feat(aws/cis): fix config query (#325)

turbot · Nov 26, 2021 · b6e0313 · b6e0313
1 parent 0177421
commit b6e0313
Showing 1 changed file with 19 additions and 4 deletions.
diff --git a/query/config/config_enabled_all_regions.sql b/query/config/config_enabled_all_regions.sql
@@ -1,17 +1,31 @@
 -- pgFormatter-ignore
-
+-- Get count for any region with all matching criteria
+with global_recorders as (
+  select
+    count(*) as global_config_recorders
+  from
+    aws_config_configuration_recorder
+  where
+    recording_group -> 'IncludeGlobalResourceTypes' = 'true'
+    and recording_group -> 'AllSupported' = 'true'
+    and status ->> 'Recording' = 'true'
+    and status ->> 'LastStatus' = 'SUCCESS'
+ )
 select
   -- Required columns
   'arn:aws::' || a.region || ':' || a.account_id as resource,
   case
+  -- When any of the region satisfies with above CTE
+  -- In left join of <aws_config_configuration_recorder> table, regions now having
+  -- 'Recording' and 'LastStatus' matching criteria can be considered as OK
     when
-      recording_group -> 'IncludeGlobalResourceTypes' = 'true'
-      and recording_group -> 'AllSupported' = 'true'
+      g.global_config_recorders >= 1
       and status ->> 'Recording' = 'true'
       and status ->> 'LastStatus' = 'SUCCESS'
     then 'ok'
     else 'alarm'
   end as status,
+  -- Below cases are for citing respective reasons for control state
   case
     when recording_group -> 'IncludeGlobalResourceTypes' = 'true' then a.region || ' IncludeGlobalResourceTypes enabled,'
     else a.region || ' IncludeGlobalResourceTypes disabled,'
@@ -32,6 +46,7 @@ select
   a.region,
   a.account_id
 from
+  global_recorders as g,
   aws_region as a
-  left join aws_config_configuration_recorder as r 
+  left join aws_config_configuration_recorder as r
     on r.account_id = a.account_id and r.region = a.name;