedConcurrentExecutions": "1",
         "Code": {
           "ZipFile":  { "Fn::Join": ["", [
             "var response = require('cfn-response');",