#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    EC2_INSTANCE_NO_PUBLIC_IP
#
# Description:
#    Checks whether Amazon Elastic Compute Cloud (Amazon EC2) instances have a public IP association. 
#
# Reports on:
#    AWS::EC2::Instance
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when no EC2 Instance resources are present
# b) SKIP: when no EC2 Instances have network interfaces defined
# c) PASS: when no EC2 Instances with network interfaces have associated public IP addresses
# d) FAIL: when any EC2 Instances with network interfaces have associated public IP addresses
# e) SKIP: hen metadata includes the suppression for rule EC2_INSTANCE_NO_PUBLIC_IP

#
# Select all EC2 Instance resources from incoming template (payload)
#
let ec2_instances_no_public_ip = Resources.*[Type == 'AWS::EC2::Instance'
	Properties.NetworkInterfaces[*] !empty 
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "EC2_INSTANCE_NO_PUBLIC_IP"
]

rule EC2_INSTANCE_NO_PUBLIC_IP when %ec2_instances_no_public_ip !empty {
	%ec2_instances_no_public_ip.Properties.NetworkInterfaces[*] {
		AssociatePublicIpAddress !exists OR 
		AssociatePublicIpAddress == false
		<<
    	Violation: EC2 Instances cannot have public IP addresses associated with their network interfaces 
    	Fix: remove the AssociatePublicIpAddress property from NetworkInterfaces list or set it to false
  	>>
	}
}