#378 Created custom rules from boolean_base_rule and applied to SageM…

…aker EndpointConfig/NotebookInstance (#419)

* Lock release-master version down to a SHA hash that contains the publish functionality to avoid issues with the latest master branch.

* #378 Adding custom rule for missing KmsKeyId property on SageMaker EndpointConfig and NotebookInstance resources.

lib/cfn-nag/custom_rules/SageMakerEndpointConfigKmsKeyIdRule.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'boolean_base_rule'
+
+class SageMakerEndpointConfigKmsKeyIdRule < BooleanBaseRule
+  def rule_text
+    'SageMaker EndpointConfig should have a KmsKeyId property set.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W1200'
+  end
+
+  def resource_type
+    'AWS::SageMaker::EndpointConfig'
+  end
+
+  def boolean_property
+    :kmsKeyId
+  end
+end

lib/cfn-nag/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require 'cfn-nag/violation'
+require_relative 'boolean_base_rule'
+
+class SageMakerNotebookInstanceKmsKeyIdRule < BooleanBaseRule
+  def rule_text
+    'SageMaker NotebookInstance should have a KmsKeyId property set.'
+  end
+
+  def rule_type
+    Violation::WARNING
+  end
+
+  def rule_id
+    'W1201'
+  end
+
+  def resource_type
+    'AWS::SageMaker::NotebookInstance'
+  end
+
+  def boolean_property
+    :kmsKeyId
+  end
+end

spec/custom_rules/SageMakerEndpointConfigKmsKeyIdRule_spec.rb

@@ -0,0 +1,22 @@
+require 'spec_helper'
+require 'password_rule_spec_helper'
+require 'cfn-model'
+
+resource_type = 'AWS::SageMaker::EndpointConfig'
+property_name = 'KmsKeyId'
+sub_property_name = nil
+test_template_type = 'yaml'
+
+require "cfn-nag/custom_rules/#{rule_name(resource_type, property_name, sub_property_name)}"
+
+describe Object.const_get(rule_name(resource_type, property_name, sub_property_name)), :rule do
+  # Creates dynamic set of contexts based on the missing_property_rule_test_sets hash
+  boolean_rule_test_sets.each do |test_description, desired_test_result|
+    context "#{resource_type} #{property_name} #{sub_property_name} #{test_description}" do
+      it context_return_value(desired_test_result) do
+        run_test(resource_type, property_name, sub_property_name,
+                 test_template_type, test_description, desired_test_result)
+      end
+    end
+  end
+end

spec/custom_rules/SageMakerNotebookInstanceKmsKeyIdRule_spec.rb

@@ -0,0 +1,22 @@
+require 'spec_helper'
+require 'password_rule_spec_helper'
+require 'cfn-model'
+
+resource_type = 'AWS::SageMaker::NotebookInstance'
+property_name = 'KmsKeyId'
+sub_property_name = nil
+test_template_type = 'yaml'
+
+require "cfn-nag/custom_rules/#{rule_name(resource_type, property_name, sub_property_name)}"
+
+describe Object.const_get(rule_name(resource_type, property_name, sub_property_name)), :rule do
+  # Creates dynamic set of contexts based on the missing_property_rule_test_sets hash
+  boolean_rule_test_sets.each do |test_description, desired_test_result|
+    context "#{resource_type} #{property_name} #{sub_property_name} #{test_description}" do
+      it context_return_value(desired_test_result) do
+        run_test(resource_type, property_name, sub_property_name,
+                 test_template_type, test_description, desired_test_result)
+      end
+    end
+  end
+end

spec/password_rule_spec_helper.rb

@@ -26,6 +26,15 @@ def password_rule_test_sets
   }
 end
 
+# Name of the boolean tests to run, matching the test teplates file names
+# States whether the test should be a pass or fail
+def boolean_rule_test_sets
+  {
+    'not set': 'fail',
+    'set': 'pass'
+  }
+end
+
 # Returns a string based on the value result of the password_rule_test_sets
 def context_return_value(desired_test_result)
   raise 'desired_test_result value must be either "pass" or "fail"' unless

spec/test_templates/yaml/sagemaker_endpointconfig/sagemaker_endpointconfig_kms_key_id_not_set.yaml

@@ -0,0 +1,14 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Define a SageMaker EndpointConfig without the requisite KmsKeyId property.
+
+Resources:
+  SageMakerEndpointConfig:
+    Type: AWS::SageMaker::EndpointConfig
+    Properties:
+      ProductionVariants:
+        - ModelName: Model1
+          VariantName: Variant1
+          InitialInstanceCount: 1
+          InstanceType: ml.t2.medium
+          InitialVariantWeight: 1.0

spec/test_templates/yaml/sagemaker_endpointconfig/sagemaker_endpointconfig_kms_key_id_set.yaml

@@ -0,0 +1,15 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Define a SageMaker EndpointConfig with the requisite KmsKeyId property.
+
+Resources:
+  SageMakerEndpointConfig:
+    Type: AWS::SageMaker::EndpointConfig
+    Properties:
+      KmsKeyId: alias/SuperSecureKey
+      ProductionVariants:
+        - ModelName: Model1
+          VariantName: Variant1
+          InitialInstanceCount: 1
+          InstanceType: ml.t2.medium
+          InitialVariantWeight: 1.0

spec/test_templates/yaml/sagemaker_notebookinstance/sagemaker_notebookinstance_kms_key_id_not_set.yaml

@@ -0,0 +1,10 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Define a SageMaker NotebookInstance without the requisite KmsKeyId property.
+
+Resources:
+  SageMakerNotebookInstance:
+    Type: AWS::SageMaker::NotebookInstance
+    Properties:
+      InstanceType: ml.t2.large
+      RoleArn: arn:aws:iam::012345678910:role/MLUserRole

spec/test_templates/yaml/sagemaker_notebookinstance/sagemaker_notebookinstance_kms_key_id_set.yaml

@@ -0,0 +1,11 @@
+---
+AWSTemplateFormatVersion: 2010-09-09
+Description: Define a SageMaker NotebookInstance with the requisite KmsKeyId property.
+
+Resources:
+  SageMakerNotebookInstance:
+    Type: AWS::SageMaker::NotebookInstance
+    Properties:
+      InstanceType: ml.t2.large
+      KmsKeyId: alias/SuperSecureKey
+      RoleArn: arn:aws:iam::012345678910:role/MLUserRole