Skip to content

codebuild

Sample rules

A few rules that use objects from this package:

not_car_codebuild_projects_encrypted_at_rest_with_customer_managed_CMK 
from typing import List, Dict

from cloudrail.knowledge.context.aws.aws_environment_context import AwsEnvironmentContext
from cloudrail.knowledge.context.aws.resources.kms.kms_key_manager import KeyManager
from cloudrail.knowledge.rules.aws.aws_base_rule import AwsBaseRule
from cloudrail.knowledge.rules.base_rule import Issue
from cloudrail.knowledge.rules.rule_parameters.base_paramerter import ParameterType


class EnsureCodeBuildProjectsEncryptedRule(AwsBaseRule):

    def get_id(self) -> str:
        return 'not_car_codebuild_projects_encrypted_at_rest_with_customer_managed_CMK'

    def execute(self, env_context: AwsEnvironmentContext, parameters: Dict[ParameterType, any]) -> List[Issue]:
        issues: List[Issue] = []

        for project in env_context.codebuild_projects:
            if not project.kms_data or project.kms_data.key_manager != KeyManager.CUSTOMER:
                issues.append(
                    Issue(
                        f'The {project.get_type()} project `{project.get_friendly_name()}` '
                        f'is not set to use encryption at rest '
                        f'with customer-managed CMK', project, project))
        return issues

    def should_run_rule(self, environment_context: AwsEnvironmentContext) -> bool:
        return bool(environment_context.codebuild_projects)

CodeBuildProject (NetworkEntity)

Attributes:

Name Type Description
project_name str

The name of the project.
encryption_key str

The KMS ID of the encryption key, if used, or None otherwise.
arn str

The ARN of the project.
vpc_config NetworkConfiguration

The network configuration of the project, if configured.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process

CodeBuildReportGroup (AwsResource)

Attributes:

Name Type Description
name str

The name of the report group.
export_config_type str

S3 or NO_EXPORT.
export_config_s3_destination_bucket str

If S3 type is used, the destination bucket.
export_config_s3_destination_encryption_key str

If S3 type is used, the encryption key to use.
export_config_s3_destination_encryption_disabled bool

If S3 type is used, whether or not encryption is enabled.
export_config_s3_destination_kms_data KmsKey

If encryption is used, the KMS key used to encrypt.

custom_invalidation(self) inherited

A list of manual reasons why this resource should be invalidated

exclude_from_invalidation(self) inherited

A list of attributes that should be excluded from the invalidation process