CloudWatchLogs LogGroup should specify RetentionInDays to expire the …

…log (#510)

data : #503

lib/cfn-nag/custom_rules/LogsLogGroupRetentionRule.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require 'cfn-nag/util/truthy'
+require_relative 'base'
+
+class LogsLogGroupRetentionRule < BaseRule
+  def rule_text
+    'CloudWatchLogs LogGroup should specify RetentionInDays to expire the log data'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W86'
+  end
+
+  def audit_impl(cfn_model)
+    violating_groups = cfn_model.resources_by_type('AWS::Logs::LogGroup').select do |group|
+      group.retentionInDays.nil?
+    end
+
+    violating_groups.map(&:logical_resource_id)
+  end
+end

spec/custom_rules/LogsLogGroupRetentionRule_spec.rb

@@ -0,0 +1,31 @@
+require 'spec_helper'
+require 'cfn-model'
+require 'cfn-nag/custom_rules/LogsLogGroupRetentionRule'
+
+describe LogsLogGroupRetentionRule do
+  context 'CloudWatchLogs LogGroup without retention' do
+    it 'returns offending logical resource id' do
+      cfn_model = CfnParser.new.parse read_test_template(
+        'yaml/cloudwatchlogs_loggroup/cloudwatchlogs_loggroup_without_retention.yaml'
+      )
+
+      actual_logical_resource_ids = LogsLogGroupRetentionRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[CWLogGroup]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+
+  context 'CloudWatchLogs LogGroup with retention' do
+    it 'returns empty list' do
+      cfn_model = CfnParser.new.parse read_test_template(
+        'yaml/cloudwatchlogs_loggroup/cloudwatchlogs_loggroup_with_retention.yaml'
+      )
+
+      actual_logical_resource_ids = LogsLogGroupRetentionRule.new.audit_impl cfn_model
+      expected_logical_resource_ids = %w[]
+
+      expect(actual_logical_resource_ids).to eq expected_logical_resource_ids
+    end
+  end
+end

spec/test_templates/yaml/cloudwatchlogs_loggroup/cloudwatchlogs_loggroup_with_retention.yaml

@@ -0,0 +1,6 @@
+---
+Resources:
+  CWLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties:
+      RetentionInDays: 7

spec/test_templates/yaml/cloudwatchlogs_loggroup/cloudwatchlogs_loggroup_without_retention.yaml

@@ -0,0 +1,5 @@
+---
+Resources:
+  CWLogGroup:
+    Type: AWS::Logs::LogGroup
+    Properties: