Add additional thrifty control to check unused NAT gateways. Closes #38

controls/network.sp

@@ -7,10 +7,11 @@ locals {
 benchmark "network" {
   title         = "Networking Checks"
   description   = "Thrifty developers ensure delete unused network resources."
-  documentation = file("./controls/docs/network.md") #TODO
+  documentation = file("./controls/docs/network.md")
   tags          = local.vpc_common_tags
   children = [
-    control.unattached_eips
+    control.unattached_eips,
+    control.unused_vpc_nat_gateways
   ]
 }
 
@@ -24,4 +25,12 @@ control "unattached_eips" {
   })
 }
 
-//TODO Add unattached Gateways
+control "unused_vpc_nat_gateways" {
+  title         = "VPC NAT gateway available and unused should be reviewed"
+  description   = "NAT Gateway is charged on an hourly basis once it is provisioned and available, check why these are available but not used."
+  sql           = query.vpc_nat_gateway_unused.sql
+  severity      = "low"
+  tags = merge(local.vpc_common_tags, {
+    class = "unused"
+  })
+}

query/vpc/vpc_nat_gateway_unused.sql

@@ -0,0 +1,29 @@
+with instance_data as (
+  select
+    instance_id,
+    subnet_id,
+    instance_state
+  from
+    aws_ec2_instance
+)
+select
+  -- Required Columns
+  nat.arn as resource,
+  case
+    when nat.state <> 'available' then 'alarm'
+    when i.subnet_id is null then 'alarm'
+    when i.instance_state <> 'running' then 'alarm'
+    else 'ok'
+  end as status,
+  case
+    when nat.state <> 'available' then nat.title || ' in ' || nat.state || ' state.'
+    when i.subnet_id is null then nat.title || ' not in-use.'
+    when i.instance_state <> 'running' then nat.title || ' associated with ' || i.instance_id || ', which is in ' || i.instance_state || ' state.'
+    else nat.title || ' in-use.'
+  end as reason,
+  -- Additional Dimensions
+  nat.region,
+  nat.account_id
+from
+  aws_vpc_nat_gateway as nat
+  left join instance_data as i on nat.subnet_id = i.subnet_id;