CloudFormation Guard rules template for Amazon Redshift resources
The following rules are included:
# Select every AWS::Redshift::Cluster resource in the template. Each rule below
# iterates over this collection and is guarded by `when %redshift_clusters !empty`,
# so templates without Redshift clusters produce no findings from these rules.
let redshift_clusters = Resources.*[
Type == "AWS::Redshift::Cluster"
]
# Clusters must not be reachable from a public network.
# PubliclyAccessible has to be declared explicitly and set to false; an omitted
# property is reported as a finding instead of relying on the service default.
rule redshift_public_access when %redshift_clusters !empty {
    %redshift_clusters {
        Properties {
            PubliclyAccessible exists <<PubliclyAccessible is not configured. (i.e. enabled)>>
            when PubliclyAccessible exists {
                PubliclyAccessible == false <<Public Access is enabled.>>
            }
        }
    }
}
# Audit logging must be configured on every cluster.
# Only the presence of LoggingProperties is checked here; the contents of the
# block (destination bucket, prefix) are not validated by this rule.
rule redshift_logging_enabled when %redshift_clusters !empty {
    %redshift_clusters {
        Properties {
            LoggingProperties exists <<LoggingProperties is not configured.(i.e. disabled)>>
        }
    }
}
# Data at rest must be encrypted.
# Encrypted has to be declared explicitly and set to true; an omitted property
# is reported as a finding. Key selection (KmsKeyId) is not checked by this rule.
rule redshift_storage_encrypted when %redshift_clusters !empty {
    %redshift_clusters {
        Properties {
            Encrypted exists <<Encrypted is not configured. (i.e. disabled)>>
            when Encrypted exists {
                Encrypted == true <<Encrypted at rest is disabled.>>
            }
        }
    }
}
# Engine version upgrades must not be disabled.
# An omitted AllowVersionUpgrade is accepted (the service default applies); when
# the property is present it must be true. The `!exists OR exists` disjunction
# is always true and presumably only keeps the Properties block from being
# skipped when the property is absent — confirm against the Guard version in use.
rule redshift_version_upgrades when %redshift_clusters !empty {
    %redshift_clusters {
        Properties {
            AllowVersionUpgrade !exists OR
            AllowVersionUpgrade exists
            when AllowVersionUpgrade exists {
                AllowVersionUpgrade == true <<AllowVersionUpgrade is disabled.>>
            }
        }
    }
}
# Automated snapshots must not be turned off.
# An omitted AutomatedSnapshotRetentionPeriod is accepted (the service default
# applies); when the property is present it must be greater than zero, since a
# value of 0 disables automated snapshots. As in redshift_version_upgrades, the
# `!exists OR exists` disjunction is always true and presumably only prevents
# the block from being skipped when the property is absent — confirm.
rule redshift_automated_snapshots when %redshift_clusters !empty {
    %redshift_clusters {
        Properties {
            AutomatedSnapshotRetentionPeriod !exists OR
            AutomatedSnapshotRetentionPeriod exists
            when AutomatedSnapshotRetentionPeriod exists {
                AutomatedSnapshotRetentionPeriod > 0 <<Automated snapshot is disabled.>>
            }
        }
    }
}
# Enhanced VPC routing must be enabled so cluster data traffic stays inside the VPC.
# EnhancedVpcRouting has to be declared explicitly and set to true; an omitted
# property is reported as a finding instead of relying on the service default.
rule redshift_enhanced_vpc_routing when %redshift_clusters !empty {
    %redshift_clusters {
        Properties {
            EnhancedVpcRouting exists <<EnhancedVpcRouting is not configured. (i.e. disabled)>>
            when EnhancedVpcRouting exists {
                EnhancedVpcRouting == true <<Enhanced VPC routing is disabled.>>
            }
        }
    }
}