#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    CW_LOGGROUP_RETENTION_PERIOD_CHECK
#
# Description:
#   Checks whether Amazon CloudWatch LogGroup retention
#   period is set to specific number of days.
#
# Reports on:
#    AWS::Logs::LogGroup
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no cloudwatch logs log group resources present
# b) PASS: when all cloudwatch logs log group resources property RetentionInDays is set
# c) FAIL: when all cloudwatch logs log group resources property RetentionInDays is not set with valid value
# d) SKIP: when metada has rule suppression for CW_LOGGROUP_RETENTION_PERIOD_CHECK

#
# Select all cloudwatch logs log group resources from incoming template (payload)
#
let cloudwatch_logs_retention_period = Resources.*[ Type == 'AWS::Logs::LogGroup'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "CW_LOGGROUP_RETENTION_PERIOD_CHECK"
]

rule CW_LOGGROUP_RETENTION_PERIOD_CHECK when %cloudwatch_logs_retention_period !empty {
  %cloudwatch_logs_retention_period.Properties.RetentionInDays IN [1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, 3653]
  <<
    Violation: CloudWatch Log LogsGroup does not have RetentionInDays set.
    Fix: Set the RetentionInDays parameter to a value of 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1827, or 3653.
  >>
}