#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    LAMBDA_DLQ_CHECK
#
# Description:
#    Checks whether an AWS Lambda function is configured with a dead-letter queue.
#
# Reports on:
#    AWS::Lambda::Function
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when no AWS Lambda functions are present
# b) PASS: when all AWS Lambda functions are configured with a dead-letter queue
# c) FAIL: when any AWS Lambda functions are not configured with a dead-letter queue
# d) SKIP: hen metadata includes the suppression for rule LAMBDA_DLQ_CHECK

#
# Select all AWS Lambda Function resources from incoming template (payload)
#
let aws_lambda_functions_dlq = Resources.*[ Type == 'AWS::Lambda::Function' 
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "LAMBDA_DLQ_CHECK"
]

rule LAMBDA_DLQ_CHECK when %aws_lambda_functions_dlq !empty {
  %aws_lambda_functions_dlq.Properties.DeadLetterConfig.TargetArn !empty
  <<
    Violation: All AWS Lambda Functions must have a dead-letter queue configured
    Fix: Set the DeadLetterConfig.TargetAr Property to the Amazon Resource Name (ARN) of an Amazon SQS queue or Amazon SNS topic
  >>
}