--- policy: /ce/ca/aws/dms/replication-instance-multi-az logic: /ce/ca/aws/dms/replication-instance-multi-az/prod.logic.yaml executionTime: 2026-04-25T12:02:23.234181418Z generationMs: 59 executionMs: 2690 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10A1__disappearanceTime__c) actual: isDisappeared(CA10A1__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10A1__multiAz__c') == false actual: extract('CA10A1__multiAz__c') == false runtimeError: {} - id: test3 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10A1__multiAz__c') == true actual: extract('CA10A1__multiAz__c') == true runtimeError: {} usedFiles: - path: /ce/ca/aws/dms/replication-instance-multi-az/policy.yaml md5Hash: 504C1359EDB9AC1D744B1A22E55A80B5 content: | --- names: full: AWS DMS Replication Instance Multi-AZ Deployment is not enabled contextual: Replication Instance Multi-AZ Deployment is not enabled description: > Ensure that AWS Database Migration Service (DMS) replication instances are configured for Multi-AZ deployment to improve availability and support automatic failover during infrastructure disruptions. type: COMPLIANCE_POLICY categories: - RELIABILITY frameworkMappings: - "/frameworks/cloudaware/resource-reliability/system-configuration" - "/frameworks/aws-fsbp-v1.0.0/dms/13" similarPolicies: awsSecurityHub: - name: "[DMS.13] DMS replication instances should be configured to use multiple Availability Zones" url: "https://docs.aws.amazon.com/securityhub/latest/userguide/dms-controls.html#dms-13" - path: /ce/ca/aws/dms/replication-instance-multi-az/prod.logic.yaml md5Hash: 4EDA0E167D76F72739E7307DC77E3D79 content: | --- inputType: "CA10A1__CaAwsDmsReplicationInstance__c" importExtracts: - file: "/types/CA10A1__CaAwsDmsReplicationInstance__c/object.extracts.yaml" testData: - file: "test-data.json" conditions: - status: "INCOMPLIANT" currentStateMessage: "Multi-AZ deployment is not enabled for the DMS replication instance." remediationMessage: "Enable Multi-AZ deployment for this DMS replication instance." check: IS_EQUAL: left: EXTRACT: "CA10A1__multiAz__c" right: BOOLEAN: false - status: "COMPLIANT" currentStateMessage: "Multi-AZ deployment is enabled for the DMS replication instance." check: IS_EQUAL: left: EXTRACT: "CA10A1__multiAz__c" right: BOOLEAN: true otherwise: status: "UNDETERMINED" currentStateMessage: "The Multi-AZ deployment state for the DMS replication instance could not be determined." - path: /ce/ca/aws/dms/replication-instance-multi-az/test-data.json md5Hash: BD0BE3AC423043446540EB96B6604D0D content: | [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10A1__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": "2026-04-15T12:00:00Z", "CA10A1__multiAz__c": true, "Id": "test1" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "199", "conditionText": "extract('CA10A1__multiAz__c') == false", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__multiAz__c": false, "Id": "test2" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10A1__multiAz__c') == true", "runtimeError": null }, "context": { "snapshotTime": "2026-04-16T12:00:00Z" }, "CA10A1__disappearanceTime__c": null, "CA10A1__multiAz__c": true, "Id": "test3" } ] - path: /types/CA10A1__CaAwsDmsReplicationInstance__c/object.extracts.yaml md5Hash: 3053881A20CD44B23F396A758DE90778 content: "---\nextracts:\n# Checkbox. Values: true/false. Can't have no access,\ \ retrieved via dms:DescribeReplicationInstances\n - name: CA10A1__publiclyAccessible__c\n\ \ value: \n FIELD:\n path: CA10A1__publiclyAccessible__c\n# Checkbox.\ \ Values: true/false. Can't have no access, retrieved via dms:DescribeReplicationInstances\n\ \ - name: CA10A1__minorVersionAutomaricUpdate__c\n value: \n FIELD:\n\ \ path: CA10A1__minorVersionAutomaricUpdate__c\n# Checkbox. Values: true/false.\ \ Can't have no access, retrieved via dms:DescribeReplicationInstances\n -\ \ name: CA10A1__multiAz__c\n value: \n FIELD:\n path: CA10A1__multiAz__c\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10A1__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "199", "conditionText" : "extract('CA10A1__multiAz__c') == false", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10A1__multiAz__c') == true", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10A1__CaAwsDmsReplicationInstance__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__disappearanceTime__c" : new Date("2026-04-15T12:00:00Z"), "CA10A1__multiAz__c" : true, "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__multiAz__c" : false, "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2026-04-16T12:00:00Z") }, "CA10A1__multiAz__c" : true, "Id" : "test3" } ]; """; CREATE TEMP FUNCTION process_CA10A1__CaAwsDmsReplicationInstance__c( obj STRUCT< CA10A1__disappearanceTime__c TIMESTAMP, CA10A1__multiAz__c BOOLEAN, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10A1__disappearanceTime__c]: ' + obj.CA10A1__disappearanceTime__c); if (obj.CA10A1__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10A1__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function extract3() { if (!this.out) { this.out = obj.CA10A1__multiAz__c; } return this.out; }; references1.push('Multi AZ [obj.CA10A1__multiAz__c]: ' + obj.CA10A1__multiAz__c); if (extract3.call(extract3) == false) { return {status: 'INCOMPLIANT', conditionIndex: 199, conditionText: "extract('CA10A1__multiAz__c') == false", currentStateMessage: "Multi-AZ deployment is not enabled for the DMS replication instance.", currentStateReferences: references1.join('\n'), remediation: "Enable Multi-AZ deployment for this DMS replication instance.", runtimeError: null}; } // condition[2], conditionIndex:[200..299] function extract6() { if (!this.out) { this.out = obj.CA10A1__multiAz__c; } return this.out; }; if (extract6.call(extract6) == true) { return {status: 'COMPLIANT', conditionIndex: 299, conditionText: "extract('CA10A1__multiAz__c') == true", currentStateMessage: "Multi-AZ deployment is enabled for the DMS replication instance.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } return {status: 'UNDETERMINED', conditionIndex: 300, conditionText: "otherwise", currentStateMessage: "The Multi-AZ deployment state for the DMS replication instance could not be determined.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__multiAz__c AS CA10A1__multiAz__c, sObject.Id AS Id, process_CA10A1__CaAwsDmsReplicationInstance__c( STRUCT( sObject.CA10A1__disappearanceTime__c AS CA10A1__disappearanceTime__c, sObject.CA10A1__multiAz__c AS CA10A1__multiAz__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10A1__CaAwsDmsReplicationInstance__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;