## Config Rule Name : elbv2-acm-certificate-required
## Config Rule URL: https://docs.aws.amazon.com/config/latest/developerguide/elbv2-acm-certificate-required.html"
#
#####################################
##           Gherkin               ##
#####################################
#
# Rule Identifier:
#   ELBV2_ACM_CERTIFICATE_REQUIRED
#
# Description:
#   Checks if Application Load Balancers and Network Load Balancer HTTPS or TLS listeners are configured to use certificates from AWS Certificate Manager (ACM)
#
# Reports on:
#   AWS::ElasticLoadBalancingV2::Listener
#
# Evaluates:
#   AWS CloudFormation
#
# Rule Parameters:
#   None
#
# Scenarios:
# a) SKIP: when there are no Elastic Load Balancing V2 Listener Resources
# b) SKIP: when metadata has rule suppression for ELB_ACM_CERTIFICATE_REQUIRED
# c) SKIP: when there are no HTTPS or TLS Listeners
# d) FAIL: when the Certificate in 'Certificates' is not an ACM certificate for HTTPS or TLS Listeners
# e) PASS: when the Certificate in 'Certificates' is an ACM certificate for HTTPS or TLS Listeners

#
# Select all Elastic Load Balancing Resources from incoming template (payload)
#
let elbv2_acm_certificate_required_resources = Resources.*[ Type == 'AWS::ElasticLoadBalancingV2::Listener'
  # Scenario c)
  Properties.Protocol == 'HTTPS' or
  Properties.Protocol == 'TLS'
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "ELBV2_ACM_CERTIFICATE_REQUIRED"
]

rule ELBV2_ACM_CERTIFICATE_REQUIRED when %elbv2_acm_certificate_required_resources !empty {
    let doc = this 
    %elbv2_acm_certificate_required_resources.Properties {
        # Scenarios d) and e)
        Certificates exists
        Certificates is_list
        Certificates not empty

        Certificates[*] {
            CertificateArn exists
            CertificateArn == /arn:aws[a-z0-9\-]*:acm:[a-z0-9\-]+:\d{12}:certificate\/[\w\-]{1,64}/ or 
            CertificateArn {
                Ref {
                    let resource_logical_name = this
                    let referenced_resource = %doc.Resources[ keys == %resource_logical_name ]
                    %referenced_resource not empty
                    %referenced_resource {
                        Type == "AWS::CertificateManager::Certificate"
                        <<
                            Violation: ELBv2 Listeners need to use HTTPS/SSL certificates provided by AWS Certificate Manager (ACM).
                            Fix: Set the ELBV2 Certificates.*.CertificateArn property to the ARN of an ACM Certificate.
                        >>
                    }
                }
            }
        }
    }
}