#
#####################################
##           Gherkin               ##
#####################################
# Rule Identifier:
#    LAMBDA_INSIDE_VPC
#
# Description:
#    Checks whether an AWS Lambda function is allowed access to an Amazon Virtual Private Cloud.
#
# Reports on:
#    AWS::Lambda::Function
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when no AWS Lambda functions are present
# b) PASS: when all AWS Lambda functions are VPC enabled
# c) FAIL: when any AWS Lambda functions are not VPC enabled
# d) SKIP: hen metadata includes the suppression for rule LAMBDA_INSIDE_VPC

#
# Select all AWS Lambda Function resources from incoming template (payload)
#
let aws_lambda_functions_inside_vpc = Resources.*[ Type == 'AWS::Lambda::Function' 
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "LAMBDA_INSIDE_VPC"
]

rule  LAMBDA_INSIDE_VPC when %aws_lambda_functions_inside_vpc !empty {
  %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SecurityGroupIds !empty
  %aws_lambda_functions_inside_vpc.Properties.VpcConfig.SubnetIds !empty
  <<
    Violation:  All AWS Lambda Functions must be configured with access to a VPC
    Fix: set the VpcConfig.SecurityGroupIds and VpcConfig.SubnetIds parameters with a list of security groups and subnets.
    Lambda creates an elastic network interface for each combination of security group and subnet in the function's VPC configuration.
  >>
}