#
# Rule Identifier:
#    dynamodb_pitr_is_enabled
#
# Description:
#   Brief description of the rule
#
# Reports on:
#    AWS::DynamoDB::Table
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no dynamodb table resource present
# b) PASS: when all dynamodb table resources ObjectLockEnabled property is set to true
# c) FAIL: when all dynamodb table resources do not have the ObjectLockEnabled property is set to true or is missing
# d) SKIP: when metadata has rule suppression for dynamodb_pitr_is_enabled

#
# Select all dynamodb table resources from incoming template (payload)
#
let aws_dynamodb_table_resources_pitr_example = Resources.*[ Type == 'AWS::DynamoDB::Table'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "dynamodb_pitr_is_enabled"
]

rule dynamodb_pitr_is_enabled when %aws_dynamodb_table_resources_pitr_example !empty {
  # Ensure ALL DynamoDB Tables have Point-In-Time-Recovery enabled
  %aws_dynamodb_table_resources_pitr_example.Properties.PointInTimeRecoverySpecification.PointInTimeRecoveryEnabled == true
  <<
    Violation: Point In Time Recovery must be enabled for strong resiliency
    Fix: your fix here
  >>
}