---
# Rule logic: decides whether an RDS DB snapshot (CA10__CaAwsDbSnapshot__c)
# is publicly accessible.
# NOTE(review): the conditions below read as an ordered, first-match list
# (INAPPLICABLE exclusions first, then the INCOMPLIANT checks, then the
# `otherwise` default) - confirm against the rule engine before reordering.
inputType: CA10__CaAwsDbSnapshot__c
importExtracts:
  - file: "/types/CA10__CaAwsDbSnapshot__c/object.extracts.yaml"
testData:
  - file: "test-data.json"
conditions:
  # Exclusion 1: encrypted snapshots are out of scope for this rule.
  - status: INAPPLICABLE
    currentStateMessage: "Encrypted RDS snapshots cannot be public."
    # cannot be set to restore:all
    check:
      IS_EQUAL:
        left:
          EXTRACT: CA10__encrypted__c
        right:
          BOOLEAN: true
  # Exclusion 2: snapshots whose type is `automated` or `awsbackup`.
  - status: INAPPLICABLE
    currentStateMessage: "RDS snapshots created automatically or via AWS Backup cannot be public."
    check:
      OR:
        args:
          - IS_EQUAL:
              left:
                EXTRACT: CA10__snapshotType__c
              right:
                TEXT: automated
          - IS_EQUAL:
              left:
                EXTRACT: CA10__snapshotType__c
              right:
                TEXT: awsbackup
  # Finding, path 1: the snapshot type field itself is `public`.
  - status: INCOMPLIANT
    currentStateMessage: "The RDS snapshot is publicly accessible."
    remediationMessage: "Make the snapshot private or restrict access to specific AWS accounts."
    check:
      IS_EQUAL:
        left:
          EXTRACT: CA10__snapshotType__c
        right:
          TEXT: public
  # TODO: modify the INCOMPLIANT status logic to use map ops when released.
  # Finding, path 2: the `restore` entry in the snapshot attributes JSON
  # is "all".
  # NOTE(review): the query reads only restore[0]. If "all" can appear at
  # a later index (for example after account IDs), this check would not
  # match and the snapshot would fall through to COMPLIANT - confirm the
  # shape of attributesJson; the TODO above appears to track this.
  - status: INCOMPLIANT
    currentStateMessage: "The RDS snapshot is publicly accessible."
    remediationMessage: "Make the snapshot private or restrict access to specific AWS accounts."
    check:
      IS_EQUAL:
        left:
          JSON_QUERY_TEXT:
            arg:
              EXTRACT: caJsonFrom__attributesJson__c
            # to_string() coerces the first `restore` element to text so
            # it can be compared with TEXT below.
            # NOTE(review): if this is JMESPath, a missing `restore` would
            # yield the text "null" and the snapshot would be reported
            # COMPLIANT rather than undetermined - verify.
            expression: "to_string(restore[0])"
            # A failed query or a non-text result is surfaced with these
            # messages (presumably as an undetermined status) instead of
            # being treated as "not public".
            undeterminedIf:
              evaluationError: "The JSON query has failed."
              resultTypeMismatch: "The JSON query did not return text type."
        right:
          TEXT: "all"
# Default: anything not matched above is reported as not public, so a gap
# in the checks above shows up as a false COMPLIANT.
otherwise:
  status: COMPLIANT
  currentStateMessage: "The RDS snapshot is not publicly accessible."