###
# SECRETSMANAGER_ROTATION_ENABLED_CHECK test
###
---
- name: Empty, SKIP
  input: {}
  expectations:
    rules:
      SECRETSMANAGER_ROTATION_ENABLED_CHECK: SKIP

- name: No resources, SKIP
  input:
    Resources: {}
  expectations:
    rules:
      SECRETSMANAGER_ROTATION_ENABLED_CHECK: SKIP

- name: Secret with rotation schedule, PASS
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId:
            Ref: MyKMSKey
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        Properties:
          SecretId:
            Ref: MySecret
          RotationLambdaARN:
            Ref: MyCustomRotationLambda
          RotationRules:
            AutomaticallyAfterDays: 30
  expectations:
    rules:
      SECRETSMANAGER_ROTATION_ENABLED_CHECK: PASS

- name: No rotation schedule, FAIL
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId:
            Ref: MyKMSKey
  expectations:
    rules:
      SECRETSMANAGER_ROTATION_ENABLED_CHECK: FAIL

- name: Only one secret resource with rotation schedule, FAIL
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId:
            Ref: MyKMSKey
      MyOtherSecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppB
          Description: "This secret has a dynamically generated secret password for app B."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId:
            Ref: MyKMSKey
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        Properties:
          SecretId:
            Ref: MyOtherSecret
          RotationLambdaARN:
            Ref: MyCustomRotationLambda
          RotationRules:
            AutomaticallyAfterDays: 30
  expectations:
    rules:
      SECRETSMANAGER_ROTATION_ENABLED_CHECK: FAIL

- name: rule suppressed, SKIP
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Metadata:
          guard:
            SuppressedRules:
            - SECRETSMANAGER_ROTATION_ENABLED_CHECK
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId:
            Ref: MyKMSKey
  expectations:
    rules:
      SECRETSMANAGER_ROTATION_ENABLED_CHECK: SKIP