#
#####################################
##           Gherkin               ##
#####################################
#
# Rule Identifier:
#    ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK
#
# Description:
#   Checks if Amazon DynamoDB table is encrypted with AWS Key Management Service (KMS).
#
# Reports on:
#    AWS::ElastiCache::ReplicationGroup
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no AWS::ElastiCache::ReplicationGroup resources present
# b) PASS: when all DynamoDB Tables are encrypted with KMS
# c) FAIL: when all DynamoDB Tables are not are encrypted with KMS
# d) SKIP: when metada has rule suppression for ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK

let replication_groups_automatedbackup = Resources.*[Type == "AWS::ElastiCache::ReplicationGroup"
	Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK"
]

rule ELASTICACHE_REDIS_CLUSTER_AUTOMATIC_BACKUP_CHECK when %replication_groups_automatedbackup !empty {
	%replication_groups_automatedbackup.Properties.Engine != "redis" or
	%replication_groups_automatedbackup.Properties.SnapshotRetentionLimit > 0
	<<
		Violation: Amazon ElastiCache Replication Groups are configured with automatic backups
		Fix: Set SnapshotRetentionLimit to value greater than zero
	>>
}