Added support for AWS Config Retention Configuration

- Added AWS Config Retention Configuration support - Also added S3 KMS Key ARN support for the Delivery Channel - Updated the supported functions page for Config
2023-04-07 18:06:37 -04:00 · 2023-04-07 18:06:37 -04:00 · ae8f2a19c6
commit ae8f2a19c6
parent dc460a3258
5 changed files with 259 additions and 4 deletions
--- a/docs/docs/services/config.rst
+++ b/docs/docs/services/config.rst
@ -62,7 +62,7 @@ config
 - [ ] delete_remediation_configuration
 - [ ] delete_remediation_exceptions
 - [ ] delete_resource_config
- [ ] delete_retention_configuration
+- [X] delete_retention_configuration
 - [ ] delete_stored_query
 - [ ] deliver_config_snapshot
 - [ ] describe_aggregate_compliance_by_config_rules
@ -91,7 +91,7 @@ config
 - [ ] describe_remediation_configurations
 - [ ] describe_remediation_exceptions
 - [ ] describe_remediation_execution_status
- [ ] describe_retention_configurations
+- [X] describe_retention_configurations
 - [ ] get_aggregate_compliance_details_by_config_rule
 - [ ] get_aggregate_config_rule_compliance_summary
 - [ ] get_aggregate_conformance_pack_compliance_summary
@ -179,7 +179,7 @@ config
 - [ ] put_remediation_configurations
 - [ ] put_remediation_exceptions
 - [ ] put_resource_config
- [ ] put_retention_configuration
+- [X] put_retention_configuration
 - [ ] put_stored_query
 - [ ] select_aggregate_resource_config
 - [ ] select_resource_config
--- a/moto/config/exceptions.py
+++ b/moto/config/exceptions.py
@ -114,6 +114,14 @@ class InvalidS3KeyPrefixException(JsonRESTError):
        super().__init__("InvalidS3KeyPrefixException", message)


+class InvalidS3KmsKeyArnException(JsonRESTError):
+    code = 400
+
+    def __init__(self) -> None:
+        message = "The arn '' is not a valid kms key or alias arn."
+        super().__init__("InvalidS3KmsKeyArnException", message)
+
+
 class InvalidSNSTopicARNException(JsonRESTError):
    """We are *only* validating that there is value that is not '' here."""

@ -373,3 +381,13 @@ class MissingRequiredConfigRuleParameterException(JsonRESTError):

    def __init__(self, message: str):
        super().__init__("ParamValidationError", message)
+
+
+class NoSuchRetentionConfigurationException(JsonRESTError):
+    code = 400
+
+    def __init__(self, name: str):
+        message = (
+            f"Cannot find retention configuration with the specified name '{name}'."
+        )
+        super().__init__("NoSuchRetentionConfigurationException", message)
--- a/moto/config/models.py
+++ b/moto/config/models.py
@ -18,6 +18,7 @@ from moto.config.exceptions import (
    InvalidDeliveryChannelNameException,
    NoSuchBucketException,
    InvalidS3KeyPrefixException,
+    InvalidS3KmsKeyArnException,
    InvalidSNSTopicARNException,
    MaxNumberOfDeliveryChannelsExceededException,
    NoAvailableDeliveryChannelException,
@ -44,6 +45,7 @@ from moto.config.exceptions import (
    MaxNumberOfConfigRulesExceededException,
    InsufficientPermissionsException,
    NoSuchConfigRuleException,
+    NoSuchRetentionConfigurationException,
    ResourceInUseException,
    MissingRequiredConfigRuleParameterException,
 )
@ -259,6 +261,7 @@ class ConfigDeliveryChannel(ConfigEmptyDictable):
        s3_bucket_name: str,
        prefix: Optional[str] = None,
        sns_arn: Optional[str] = None,
+        s3_kms_key_arn: Optional[str] = None,
        snapshot_properties: Optional[ConfigDeliverySnapshotProperties] = None,
    ):
        super().__init__()
@ -266,9 +269,21 @@ class ConfigDeliveryChannel(ConfigEmptyDictable):
        self.name = name
        self.s3_bucket_name = s3_bucket_name
        self.s3_key_prefix = prefix
+        self.s3_kms_key_arn = s3_kms_key_arn
        self.sns_topic_arn = sns_arn
        self.config_snapshot_delivery_properties = snapshot_properties

+    def to_dict(self) -> Dict[str, Any]:
+        """Need to override this function because the KMS Key ARN is written as `Arn` vs. SNS which is `ARN`."""
+        data = super().to_dict()
+
+        # Fix the KMS ARN if it's here:
+        kms_arn = data.pop("s3KmsKeyARN", None)
+        if kms_arn:
+            data["s3KmsKeyArn"] = kms_arn
+
+        return data
+

 class RecordingGroup(ConfigEmptyDictable):
    def __init__(
@ -883,6 +898,14 @@ class ConfigRule(ConfigEmptyDictable):
        # Verify the rule is allowed for this region -- not yet implemented.


+class RetentionConfiguration(ConfigEmptyDictable):
+    def __init__(self, retention_period_in_days: int, name: Optional[str] = None):
+        super().__init__(capitalize_start=True, capitalize_arn=False)
+
+        self.name = name or "default"
+        self.retention_period_in_days = retention_period_in_days
+
+
 class ConfigBackend(BaseBackend):
    def __init__(self, region_name: str, account_id: str):
        super().__init__(region_name, account_id)
@ -893,6 +916,7 @@ class ConfigBackend(BaseBackend):
        self.organization_conformance_packs: Dict[str, OrganizationConformancePack] = {}
        self.config_rules: Dict[str, ConfigRule] = {}
        self.config_schema: Optional[AWSServiceSpec] = None
+        self.retention_configuration: Optional[RetentionConfiguration] = None

    @staticmethod
    def default_vpc_endpoint_service(service_region: str, zones: List[str]) -> List[Dict[str, Any]]:  # type: ignore[misc]
@ -1264,9 +1288,15 @@ class ConfigBackend(BaseBackend):

        # Ditto for SNS -- Only going to assume that the ARN provided is not
        # an empty string:
+        # NOTE: SNS "ARN" is all caps, but KMS "Arn" is UpperCamelCase!
        if delivery_channel.get("snsTopicARN", None) == "":
            raise InvalidSNSTopicARNException()

+        # Ditto for S3 KMS Key ARN -- Only going to assume that the ARN provided is not
+        # an empty string:
+        if delivery_channel.get("s3KmsKeyArn", None) == "":
+            raise InvalidS3KmsKeyArnException()
+
        # Config currently only allows 1 delivery channel for an account:
        if len(self.delivery_channels) == 1 and not self.delivery_channels.get(
            delivery_channel["name"]
@ -1292,6 +1322,7 @@ class ConfigBackend(BaseBackend):
            delivery_channel["name"],
            delivery_channel["s3BucketName"],
            prefix=delivery_channel.get("s3KeyPrefix", None),
+            s3_kms_key_arn=delivery_channel.get("s3KmsKeyArn", None),
            sns_arn=delivery_channel.get("snsTopicARN", None),
            snapshot_properties=dprop,
        )
@ -2012,5 +2043,66 @@ class ConfigBackend(BaseBackend):
        rule.config_rule_state = "DELETING"
        self.config_rules.pop(rule_name)

+    def put_retention_configuration(
+        self, retention_period_in_days: int
+    ) -> Dict[str, Any]:
+        """Creates a Retention Configuration."""
+        if retention_period_in_days < 30:
+            raise ValidationException(
+                f"Value '{retention_period_in_days}' at 'retentionPeriodInDays' failed to satisfy constraint: Member must have value greater than or equal to 30"
+            )
+
+        if retention_period_in_days > 2557:
+            raise ValidationException(
+                f"Value '{retention_period_in_days}' at 'retentionPeriodInDays' failed to satisfy constraint: Member must have value less than or equal to 2557"
+            )
+
+        self.retention_configuration = RetentionConfiguration(retention_period_in_days)
+        return {"RetentionConfiguration": self.retention_configuration.to_dict()}
+
+    def describe_retention_configurations(
+        self, retention_configuration_names: Optional[List[str]]
+    ) -> List[Dict[str, Any]]:
+        """
+        This will return the retention configuration if one is present.
+
+        This should only receive at most 1 name in. It will raise a ValidationException if more than 1 is supplied.
+        """
+        # Handle the cases where we get a retention name to search for:
+        if retention_configuration_names:
+            if len(retention_configuration_names) > 1:
+                raise ValidationException(
+                    f"Value '{retention_configuration_names}' at 'retentionConfigurationNames' failed to satisfy constraint: Member must have length less than or equal to 1"
+                )
+
+            # If we get a retention name to search for, and we don't have it, then we need to raise an exception:
+            if (
+                not self.retention_configuration
+                or not self.retention_configuration.name
+                == retention_configuration_names[0]
+            ):
+                raise NoSuchRetentionConfigurationException(
+                    retention_configuration_names[0]
+                )
+
+            # If we found it, then return it:
+            return [self.retention_configuration.to_dict()]
+
+        # If no name was supplied:
+        if self.retention_configuration:
+            return [self.retention_configuration.to_dict()]
+
+        return []
+
+    def delete_retention_configuration(self, retention_configuration_name: str) -> None:
+        """This will delete the retention configuration if one is present with the provided name."""
+        if (
+            not self.retention_configuration
+            or not self.retention_configuration.name == retention_configuration_name
+        ):
+            raise NoSuchRetentionConfigurationException(retention_configuration_name)
+
+        self.retention_configuration = None
+

 config_backends = BackendDict(ConfigBackend, "config")
--- a/moto/config/responses.py
+++ b/moto/config/responses.py
@ -235,3 +235,24 @@ class ConfigResponse(BaseResponse):
    def delete_config_rule(self) -> str:
        self.config_backend.delete_config_rule(self._get_param("ConfigRuleName"))
        return ""
+
+    def put_retention_configuration(self) -> str:
+        retention_configuration = self.config_backend.put_retention_configuration(
+            self._get_param("RetentionPeriodInDays")
+        )
+        return json.dumps(retention_configuration)
+
+    def describe_retention_configurations(self) -> str:
+        retention_configurations = (
+            self.config_backend.describe_retention_configurations(
+                self._get_param("RetentionConfigurationNames")
+            )
+        )
+        schema = {"RetentionConfigurations": retention_configurations}
+        return json.dumps(schema)
+
+    def delete_retention_configuration(self) -> str:
+        self.config_backend.delete_retention_configuration(
+            self._get_param("RetentionConfigurationName")
+        )
+        return ""
--- a/tests/test_config/test_config.py
+++ b/tests/test_config/test_config.py
@ -4,6 +4,7 @@ import time
 from datetime import datetime, timedelta

 import boto3
+from botocore.config import Config
 from botocore.exceptions import ClientError
 from unittest import SkipTest
 import pytest
@ -879,6 +880,21 @@ def test_delivery_channels():
    assert ce.value.response["Error"]["Code"] == "InvalidSNSTopicARNException"
    assert "The sns topic arn" in ce.value.response["Error"]["Message"]

+    # With an empty string for the S3 KMS Key ARN:
+    with pytest.raises(ClientError) as ce:
+        client.put_delivery_channel(
+            DeliveryChannel={
+                "name": "testchannel",
+                "s3BucketName": "somebucket",
+                "s3KmsKeyArn": "",
+            }
+        )
+    assert ce.value.response["Error"]["Code"] == "InvalidS3KmsKeyArnException"
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "The arn '' is not a valid kms key or alias arn."
+    )
+
    # With an invalid delivery frequency:
    with pytest.raises(ClientError) as ce:
        client.put_delivery_channel(
@ -973,6 +989,7 @@ def test_describe_delivery_channels():
            "name": "testchannel",
            "s3BucketName": "somebucket",
            "snsTopicARN": "sometopicarn",
+            "s3KmsKeyArn": "somekmsarn",
            "configSnapshotDeliveryProperties": {
                "deliveryFrequency": "TwentyFour_Hours"
            },
@ -980,10 +997,11 @@ def test_describe_delivery_channels():
    )
    result = client.describe_delivery_channels()["DeliveryChannels"]
    assert len(result) == 1
-    assert len(result[0].keys()) == 4
+    assert len(result[0].keys()) == 5
    assert result[0]["name"] == "testchannel"
    assert result[0]["s3BucketName"] == "somebucket"
    assert result[0]["snsTopicARN"] == "sometopicarn"
+    assert result[0]["s3KmsKeyArn"] == "somekmsarn"
    assert (
        result[0]["configSnapshotDeliveryProperties"]["deliveryFrequency"]
        == "TwentyFour_Hours"
@ -2148,3 +2166,109 @@ def test_delete_organization_conformance_pack_errors():
    ex.response["Error"]["Message"].should.equal(
        "Could not find an OrganizationConformancePack for given request with resourceName not-existing"
    )
+
+
+@mock_config
+def test_put_retention_configuration():
+    # Test with parameter validation being False to test the retention days check:
+    client = boto3.client(
+        "config",
+        region_name="us-west-2",
+        config=Config(parameter_validation=False, user_agent_extra="moto"),
+    )
+
+    # Less than 30 days:
+    with pytest.raises(ClientError) as ce:
+        client.put_retention_configuration(RetentionPeriodInDays=29)
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "Value '29' at 'retentionPeriodInDays' failed to satisfy constraint: Member must have value greater than or equal to 30"
+    )
+
+    # More than 2557 days:
+    with pytest.raises(ClientError) as ce:
+        client.put_retention_configuration(RetentionPeriodInDays=2558)
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "Value '2558' at 'retentionPeriodInDays' failed to satisfy constraint: Member must have value less than or equal to 2557"
+    )
+
+    # No errors:
+    result = client.put_retention_configuration(RetentionPeriodInDays=2557)
+    assert result["RetentionConfiguration"] == {
+        "Name": "default",
+        "RetentionPeriodInDays": 2557,
+    }
+
+
+@mock_config
+def test_describe_retention_configurations():
+    client = boto3.client("config", region_name="us-west-2")
+
+    # Without any recorder configurations:
+    result = client.describe_retention_configurations()
+    assert not result["RetentionConfigurations"]
+
+    # Create one and then describe:
+    client.put_retention_configuration(RetentionPeriodInDays=2557)
+    result = client.describe_retention_configurations()
+    assert result["RetentionConfigurations"] == [
+        {"Name": "default", "RetentionPeriodInDays": 2557}
+    ]
+
+    # Describe with the correct name:
+    result = client.describe_retention_configurations(
+        RetentionConfigurationNames=["default"]
+    )
+    assert result["RetentionConfigurations"] == [
+        {"Name": "default", "RetentionPeriodInDays": 2557}
+    ]
+
+    # Describe with more than 1 configuration name provided:
+    with pytest.raises(ClientError) as ce:
+        client.describe_retention_configurations(
+            RetentionConfigurationNames=["bad", "entry"]
+        )
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "Value '['bad', 'entry']' at 'retentionConfigurationNames' failed to satisfy constraint: "
+        "Member must have length less than or equal to 1"
+    )
+
+    # Describe with a name that's not default:
+    with pytest.raises(ClientError) as ce:
+        client.describe_retention_configurations(
+            RetentionConfigurationNames=["notfound"]
+        )
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "Cannot find retention configuration with the specified name 'notfound'."
+    )
+
+
+@mock_config
+def test_delete_retention_configuration():
+    client = boto3.client("config", region_name="us-west-2")
+
+    # Create one first:
+    client.put_retention_configuration(RetentionPeriodInDays=2557)
+
+    # Delete with a name that's not default:
+    with pytest.raises(ClientError) as ce:
+        client.delete_retention_configuration(RetentionConfigurationName="notfound")
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "Cannot find retention configuration with the specified name 'notfound'."
+    )
+
+    # Delete it properly:
+    client.delete_retention_configuration(RetentionConfigurationName="default")
+    assert not client.describe_retention_configurations()["RetentionConfigurations"]
+
+    # And again...
+    with pytest.raises(ClientError) as ce:
+        client.delete_retention_configuration(RetentionConfigurationName="default")
+    assert (
+        ce.value.response["Error"]["Message"]
+        == "Cannot find retention configuration with the specified name 'default'."
+    )