Add policies for memorydb

aws/policy/security-services.yaml

@@ -175,6 +175,7 @@ Statement:
       - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/transitgateway.amazonaws.com/*'
       - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/network-firewall.amazonaws.com/*'
       - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/ecs.amazonaws.com/*'
+      - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/memorydb.amazonaws.com/*'
     Condition:
       ForAnyValue:StringEquals:
         iam:AWSServiceName:
@@ -186,3 +187,4 @@ Statement:
           - 'network-firewall.amazonaws.com'
           - 'ecs.amazonaws.com'
           - 'ecs-test.amazonaws.com'
+          - 'memorydb.amazonaws.com'

aws/policy/storage-services.yaml

@@ -57,10 +57,42 @@ Statement:
       - backup:UntagResource
       - backup:UpdateBackupPlan
       - backup-storage:MountCapsule
+      - memorydb:Describe*
+      - memorydb:List*
+      - memorydb:CreateParameterGroup
+      - memorydb:CreateSubnetGroup
+      - memorydb:CreateUser
+      - memorydb:CreateACL
     Resource: "*"
 
   - Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurFees
     Effect: Allow
     Action:
       - s3:PutMetricsConfiguration
     Resource: "*"
+
+  - Sid: AllowRegionalRestrictedResourceActionsWhichIncurFees
+    Effect: Allow
+    Action:
+      - memorydb:CreateCluster
+      - memorydb:CreateSnapshot
+    Resource:
+      - 'arn:aws:memorydb:{{ aws_region }}:{{ aws_account_id }}:cluster/*'
+      - 'arn:aws:memorydb:{{ aws_region }}:{{ aws_account_id }}:snapshot/*'
+    Condition:
+      StringEquals:
+        aws:RequestedRegion:
+          - '{{ aws_region }}'
+
+  - Sid: AllowRegionalRestrictedResourceActionsWhichIncurNoFees
+    Effect: Allow
+    Action:
+      - memorydb:DeleteACL
+      - memorydb:DeleteCluster
+      - memorydb:DeleteParameterGroup
+      - memorydb:DeleleSnapshot
+      - memorydb:DeleteSubnetGroup
+      - memorydb:DeleteUser
+      - memorydb:TagResource
+    Resource:
+      - 'arn:aws:memorydb:{{ aws_region }}:{{ aws_account_id }}:*'

aws/terminator/storage_services.py

@@ -1,7 +1,7 @@
 import botocore
 import botocore.exceptions
 
-from . import Terminator, get_account_id
+from . import DbTerminator, Terminator, get_account_id
 
 
 class S3Bucket(Terminator):
@@ -219,3 +219,150 @@ def created_time(self):
 
     def terminate(self):
         self.client.delete_backup_selection(BackupPlanId=self.plan_id, SelectionId=self.id)
+
+
+class MemoryDBClusters(Terminator):
+    @staticmethod
+    def create(credentials):
+        def get_available_clusters(client):
+            # describe_clusters does not have a parameter to filter results
+            ignore_states = ('creating', 'deleting', 'updating')
+            clusters = client.describe_clusters()['Clusters']
+            return [cluster for cluster in clusters if cluster['Status'] not in ignore_states]
+        return Terminator._create(credentials, MemoryDBClusters, 'memorydb', get_available_clusters) 
+
+    @property
+    def id(self):
+        return self.instance["ARN"]
+
+    @property
+    def name(self):
+        return self.instance["Name"]
+
+    @property
+    def created_time(self):
+        return self.instance["CreationTime"]
+
+    def terminate(self):
+        self.client.delete_cluster(ClusterName=self.name)
+
+
+class MemoryDBACLs(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(credentials, MemoryDBACLs, 'memorydb', lambda client: client.describe_acls()['ACLs'])
+
+    @property
+    def id(self):
+        return self.instance["ARN"]
+
+    @property
+    def name(self):
+        return self.instance["Name"]
+
+    @property
+    def ignore(self):
+        return self.name.startswith('default')
+
+    @property
+    def age_limit(self):
+        return datetime.timedelta(minutes=60)
+
+    def terminate(self):
+        self.client.delete_acl(ACLName=self.name)
+
+
+class MemoryDBParameterGroups(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(credentials, MemoryDBParameterGroups, 'memorydb', lambda client: client.describe_parameter_groups()['ParameterGroups'])
+
+    @property
+    def id(self):
+        return self.instance["ARN"]
+
+    @property
+    def name(self):
+        return self.instance["Name"]
+
+    @property
+    def ignore(self):
+        return self.name.startswith('default')
+
+    @property
+    def age_limit(self):
+        return datetime.timedelta(minutes=60)
+
+    def terminate(self):
+        self.client.delete_parameter_group(ParameterGroupName=self.name)
+
+
+class MemoryDBSubnetGroups(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(credentials, MemoryDBSubnetGroups, 'memorydb', lambda client: client.describe_subnet_groups()['SubnetGroups'])
+
+    @property
+    def id(self):
+        return self.instance["ARN"]
+
+    @property
+    def name(self):
+        return self.instance["Name"]
+
+    @property
+    def ignore(self):
+        return self.name.startswith('default')
+
+    @property
+    def age_limit(self):
+        return datetime.timedelta(minutes=60)
+
+    def terminate(self):
+        self.client.delete_subnet_group(SubnetGroupName=self.name)
+
+
+class MemoryDBUsers(DbTerminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(credentials, MemoryDBUsers, 'memorydb', lambda client: client.describe_users()['Users'])
+
+    @property
+    def id(self):
+        return self.instance["ARN"]
+
+    @property
+    def name(self):
+        return self.instance["Name"]
+
+    @property
+    def ignore(self):
+        return self.name.startswith('default')
+
+    @property
+    def age_limit(self):
+        return datetime.timedelta(minutes=60)
+
+    def terminate(self):
+        self.client.delete_user(UserName=self.name)
+
+
+class MemoryDBSnapshots(Terminator):
+    @staticmethod
+    def create(credentials):
+        return Terminator._create(credentials, MemoryDBSnapshots, 'memorydb', lambda client: client.describe_snapshots()['Snapshots'])
+
+    @property
+    def id(self):
+        return self.instance["ARN"]
+
+    @property
+    def name(self):
+        return self.instance["Name"]
+
+    @property
+    def created_time(self):
+        return self.instance['ClusterConfiguration']['Shards']['SnapshotCreationTime']
+
+    def terminate(self):
+        self.client.delete_snapshot(SnapshotName=self.name)