nirmata · anusha94 · Feb 19, 2024 · Feb 7, 2024 · Feb 7, 2024 · Feb 12, 2024
diff --git a/terraform-best-practices/aws/s3/abort-incomplete-uploads/README.md b/terraform-best-practices/aws/s3/abort-incomplete-uploads/README.md
@@ -0,0 +1,27 @@
+Amazon S3 supports a bucket lifecycle rule that you can use to direct Amazon S3 to stop multipart uploads that aren't completed within a specified number of days after being initiated. When a multipart upload isn't completed within the specified time frame, it becomes eligible for an abort operation. Amazon S3 then stops the multipart upload and deletes the parts associated with the multipart upload.
+
+You need to make sure that the *lifecycle_configuration* is Enabled and *days_after_initiation* is set to an Integer value. If you don't set an Integer value, NULL value will be considered.
+
+In order to test this policy, use the following commands:
+
+1. Initialise Terraform in your working directory
+    ```
+    terraform init
+    ```
+
+2. Create a binary of your terraform plan
+    ```
+    terraform plan -out tfplan.binary
+    ```
+
+3. Convert the executable binary into JSON Payload
+   ```
+   terraform show -json tfplan.binary | jq > payload.json
+   ```
+4. Test the policy using `kyverno-json` command
+   ```
+   kyverno-json scan --payload payload.json --policy policy.yaml 
+   ```
+   Since you've set the `Status` field to `Enabled` in *good-terraform.tf* file and *days_after_initiation* argument inside the *abort_incomplete_multipart_upload* set to an Positive Integer value, the policy will give you Passing checks. If you try to change the value of `Status` to *Disabled* or *days_after_initiation* to *NULL* value, the policy will give you failing checks.
+
+   In case you'd like to test this policy for a failing scneario, try to set the payload to `./aws/disable-s3-acl/test/bad-payload-01.json` and run the `kyverno-json scan` command again.
diff --git a/terraform-best-practices/aws/s3/abort-incomplete-uploads/abort-incomplete-uploads.yaml b/terraform-best-practices/aws/s3/abort-incomplete-uploads/abort-incomplete-uploads.yaml
@@ -0,0 +1,35 @@
+apiVersion: json.kyverno.io/v1alpha1
+kind: ValidatingPolicy
+metadata:
+  name: abort-incomplete-uploads
+  annotations:
+    policies.kyverno.io/title: enable-s3-versioning 
+    policies.kyverno.io/category: AWS S3 Security Best Practices
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/description: >-
+      Amazon S3 supports a bucket lifecycle rule that you can use to direct Amazon S3 
+      to stop multipart uploads that aren't completed within a specified number of days
+      after being initiated. When a multipart upload isn't completed within the specified time
+      frame, it becomes eligible for an abort operation. Amazon S3 then stops the multipart
+      upload and deletes the parts associated with the multipart upload.
+spec:
+  rules:
+    - name: abort-incomplete-uploads
+      match:
+        all:
+        - (planned_values.root_module.resources[?type=='aws_s3_bucket'] | length(@) > `0`): true
+      assert:
+        all:
+        - message: Use the `aws_s3_bucket_lifecycle_configuration` resource to enable lifecycle configuration.
+          check:
+            (planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration'] | length(@) > `0`): true
+        - message: S3 Bucket Lifecycle Configuration 'status' needs to be set to 'Enabled'
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']):
+              (values.rule[?status=='Enabled'] | length(@) > `0`): true
+        - message: Set the 'days_after_initiation' argument value to a Positive Integer value in 'abort_incomplete_multipart_upload' inside the lifecycle configuration block
+          check:
+            ~.(planned_values.root_module.resources[?type=='aws_s3_bucket_lifecycle_configuration']):
+              ~.(values.rule[?status=='Enabled'].abort_incomplete_multipart_upload[]):
+                (days_after_initiation > `0`): true
+
diff --git a/terraform-best-practices/aws/s3/abort-incomplete-uploads/test/bad-payload-01.json b/terraform-best-practices/aws/s3/abort-incomplete-uploads/test/bad-payload-01.json
@@ -0,0 +1,281 @@
+{
+  "format_version": "1.2",
+  "terraform_version": "1.6.6",
+  "planned_values": {
+    "root_module": {
+      "resources": [
+        {
+          "address": "aws_s3_bucket.example",
+          "mode": "managed",
+          "type": "aws_s3_bucket",
+          "name": "example",
+          "provider_name": "registry.terraform.io/hashicorp/aws",
+          "schema_version": 0,
+          "values": {
+            "bucket": "test-bucket-demo-18012003",
+            "force_destroy": false,
+            "tags": null,
+            "timeouts": null
+          },
+          "sensitive_values": {
+            "cors_rule": [],
+            "grant": [],
+            "lifecycle_rule": [],
+            "logging": [],
+            "object_lock_configuration": [],
+            "replication_configuration": [],
+            "server_side_encryption_configuration": [],
+            "tags_all": {},
+            "versioning": [],
+            "website": []
+          }
+        },
+        {
+          "address": "aws_s3_bucket_lifecycle_configuration.example",
+          "mode": "managed",
+          "type": "aws_s3_bucket_lifecycle_configuration",
+          "name": "example",
+          "provider_name": "registry.terraform.io/hashicorp/aws",
+          "schema_version": 0,
+          "values": {
+            "expected_bucket_owner": null,
+            "rule": [
+              {
+                "abort_incomplete_multipart_upload": [
+                  {
+                    "days_after_initiation": null
+                  }
+                ],
+                "expiration": [],
+                "filter": [],
+                "id": "rule-1",
+                "noncurrent_version_expiration": [],
+                "noncurrent_version_transition": [],
+                "prefix": null,
+                "status": "Enabled",
+                "transition": []
+              }
+            ]
+          },
+          "sensitive_values": {
+            "rule": [
+              {
+                "abort_incomplete_multipart_upload": [
+                  {}
+                ],
+                "expiration": [],
+                "filter": [],
+                "noncurrent_version_expiration": [],
+                "noncurrent_version_transition": [],
+                "transition": []
+              }
+            ]
+          }
+        }
+      ]
+    }
+  },
+  "resource_changes": [
+    {
+      "address": "aws_s3_bucket.example",
+      "mode": "managed",
+      "type": "aws_s3_bucket",
+      "name": "example",
+      "provider_name": "registry.terraform.io/hashicorp/aws",
+      "change": {
+        "actions": [
+          "create"
+        ],
+        "before": null,
+        "after": {
+          "bucket": "test-bucket-demo-18012003",
+          "force_destroy": false,
+          "tags": null,
+          "timeouts": null
+        },
+        "after_unknown": {
+          "acceleration_status": true,
+          "acl": true,
+          "arn": true,
+          "bucket_domain_name": true,
+          "bucket_prefix": true,
+          "bucket_regional_domain_name": true,
+          "cors_rule": true,
+          "grant": true,
+          "hosted_zone_id": true,
+          "id": true,
+          "lifecycle_rule": true,
+          "logging": true,
+          "object_lock_configuration": true,
+          "object_lock_enabled": true,
+          "policy": true,
+          "region": true,
+          "replication_configuration": true,
+          "request_payer": true,
+          "server_side_encryption_configuration": true,
+          "tags_all": true,
+          "versioning": true,
+          "website": true,
+          "website_domain": true,
+          "website_endpoint": true
+        },
+        "before_sensitive": false,
+        "after_sensitive": {
+          "cors_rule": [],
+          "grant": [],
+          "lifecycle_rule": [],
+          "logging": [],
+          "object_lock_configuration": [],
+          "replication_configuration": [],
+          "server_side_encryption_configuration": [],
+          "tags_all": {},
+          "versioning": [],
+          "website": []
+        }
+      }
+    },
+    {
+      "address": "aws_s3_bucket_lifecycle_configuration.example",
+      "mode": "managed",
+      "type": "aws_s3_bucket_lifecycle_configuration",
+      "name": "example",
+      "provider_name": "registry.terraform.io/hashicorp/aws",
+      "change": {
+        "actions": [
+          "create"
+        ],
+        "before": null,
+        "after": {
+          "expected_bucket_owner": null,
+          "rule": [
+            {
+              "abort_incomplete_multipart_upload": [
+                {
+                  "days_after_initiation": null
+                }
+              ],
+              "expiration": [],
+              "filter": [],
+              "id": "rule-1",
+              "noncurrent_version_expiration": [],
+              "noncurrent_version_transition": [],
+              "prefix": null,
+              "status": "Enabled",
+              "transition": []
+            }
+          ]
+        },
+        "after_unknown": {
+          "bucket": true,
+          "id": true,
+          "rule": [
+            {
+              "abort_incomplete_multipart_upload": [
+                {}
+              ],
+              "expiration": [],
+              "filter": [],
+              "noncurrent_version_expiration": [],
+              "noncurrent_version_transition": [],
+              "transition": []
+            }
+          ]
+        },
+        "before_sensitive": false,
+        "after_sensitive": {
+          "rule": [
+            {
+              "abort_incomplete_multipart_upload": [
+                {}
+              ],
+              "expiration": [],
+              "filter": [],
+              "noncurrent_version_expiration": [],
+              "noncurrent_version_transition": [],
+              "transition": []
+            }
+          ]
+        }
+      }
+    }
+  ],
+  "configuration": {
+    "provider_config": {
+      "aws": {
+        "name": "aws",
+        "full_name": "registry.terraform.io/hashicorp/aws",
+        "version_constraint": "~> 4.16",
+        "expressions": {
+          "access_key": {
+            "constant_value": "ASIA4JFRUINQBWNEIM6Y"
+          },
+          "region": {
+            "constant_value": "us-west-2"
+          },
+          "secret_key": {
+            "constant_value": "Ws1gpfLcATSsRnk/o3tNbieqaWZcLGhXOXzs+UyH"
+          },
+          "token": {
+            "constant_value": "IQoJb3JpZ2luX2VjEGQaCXVzLWVhc3QtMiJHMEUCIQC5s3XZqe0G6p4C8sqremQwG8Qpn0A7j1V/XhmRRnvDHgIgHspQ9p51MAHsS4IIeg+Iat4DcWR50l9VOgMaD1dnVrMqjgMILRADGgw4NDQzMzM1OTc1MzYiDDJ8P2dn2rVnqFDv7SrrAvGQ5l2a64fPDdxN56wII6zF9YkPHMkYIHgq/11WnNQpAhE1c0EbmZdwObJA9/rdHrSQsmhSuUBAiFU9Ys5Ro/I6fNt7zqotQ/trvgjMDwG4+q3InowH1zuE+1fa4ewQGSG9jrJvlT7X7hWa65lw8Qr5XGSddGeKtby/kDckqkVOJV+wUb2s3cuLW9j7x7hsE/xJRVUA70z0i5rhmXsiR9JP7vFMhmZDu9yH46375tGE7Ih7Mwtd8DejPwlpeMBUMGlcc+xAahcUxP8n+fjwAuZrLO+v0f96uWEHo87foB/SnpGwbitCWGt8UcDtmN0939P9MiMHLitorCtrpQyeUk1DPTdzwNww0nRKEjwtTw9MqRkTI0PG/5SWScphhxjxb/268qJIjS3FE+xG4hulr+gj3KId0sAbPRlUUv12SIbjgH6esD//S5JmxzBMTPQ+8A38fXSiZQ1ZQL1BaktLGbf0x1o+TafmeQSenjCm5eitBjqmAZlxiRWfntKUiH64SawiWbyDJ7kJMfoq6pT59EtNIOa/8rHfx4+aOFAqYCAClJe6Hw8d4RIpfewlaqiJL7Gw5uXc4IcepdOi2KMZ0f32k5HIMa8uKZBWpaUsH8tyWlKKjzRAMM/LsoGSovknkmmwLLkAJ+0Y6YySyQQqv1SpHQuyv7ySbk2qS7+kPplkK8+LQiB21NpHZfGirS6bnRrwLpHZ3TAzNF0="
+          }
+        }
+      }
+    },
+    "root_module": {
+      "resources": [
+        {
+          "address": "aws_s3_bucket.example",
+          "mode": "managed",
+          "type": "aws_s3_bucket",
+          "name": "example",
+          "provider_config_key": "aws",
+          "expressions": {
+            "bucket": {
+              "constant_value": "test-bucket-demo-18012003"
+            }
+          },
+          "schema_version": 0
+        },
+        {
+          "address": "aws_s3_bucket_lifecycle_configuration.example",
+          "mode": "managed",
+          "type": "aws_s3_bucket_lifecycle_configuration",
+          "name": "example",
+          "provider_config_key": "aws",
+          "expressions": {
+            "bucket": {
+              "references": [
+                "aws_s3_bucket.example.id",
+                "aws_s3_bucket.example"
+              ]
+            },
+            "rule": [
+              {
+                "abort_incomplete_multipart_upload": [
+                  {}
+                ],
+                "id": {
+                  "constant_value": "rule-1"
+                },
+                "status": {
+                  "constant_value": "Enabled"
+                }
+              }
+            ]
+          },
+          "schema_version": 0
+        }
+      ]
+    }
+  },
+  "relevant_attributes": [
+    {
+      "resource": "aws_s3_bucket.example",
+      "attribute": [
+        "id"
+      ]
+    }
+  ],
+  "timestamp": "2024-01-31T12:04:06Z",
+  "errored": false
+}