#
#####################################
##           Gherkin               ##
#####################################
#
# Rule Identifier:
#    SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS
#
# Description:
#   Checks whether AWS Key Management Service (KMS) key is configured for an Amazon SageMaker endpoint configuration.
#
# Reports on:
#    AWS::SageMaker::NotebookInstance
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when Sagemaker Notebook Instance resource not present
# b) PASS: when all Sagemaker Notebook Instance resources KmsKeyId property is set
# c) FAIL: when all Sagemaker Notebook Instance resources KmsKeyId property does not exist
# d) SKIP: when metada has rule suppression for SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS

#
# Select all AWS::SageMaker::NotebookInstance resources from incoming template (payload)
#

let sagemaker_notebookinstances_directaccess = Resources.*[ Type == "AWS::SageMaker::NotebookInstance"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS"
]

rule SAGEMAKER_NOTEBOOK_NO_DIRECT_INTERNET_ACCESS when %sagemaker_notebookinstances_directaccess !empty {
	%sagemaker_notebookinstances_directaccess.Properties.DirectInternetAccess exists
	%sagemaker_notebookinstances_directaccess.Properties.DirectInternetAccess == "Disabled"
	<<
		Violation: Amazon SageMaker Notebook instance should not have direct internet access
		Fix: Set the property DirectInternetAccess to "Disabled" and provide a value for SubnetId property
	>>
}