#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    S3_BUCKET_VERSIONING_ENABLED
#
# Description:
#   Checks if versioning is enabled for your S3 buckets.
#
# Reports on:
#    AWS::S3::Bucket
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no S3 resource present
# b) PASS: when all S3 resources Versioning Configuration status is set to Enabled
# c) FAIL: when all S3 resources have Versioning Configuration status property not set or set to Suspended
# d) SKIP: when metadata includes the suppression for rule S3_BUCKET_VERSIONING_ENABLED

#
# Select all S3 resources from incoming template (payload)
#
let s3_buckets_versioning_enabled = Resources.*[ Type == 'AWS::S3::Bucket'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "S3_BUCKET_VERSIONING_ENABLED"
]

rule S3_BUCKET_VERSIONING_ENABLED when %s3_buckets_versioning_enabled !empty {
  %s3_buckets_versioning_enabled.Properties.VersioningConfiguration exists
  %s3_buckets_versioning_enabled.Properties.VersioningConfiguration.Status == 'Enabled'
  <<
    Violation: S3 Bucket Versioning must be enabled.
    Fix: Set the S3 Bucket property VersioningConfiguration.Status to 'Enabled' .
  >>
}