###
# SECRETSMANAGER_USING_CMK test
###
---
- name: Empty, SKIP
  input: {}
  expectations:
    rules:
      SECRETSMANAGER_USING_CMK: SKIP

- name: No resources, SKIP
  input:
    Resources: {}
  expectations:
    rules:
      SECRETSMANAGER_USING_CMK: SKIP

- name: secret using CMK, PASS
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId:
            Ref: MyKMSKey
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        Properties:
          SecretId:
            Ref: MySecret
          RotationLambdaARN:
            Ref: MyCustomRotationLambda
          RotationRules:
            AutomaticallyAfterDays: 30
  expectations:
    rules:
      SECRETSMANAGER_USING_CMK: PASS

- name: Secret not using KmsKey, FAIL
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        Properties:
          SecretId:
            Ref: MySecret
          RotationLambdaARN:
            Ref: MyCustomRotationLambda
          RotationRules:
            AutomaticallyAfterDays: 30
  expectations:
    rules:
      SECRETSMANAGER_USING_CMK: FAIL

- name: Secret using aws/secretsmanager kms key, FAIL
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId: alias/aws/secretsmanager
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        Properties:
          SecretId:
            Ref: MySecret
          RotationLambdaARN:
            Ref: MyCustomRotationLambda
          RotationRules:
            AutomaticallyAfterDays: 30
  expectations:
    rules:
      SECRETSMANAGER_USING_CMK: FAIL

- name: rule suppressed, SKIP
  input:
    Resources:
      MySecret:
        Type: 'AWS::SecretsManager::Secret'
        Metadata:
          guard:
            SuppressedRules:
            - SECRETSMANAGER_USING_CMK
        Properties:
          Name: MySecretForAppA
          Description: "This secret has a dynamically generated secret password."
          GenerateSecretString:
            SecretStringTemplate: '{"username": "test-user"}'
            GenerateStringKey: "password"
            PasswordLength: 30
            ExcludeCharacters: '"@/\'
          KmsKeyId: alias/aws/secretsmanager
      MySecretRotationSchedule:
        Type: AWS::SecretsManager::RotationSchedule
        Properties:
          SecretId:
            Ref: MySecret
          RotationLambdaARN:
            Ref: MyCustomRotationLambda
          RotationRules:
            AutomaticallyAfterDays: 30
  expectations:
    rules:
      SECRETSMANAGER_USING_CMK: SKIP