#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED
#
# Description:
#  Checks if Amazon CloudFront distributions backed by S3 are configured with an Origin Access Identity (OAI).
#
# Reports on:
#    AWS::CloudFront::Distribution
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no CloudFront Distribution Resources
# b) SKIP: when metadata has rule suppression for CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED
# c) FAIL: when CloudFront Distribution Resources have a Legacy S3 Origin configuration present
# d) FAIL: when CloudFront Distribution Resources have an S3 Origin configured without an Origin Access Identity (OAI)
# e) PASS: when CloudFront Distribution Resources do not have an S3 Origin configured
# f) PASS: when CloudFront Distribution Resources have an S3 Origin configured with an Origin Access Identity (OAI)

#
# Select all CloudFront Distribution Resources from incoming template (payload)
#
let cloudfront_origin_access_identity_enabled_resources = Resources.*[ Type == 'AWS::CloudFront::Distribution'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED"
]

rule CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED when %cloudfront_origin_access_identity_enabled_resources !empty {
  let doc = this  
  %cloudfront_origin_access_identity_enabled_resources.Properties.DistributionConfig {
    S3Origin not exists

    when Origins exists
         Origins is_list
         Origins not empty {

      Origins [
        DomainName == /(.*)\.s3(-external-\d|[-\.][a-z]*-[a-z]*-[0-9])?\.amazonaws\.com(\.cn)?$/ or
        DomainName {
          'Fn::GetAtt' {
              this is_list
              this[1] == "DomainName" or
              this[1] == "RegionalDomainName"
              
              let resource_logical_name = this[0]
              let referenced_resource = %doc.Resources[ keys == %resource_logical_name ]            
              
              %referenced_resource not empty
              %referenced_resource {
                  Type == "AWS::S3::Bucket"    
              }
          }
        }
      ] {
        S3OriginConfig.OriginAccessIdentity exists
        S3OriginConfig.OriginAccessIdentity != ""
        
        S3OriginConfig.OriginAccessIdentity is_string or 
        S3OriginConfig.OriginAccessIdentity is_struct
        <<
          Violation: CloudFront Distributions backed by S3 must be configured with an Origin Access Identity (OAI).
          Fix: Set the S3OriginConfig.OriginAccessIdentity property for CloudFront Distribution Origins backed by S3.
        >>
      }
    }
  } 
}