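---
# This policy is based on ce:ca:aws:s3:enable-bucket-lifecycle-configuration.
# We're able to determine if the Lifecycle configuration is enabled on a bucket
# using the CA10__lifecycleRulesJson__c field.
# Lifecycle configuration is not supported for MFA-enabled buckets and directory buckets.
#
# NOTE(review): the header mentions directory buckets, but no condition below
# excludes them; only the MFA-delete case is marked INAPPLICABLE. If the
# object.extracts.yaml import exposes a directory-bucket field, add a matching
# INAPPLICABLE condition so directory buckets are not reported as INCOMPLIANT.
#
# The conditions are listed most-specific first; presumably the policy engine
# evaluates them top to bottom and takes the first match, falling through to
# `otherwise` when none apply — confirm against the engine's documentation.
# A COMPLIANT result only means at least one lifecycle rule is enabled; it does
# not validate what the rules do (expiration, transition, noncurrent-version
# cleanup), so retention requirements need a separate policy.
inputType: "CA10__CaAwsBucket__c"

testData:
  - file: "test-data.json"

importExtracts:
  - file: "/types/CA10__CaAwsBucket__c/object.extracts.yaml"

conditions:
  # Lifecycle configuration on multi-factor authentication (MFA)-enabled buckets is not supported.
  # https://docs.aws.amazon.com/AmazonS3/latest/userguide/lifecycle-and-other-bucket-config.html#lifecycle-general-considerations-mfa-enabled-bucket
  - status: "INAPPLICABLE"
    currentStateMessage: "Lifecycle configuration on multi-factor authentication (MFA)-enabled buckets is not supported."
    check:
      IS_EQUAL:
        left:
          EXTRACT: "CA10__versioningMfaDeleteEnabled__c"
        right:
          BOOLEAN: true

  # No lifecycle configuration at all: the raw rules JSON is empty.
  - status: "INCOMPLIANT"
    currentStateMessage: "The bucket does not have a lifecycle configuration."
    remediationMessage: "Create an S3 lifecycle configuration for the bucket."
    check:
      IS_EMPTY:
        arg:
          EXTRACT: "CA10__lifecycleRulesJson__c"

  # A configuration exists but no rule is enabled. The caJsonBoolean__ extract
  # is presumably derived from CA10__lifecycleRulesJson__c in the imported
  # extracts file; if it can be null for a non-empty JSON, NOT(null) should be
  # checked to land here rather than in `otherwise` — verify with test-data.json.
  - status: "INCOMPLIANT"
    currentStateMessage: "Bucket lifecycle configuration rules are disabled."
    # Fixed wording: "Enable or adding" -> "Enable or add".
    remediationMessage: "Enable or add active rules to the bucket lifecycle configuration."
    check:
      NOT:
        arg:
          EXTRACT: "caJsonBoolean__lifecycleRulesJsonStatusEnabled__c"

  - status: "COMPLIANT"
    currentStateMessage: "The bucket lifecycle configuration is enabled."
    check:
      EXTRACT: "caJsonBoolean__lifecycleRulesJsonStatusEnabled__c"

# Reached only when none of the conditions above match.
otherwise:
  status: "UNDETERMINED"
  currentStateMessage: "Unexpected values in the fields."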