Enhanced check extra740: reworked to consider all snapshots, use JMESPath query @pacohope

Enhanced check extra740: reworked to consider all snapshots, use JMESPath query

checks/check_extra740

@@ -20,20 +20,64 @@ CHECK_ALTERNATE_check740="extra740"
 CHECK_ASFF_COMPLIANCE_TYPE_extra740="ens-mp.info.3.aws.ebs.3"
 
 extra740(){
-  textInfo "Looking for EBS Snapshots in all regions...  "
+  textInfo "Examining EBS Volume Snapshots ..."
-  for regx in $REGIONS; do
+  # This does NOT use max-items, which would limit the number of items
-    LIST_OF_EBS_SNAPSHOTS=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --owner-ids $ACCOUNT_NUM --output text --query 'Snapshots[*].{ID:SnapshotId}' --max-items $MAXITEMS | grep -v None 2> /dev/null)
+  # considered. It considers all snapshots, but only reports at most 
-    if [[ $LIST_OF_EBS_SNAPSHOTS ]];then
+  # max-items passing and max-items failing.
-      for snapshot in $LIST_OF_EBS_SNAPSHOTS; do
+  for regx in ${REGIONS}; do
-        SNAPSHOT_IS_ENCRYPTED=$($AWSCLI ec2 describe-snapshots $PROFILE_OPT --region $regx --output text --snapshot-id $snapshot --query Snapshots[*].Encrypted|grep False)
+    UNENCRYPTED_SNAPSHOTS=$(${AWSCLI} ec2 describe-snapshots ${PROFILE_OPT} \
-        if [[ $SNAPSHOT_IS_ENCRYPTED ]];then
+    --region ${regx} --owner-ids ${ACCOUNT_NUM} --output text \
-          textFail "$regx: $snapshot is currently not encrypted!" "$regx"
+    --query 'Snapshots[?Encrypted==`false`]|[*].{Id:SnapshotId}' \
-        else
+     | grep -v None 2> /dev/null)
-          textPass "$regx: $snapshot is encrypted" "$regx"
+    ENCRYPTED_SNAPSHOTS=$(${AWSCLI} ec2 describe-snapshots ${PROFILE_OPT} \
-        fi
+    --region ${regx} --owner-ids ${ACCOUNT_NUM} --output text \
+    --query 'Snapshots[?Encrypted==`true`]|[*].{Id:SnapshotId}' \
+     | grep -v None 2> /dev/null)
+    typeset -i unencrypted
+    typeset -i encrypted
+    unencrypted=0
+    encrypted=0
+
+    if [[ ${UNENCRYPTED_SNAPSHOTS} ]]; then
+      for snapshot in ${UNENCRYPTED_SNAPSHOTS}; do
+          unencrypted=${unencrypted}+1
+          if [ "${unencrypted}" -le "${MAXITEMS}" ]; then
+            textFail "${regx}: ${snapshot} is not encrypted!" "${regx}"
+          fi
       done
+    fi
+    if [[ ${ENCRYPTED_SNAPSHOTS} ]]; then
+      for snapshot in ${ENCRYPTED_SNAPSHOTS}; do
+          encrypted=${encrypted}+1
+          if [ "${encrypted}" -le "${MAXITEMS}" ]; then
+            textPass "${regx}: ${snapshot} is encrypted." "${regx}"
+          fi
+      done
+    fi
+    if [[ "${encrypted}" = "0" ]] && [[ "${unencrypted}" = "0" ]] ; then
+      textInfo "${regx}: No EBS volume snapshots" "${regx}"
     else
-      textInfo "$regx: No EBS Snapshots found" "$regx"
+      typeset -i total
+      total=${encrypted}+${unencrypted}
+      if [[ "${unencrypted}" -ge "${MAXITEMS}" ]]; then
+        textFail "${unencrypted} unencrypted snapshots out of ${total} snapshots found. Only the first ${MAXITEMS} unencrypted snapshots are reported!"
+      fi
+      if [[ "${encrypted}" -ge "${MAXITEMS}" ]]; then
+        textPass "${encrypted} encrypted snapshots out of ${total} snapshots found. Only the first ${MAXITEMS} encrypted snapshots are reported."
+      fi
+      # Bit of 'bc' magic to print something like 10.42% or 0.85% or similar. 'bc' has a
+      # bug where it will never print leading zeros. So 0.5 is output as ".5". This has a
+      # little extra clause to print a 0 if 0 < x < 1.
+      ratio=$(echo "scale=2; p=(100*${encrypted}/(${encrypted}+${unencrypted})); if(p<1 && p>0) print 0;print p, \"%\";" | bc 2>/dev/null)
+      exit=$?
+
+      # maybe 'bc' doesn't exist, or it exits with an error
+      if [[ "${exit}" = "0" ]]
+      then
+        textInfo "${regx}: ${ratio} encrypted EBS volumes (${encrypted} out of ${total})" "${regx}"
+      else
+        textInfo "${regx}: ${unencrypted} unencrypted EBS volume snapshots out of ${total} total snapshots" "${regx}"
+      fi
     fi
   done
 }