Update aws_kubernetes_cluster_version.yaml

Author: acx1729

compliance/controls/baseline/aws/eks/aws_kubernetes_cluster_version.yaml

@@ -9,25 +9,77 @@ Query:
   Parameters:
     - Key: awsEksClusterLatestVersion
       Required: true
-      DefaultValue: "1.29"
+      DefaultValue: "1.29"  # e.g. "1.29", can also be "1.29.4" or "1.29.4.3"
   PrimaryTable: aws_eks_cluster
   QueryToExecute: |
+    WITH cluster_versions AS (
+      SELECT
+        -- Parse up to four segments from the cluster's 'version' field
+        COALESCE(NULLIF(split_part(version, '.', 1), ''), '0')::int AS major,
+        COALESCE(NULLIF(split_part(version, '.', 2), ''), '0')::int AS minor,
+        COALESCE(NULLIF(split_part(version, '.', 3), ''), '0')::int AS patch,
+        COALESCE(NULLIF(split_part(version, '.', 4), ''), '0')::int AS sub,
+        version,
+        arn,
+        platform_integration_id,
+        platform_resource_id,
+        title,
+        region,
+        account_id
+      FROM aws_eks_cluster
+    ),
+
+    param_versions AS (
+      SELECT
+        -- Parse up to four segments from the param {{.awsEksClusterLatestVersion}}
+        COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 1), ''), '0')::int AS major,
+        COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 2), ''), '0')::int AS minor,
+        COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 3), ''), '0')::int AS patch,
+        COALESCE(NULLIF(split_part('{{.awsEksClusterLatestVersion}}', '.', 4), ''), '0')::int AS sub
+    )
+
     SELECT
       arn AS resource,
       platform_integration_id,
       platform_resource_id,
       CASE
-        WHEN (version)::decimal >= '{{.awsEksClusterLatestVersion}}'::decimal THEN 'ok'
+        WHEN (
+          -- Convert cluster version to a big integer
+          cluster_versions.major * 1000000000 +
+          cluster_versions.minor * 1000000 +
+          cluster_versions.patch * 1000 +
+          cluster_versions.sub
+        ) >= (
+          -- Convert param version to a big integer
+          param_versions.major * 1000000000 +
+          param_versions.minor * 1000000 +
+          param_versions.patch * 1000 +
+          param_versions.sub
+        )
+        THEN 'ok'
         ELSE 'alarm'
       END AS status,
       CASE
-        WHEN (version)::decimal >= '{{.awsEksClusterLatestVersion}}'::decimal THEN title || ' runs on a supported kubernetes version.'
-        ELSE title || ' is running on version ' || version || ' which is not supported. supported versions are >= ' || '{{.awsEksClusterLatestVersion}}'::decimal
+        WHEN (
+          cluster_versions.major * 1000000000 +
+          cluster_versions.minor * 1000000 +
+          cluster_versions.patch * 1000 +
+          cluster_versions.sub
+        ) >= (
+          param_versions.major * 1000000000 +
+          param_versions.minor * 1000000 +
+          param_versions.patch * 1000 +
+          param_versions.sub
+        )
+        THEN title || ' runs on a supported Kubernetes version.'
+        ELSE
+          title || ' is running on version ' || cluster_versions.version ||
+          ' which is not supported. Supported versions are >= ' || '{{.awsEksClusterLatestVersion}}'
       END AS reason,
       region,
       account_id
-    FROM
-      aws_eks_cluster;
+    FROM cluster_versions
+    CROSS JOIN param_versions;
 Severity: low
 Tags:
   platform_score_cloud_service_name: