--- policy: /ce/ca/aws/acm/certificate-expires-in-7-days logic: /ce/ca/aws/acm/certificate-expires-in-7-days/prod.logic.yaml executionTime: 2026-02-10T22:32:30.308417241Z generationMs: 74 executionMs: 789 rows: - id: test1 match: true status: expected: DISAPPEARED actual: DISAPPEARED conditionIndex: expected: 99 actual: 99 conditionText: expected: isDisappeared(CA10__disappearanceTime__c) actual: isDisappeared(CA10__disappearanceTime__c) runtimeError: {} - id: test2 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 199 actual: 199 conditionText: expected: extract('CA10__status__c') != 'ISSUED' actual: extract('CA10__status__c') != 'ISSUED' runtimeError: {} - id: test3 match: true status: expected: INAPPLICABLE actual: INAPPLICABLE conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__renewalEligibility__c') != 'INELIGIBLE' actual: extract('CA10__renewalEligibility__c') != 'INELIGIBLE' runtimeError: {} - id: test4 match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: extract('CA10__notAfter__c').withinNextDays(7) actual: extract('CA10__notAfter__c').withinNextDays(7) runtimeError: {} - id: test5 match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 400 actual: 400 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/acm/certificate-expires-in-7-days/policy.yaml md5Hash: 77378F07166D0BBF171876E6B079C4BB content: "---\nnames:\n full: \"AWS ACM Certificate expires in the next 7 days\"\ \n contextual: \"Certificate expires in the next 7 days\"\ndescription: >\n\ \ Renew your SSL/TLS certificates in AWS ACM that are ineligible for automatic\ \ renewal at \n least 7 days before their expiration date to ensure uninterrupted\ \ security coverage \n and prevent service disruptions. Proactive renewal safeguards\ \ your applications \n and maintains user trust. AWS Certificate Manager simplifies\ \ the provisioning, \n management, and deployment of SSL/TLS certificates for\ \ various AWS resources, \n including Elastic Load Balancers, CloudFront distributions,\ \ and APIs on Amazon API Gateway\ncategories:\n - \"SECURITY\"\n - \"RELIABILITY\"\ \ntype: \"COMPLIANCE_POLICY\"\nframeworkMappings:\n - \"/frameworks/cloudaware/secret-and-certificate-governance/expiration-management\"\ \n - \"/frameworks/aws-fsbp-v1.0.0/acm/01\"\nsimilarPolicies:\n internal:\n\ \ - \"dec-x-b24d2338\"\n cloudConformity:\n - url: https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/ACM/certificate-expires-in-7-days.html\n\ \ name: AWS ACM Certificates Renewal (7 days before expiration)\n awsSecurityHub:\n\ \ - name: \"[ACM.1] Imported and ACM-issued certificates should be renewed\ \ after a specified time period\"\n url: \"https://docs.aws.amazon.com/securityhub/latest/userguide/acm-controls.html#acm-1\"" - path: /ce/ca/aws/acm/certificate-expires-in-7-days/prod.logic.yaml md5Hash: D6EC744EF8E0A2049AC94E08F4D9C6BA content: | --- inputType: "CA10__CaAwsAcmCertificate__c" testData: - file: test-data.json importExtracts: - file: /types/CA10__CaAwsAcmCertificate__c/object.extracts.yaml conditions: - status: "INAPPLICABLE" currentStateMessage: "The certificate is not active." check: NOT_EQUAL: left: EXTRACT: "CA10__status__c" right: TEXT: "ISSUED" - status: "INAPPLICABLE" currentStateMessage: "The certificate is eligible for automatic renewal." check: NOT_EQUAL: left: EXTRACT: "CA10__renewalEligibility__c" right: TEXT: "INELIGIBLE" - status: "INCOMPLIANT" currentStateMessage: "The certificate is ineligible for automatic renewal and expires in 7 days or less." remediationMessage: "Reissue the certificate before it expires." check: IS_WITHIN_NEXT_DAYS: offsetDays: 7 arg: EXTRACT: CA10__notAfter__c otherwise: status: "COMPLIANT" currentStateMessage: "The certificate is not expiring within 7 days." - path: /ce/ca/aws/acm/certificate-expires-in-7-days/test-data.json md5Hash: EAEC25F87A3E816CE43AF203CD79CAAA content: |- [ { "expectedResult": { "status": "DISAPPEARED", "conditionIndex": "99", "conditionText": "isDisappeared(CA10__disappearanceTime__c)", "runtimeError": null }, "context": { "snapshotTime": "2024-11-01T12:04:09Z" }, "Id": "test1", "CA10__disappearanceTime__c": "2024-10-17T17:11:36Z", "CA10__status__c": "ISSUED", "CA10__renewalEligibility__c": "INELIGIBLE", "CA10__notAfter__c": "2024-11-02T12:04:09Z" }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "199", "conditionText": "extract('CA10__status__c') != 'ISSUED'", "runtimeError": null }, "context": { "snapshotTime": "2024-11-01T12:04:09Z" }, "Id": "test2", "CA10__disappearanceTime__c": null, "CA10__status__c": "FAILED", "CA10__renewalEligibility__c": "INELIGIBLE", "CA10__notAfter__c": null }, { "expectedResult": { "status": "INAPPLICABLE", "conditionIndex": "299", "conditionText": "extract('CA10__renewalEligibility__c') != 'INELIGIBLE'", "runtimeError": null }, "context": { "snapshotTime": "2024-11-01T12:04:09Z" }, "Id": "test3", "CA10__disappearanceTime__c": null, "CA10__status__c": "ISSUED", "CA10__renewalEligibility__c": "ELIGIBLE", "CA10__notAfter__c": "2024-11-02T12:04:09Z" }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "399", "conditionText": "extract('CA10__notAfter__c').withinNextDays(7)", "runtimeError": null }, "context": { "snapshotTime": "2024-11-01T12:04:09Z" }, "Id": "test4", "CA10__disappearanceTime__c": null, "CA10__status__c": "ISSUED", "CA10__renewalEligibility__c": "INELIGIBLE", "CA10__notAfter__c": "2024-11-06T23:59:59Z" }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "400", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2024-11-01T12:04:09Z" }, "Id": "test5", "CA10__disappearanceTime__c": null, "CA10__status__c": "ISSUED", "CA10__renewalEligibility__c": "INELIGIBLE", "CA10__notAfter__c": "2025-11-01T12:04:09Z" } ] - path: /types/CA10__CaAwsAcmCertificate__c/object.extracts.yaml md5Hash: D20EE095842A506CDEF3AC47E90A5A3B content: "---\nextracts:\n# Values: PENDING_VALIDATION | ISSUED | INACTIVE | EXPIRED\ \ | REVOKED | FAILED | VALIDATION_TIMED_OUT\n# Not Nullable can't have no access\n\ \ - name: CA10__status__c\n value: \n FIELD:\n path: CA10__status__c\n\ \ undeterminedIf:\n noAccessDelegate:\n path: CA10__status__c\n\ \ currentStateMessage: Unable to determine certificate status. Possible\ \ permission issue with acm:DescribeCertificate\n isEmpty: Status is\ \ not populated yet\n# Nullable\n - name: CA10__notAfter__c\n value: \n\ \ FIELD:\n path: CA10__notAfter__c\n undeterminedIf:\n \ \ noAccessDelegate:\n path: CA10__notAfter__c\n \ \ currentStateMessage: Unable to determine certificate 'NotAfter'. Possible\ \ permission issue with acm:DescribeCertificate\n# Not Nullable\n - name: CA10__domainName__c\n\ \ value: \n FIELD:\n path: CA10__domainName__c\n undeterminedIf:\n\ \ noAccessDelegate:\n path: CA10__domainName__c\n \ \ currentStateMessage: Unable to determine certificate domain name. Possible\ \ permission issue with acm:DescribeCertificate\n isEmpty: Domain name\ \ is not populated yet\n# Values: ELIGIBLE | INELIGIBLE, Not Nullable\n - name:\ \ CA10__renewalEligibility__c\n value: \n FIELD:\n path: CA10__renewalEligibility__c\n\ \ undeterminedIf:\n noAccessDelegate:\n path: CA10__renewalEligibility__c\n\ \ currentStateMessage: Unable to determine certificate renewal eligibility.\ \ Possible permission issue with acm:DescribeCertificate\n isEmpty:\ \ Renewal eligibility is not populated yet\n# Values: RSA-1024 | RSA-2048 |\ \ RSA-3072 | RSA-4096 | EC-prime256v1 | EC-secp384r1 | EC-secp521r1\n# Not Nullable\n\ \ - name: CA10__keyAlgorithm__c\n value: \n FIELD:\n path: CA10__keyAlgorithm__c\n\ \ undeterminedIf:\n noAccessDelegate:\n path: CA10__keyAlgorithm__c\n\ \ currentStateMessage: Unable to determine certificate status. Possible\ \ permission issue with acm:DescribeCertificate\n isEmpty: Key Algorithm\ \ is not populated yet\n" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "test1", "expectedResult" : { "status" : "DISAPPEARED", "conditionIndex" : "99", "conditionText" : "isDisappeared(CA10__disappearanceTime__c)", "runtimeError" : null } }, { "Id" : "test2", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "199", "conditionText" : "extract('CA10__status__c') != 'ISSUED'", "runtimeError" : null } }, { "Id" : "test3", "expectedResult" : { "status" : "INAPPLICABLE", "conditionIndex" : "299", "conditionText" : "extract('CA10__renewalEligibility__c') != 'INELIGIBLE'", "runtimeError" : null } }, { "Id" : "test4", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "399", "conditionText" : "extract('CA10__notAfter__c').withinNextDays(7)", "runtimeError" : null } }, { "Id" : "test5", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "400", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsAcmCertificate__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2024-11-01T12:04:09Z") }, "CA10__disappearanceTime__c" : new Date("2024-10-17T17:11:36Z"), "CA10__status__c" : "ISSUED", "CA10__renewalEligibility__c" : "INELIGIBLE", "CA10__notAfter__c" : new Date("2024-11-02T12:04:09Z"), "Id" : "test1" }, { "context" : { "snapshotTime" : new Date("2024-11-01T12:04:09Z") }, "CA10__status__c" : "FAILED", "CA10__renewalEligibility__c" : "INELIGIBLE", "Id" : "test2" }, { "context" : { "snapshotTime" : new Date("2024-11-01T12:04:09Z") }, "CA10__status__c" : "ISSUED", "CA10__renewalEligibility__c" : "ELIGIBLE", "CA10__notAfter__c" : new Date("2024-11-02T12:04:09Z"), "Id" : "test3" }, { "context" : { "snapshotTime" : new Date("2024-11-01T12:04:09Z") }, "CA10__status__c" : "ISSUED", "CA10__renewalEligibility__c" : "INELIGIBLE", "CA10__notAfter__c" : new Date("2024-11-06T23:59:59Z"), "Id" : "test4" }, { "context" : { "snapshotTime" : new Date("2024-11-01T12:04:09Z") }, "CA10__status__c" : "ISSUED", "CA10__renewalEligibility__c" : "INELIGIBLE", "CA10__notAfter__c" : new Date("2025-11-01T12:04:09Z"), "Id" : "test5" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsAcmCertificate__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, CA10__status__c STRING, CA10__renewalEligibility__c STRING, CA10__notAfter__c TIMESTAMP, Id STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var IsEmptyLib = new function () { this.simpleIsEmpty = function(arg) { return arg == null; }; this.simpleIsNotEmpty = function(arg) { return arg != null; }; }(); var today = new Date(snapshotTime.toISOString().substr(0,10)+'T00:00:00.000Z').getTime(); var todayPlus8Day = new Date(snapshotTime.toISOString().substr(0,10)+'T00:00:00.000Z').getTime() + (8 * 86400000); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] function fieldChecked4() { if (TextLib.isEmpty(obj.CA10__status__c)) { throw new Error("UNDETERMINED condition:101", {cause: {status: 'UNDETERMINED', conditionIndex: 101, conditionText: "CA10__status__c.delegatedTo(CA10__status__c).isEmpty()", currentStateMessage: "Unable to determine certificate status. Possible permission issue with acm:DescribeCertificate", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } if (TextLib.isEmpty(obj.CA10__status__c)) { throw new Error("UNDETERMINED condition:102", {cause: {status: 'UNDETERMINED', conditionIndex: 102, conditionText: "CA10__status__c.isEmpty()", currentStateMessage: "Status is not populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__status__c; } function extract3() { if (!this.out) { this.out = fieldChecked4(); } return this.out; }; references1.push('Status [obj.CA10__status__c]: ' + obj.CA10__status__c); try { if (TextLib.notEqual(extract3.call(extract3), 'ISSUED')) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "extract('CA10__status__c') != 'ISSUED'", currentStateMessage: "The certificate is not active.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[2], conditionIndex:[200..299] function fieldChecked7() { if (TextLib.isEmpty(obj.CA10__renewalEligibility__c)) { throw new Error("UNDETERMINED condition:201", {cause: {status: 'UNDETERMINED', conditionIndex: 201, conditionText: "CA10__renewalEligibility__c.delegatedTo(CA10__renewalEligibility__c).isEmpty()", currentStateMessage: "Unable to determine certificate renewal eligibility. Possible permission issue with acm:DescribeCertificate", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } if (TextLib.isEmpty(obj.CA10__renewalEligibility__c)) { throw new Error("UNDETERMINED condition:202", {cause: {status: 'UNDETERMINED', conditionIndex: 202, conditionText: "CA10__renewalEligibility__c.isEmpty()", currentStateMessage: "Renewal eligibility is not populated yet", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__renewalEligibility__c; } function extract6() { if (!this.out) { this.out = fieldChecked7(); } return this.out; }; references1.push('Renewal Eligibility [obj.CA10__renewalEligibility__c]: ' + obj.CA10__renewalEligibility__c); try { if (TextLib.notEqual(extract6.call(extract6), 'INELIGIBLE')) { return {status: 'INAPPLICABLE', conditionIndex: 299, conditionText: "extract('CA10__renewalEligibility__c') != 'INELIGIBLE'", currentStateMessage: "The certificate is eligible for automatic renewal.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } // condition[3], conditionIndex:[300..399] function fieldChecked10() { if (IsEmptyLib.simpleIsEmpty(obj.CA10__notAfter__c)) { throw new Error("UNDETERMINED condition:301", {cause: {status: 'UNDETERMINED', conditionIndex: 301, conditionText: "CA10__notAfter__c.delegatedTo(CA10__notAfter__c).isEmpty()", currentStateMessage: "Unable to determine certificate 'NotAfter'. Possible permission issue with acm:DescribeCertificate", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}}); } return obj.CA10__notAfter__c; } function extract9() { if (!this.out) { this.out = fieldChecked10(); } return this.out; }; references1.push('Not After [obj.CA10__notAfter__c]: ' + obj.CA10__notAfter__c); try { if (extract9.call(extract9) != null && extract9.call(extract9).getTime() >= today && extract9.call(extract9).getTime() < todayPlus8Day) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "extract('CA10__notAfter__c').withinNextDays(7)", currentStateMessage: "The certificate is ineligible for automatic renewal and expires in 7 days or less.", currentStateReferences: references1.join('\n'), remediation: "Reissue the certificate before it expires.", runtimeError: null}; } } catch (err) { if (err.cause && err.cause.status) { return err.cause; } else { throw err; } } return {status: 'COMPLIANT', conditionIndex: 400, conditionText: "otherwise", currentStateMessage: "The certificate is not expiring within 7 days.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__status__c AS CA10__status__c, sObject.CA10__renewalEligibility__c AS CA10__renewalEligibility__c, sObject.CA10__notAfter__c AS CA10__notAfter__c, sObject.Id AS Id, process_CA10__CaAwsAcmCertificate__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, sObject.CA10__status__c AS CA10__status__c, sObject.CA10__renewalEligibility__c AS CA10__renewalEligibility__c, sObject.CA10__notAfter__c AS CA10__notAfter__c, sObject.Id AS Id ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsAcmCertificate__c()) AS sObject ) sObject ON sObject.Id = expectedResult.Id;