#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    REDSHIFT_BACKUP_ENABLED
#
# Description:
#    Checks that Amazon Redshift automated snapshots are enabled for clusters. 
#
# Reports on:
#   AWS::Redshift::Cluster
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no Redshift Cluster resource present
# b) PASS: when Redshift Cluster resources don't have the AutomatedSnapshotRetentionPeriod property set (default retention period is 1 day)
# c) PASS: when Redshift Cluster resources have the AutomatedSnapshotRetentionPeriod property set to greater than 0 
# d) FAIL: when any Redshift Cluster resources have the AutomatedSnapshotRetentionPeriod property set to 0 
# e) SKIP: when metadata includes the suppression for rule REDSHIFT_BACKUP_ENABLED

#
# Select all Redshift Cluster resources from incoming template (payload)
#
let redhshift_backup_enabled_clusters = Resources.*[ Type == 'AWS::Redshift::Cluster' 
	Metadata.guard.SuppressedRules not exists or
    Metadata.guard.SuppressedRules.* != "REDSHIFT_BACKUP_ENABLED"
]

rule REDSHIFT_BACKUP_ENABLED when %redhshift_backup_enabled_clusters !empty {
    %redhshift_backup_enabled_clusters.Properties.AutomatedSnapshotRetentionPeriod not exists
    or %redhshift_backup_enabled_clusters.Properties.AutomatedSnapshotRetentionPeriod > 0
    <<
			Violation: Amazon Redshift automated snapshots must be enabled for clusters
			Fix: Either remove the AutomatedSnapshotRetentionPeriod property (default retention period is 1 day)
            Or set the AutomatedSnapshotRetentionPeriod property to an integer greater than 0 
    >>
}