#
#####################################
##           Gherkin               ##
#####################################
#
# Rule Identifier:
#    SECRETSMANAGER_ROTATION_ENABLED_CHECK
#
# Description:
#   Checks if AWS Secrets Manager secret has rotation enabled.
#
# Reports on:
#    AWS::SecretsManager::Secret
#
# Evaluates:
#    AWS CloudFormation
#
# Rule Parameters:
#    NA
#
# Scenarios:
# a) SKIP: when there are no Secrets Manager Secret resources
# b) PASS: when all Secrets Manager Secrets have an associated RotationPolicy
# c) FAIL: when any Secrets Manager Secrets is missing an associated RotationPolicy
# d) SKIP: when metada has rule suppression for SECRETSMANAGER_ROTATION_ENABLED_CHECK

let aws_secretsmanager_secret_rotate = Resources.*[ Type == "AWS::SecretsManager::Secret"
  Metadata.guard.SuppressedRules not exists or
  Metadata.guard.SuppressedRules.* != "SECRETSMANAGER_ROTATION_ENABLED_CHECK"
]

let aws_secretsmanager_rotation_schedule_rotate = Resources.*[ Type == "AWS::SecretsManager::RotationSchedule" ]

rule SECRETSMANAGER_ROTATION_ENABLED_CHECK when %aws_secretsmanager_secret_rotate !empty {
	%aws_secretsmanager_rotation_schedule_rotate !empty
	let secret_names = %aws_secretsmanager_rotation_schedule_rotate.Properties.SecretId.Ref
	let referenced_secrets = Resources[keys in %secret_names]
	%aws_secretsmanager_secret_rotate in %referenced_secrets
	<<
		Violation: Secret Manager Secret should be assocaited with a rotation schedule
		Fix: Reference the Secret Manager Secret resource ID in a AWS::SecretsManager::RotationSchedule resource
  >>
}